Closed Bug 270558 Opened 20 years ago Closed 18 years ago

Password manager should not fill in username and password if the username field is pre-filled by the server to a different username. (frequent problem with phpBB admin interface)

Categories

(Toolkit :: Password Manager, defect)

Product:
Toolkit
Component:
Password Manager
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: ungerthom, Assigned: philor)

References

Details

(Keywords: dataloss, regression, verified1.8.1)

Attachments

(3 files, 2 obsolete files)

testcase for saving
244 bytes, text/html
Details
testcase for clobbering
281 bytes, text/html
Details
Fixed and commented
3.24 KB, patch
bryner
: review+
mconnor
: approval-branch-1.8.1+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

The password manager is filling in text fields on pages where it's not been
asked to.

I discovered this problem while administrating a phpBB (www.phpbb.com) message
board.


Reproducible: Always
Steps to Reproduce:
1. When using phpBB, I log on to the board using the "admin" account and save
the username and password for future use.
2. I then go to the admin panel to lookup user information (Admin Panel->User
Admin->Management).  
3. I enter a username, and the form appears with the user information, but the
username data in the username text field is immediately overwritten with the
word "admin".  
4. If I view the source of the page, the correct username is there.


Actual Results:  
The incorrect username is being displayed, even though the html source has the
correct username.  If I then hit "Submit" to save the data, a box pops up asking
me to "Confirm Password Change".  When I click "Cancel", it goes ahead and
submits the page, but with the incorrect username.

Expected Results:  
Left the username field alone and not prompted me to "Confirm Password Change"
when the page has nothing to do with that.

It is a potentially major bug, given that valid data could be easily overwritten
in this example, and presumably elsewhere as well.

I suspect it has to do with the following: the userdata is being displayed in a
frame that was opened by the original
http://localhost/components/com_forum/admin/index.php that handled the initial
logon.  Even though the sub-frame? is a different url
(http://localhost/components/com_forum/admin/admin_users.php), the password
manager thinks it's still on the index.php page, and the textfield is presumably
named the same as the logon text field.
Its more than password manager saves passwords by domain, not by page.  And of
course the phpBB form has the names "username" and "password" iirc, which just
makes for great fun.  Quick'n'dirty hack is to hack the board to use different
fieldnames and make sure to unhack them after the form submit, but I'll admit
that's kinda annoying.

The password "memory" is per domain, not per page. Whether it should be a per
page setting is debatable, since sometimes you'd prefer the password to remain
regardless of any site changes (ie. login page is changed from login.htm to
login.html on the site). Using the full URL isn't really reliable anyways, since
they're often dynamic and can vary.
Severity: major → normal
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: PC → All
Summary: Legitimate form text field data gets overwritten by username saved in PW Manager on a different page. → Page form data is overwritten by saved data from another page (remembers passwords per domain, not per page)
*** Bug 273305 has been marked as a duplicate of this bug. ***
*** Bug 259760 has been marked as a duplicate of this bug. ***
Summary: Page form data is overwritten by saved data from another page (remembers passwords per domain, not per page) → Page form data is overwritten by saved data from another page (remembers passwords per domain, not per page; frequently seen with phpBB)
Someone with sufficient authorisation might want to compare to bug 112260, as it
appears to be the same problem
Whiteboard: See also bug 112260 (Seamonkey)
*** Bug 276514 has been marked as a duplicate of this bug. ***
Attached file testcase for saving 

    
    

    
  


  

    
    

    
  
This is actually a regression of this particular case, from bug 229762 - the fix
there didn't quite match Ben's suggested logic, which was

if (page default value)
  if (page default value == any of the saved signons)
    pwmgr fill password for that signon
  else
    do nothing, attach autocomplete widget.
else
  if (more than one signon)
    do nothing, attach autocomplete widget
  else
    prefill username and password

what we have now instead is

if (page default value)
  if (page default value == any of the saved signons)
    pwmgr fill password for that signon
  else
    if (more than one signon)
      do nothing, attach autocomplete widget.
    else
      prefill username and password
else
  if (more than one signon)
    do nothing, attach autocomplete widget
  else
    prefill username and password

which makes for a rather odd workaround for forum admins: save two logins, and
when you log in you'll have to click, down-arrow in the username textbox to use
autocomplete to pick the real one, but then on user admin pages pwdmgr won't
clobber the HTML-supplied username and password.

STR:

1. Load attachment 170787 [details] and submit any user/pass, and let pwdmgr save it
2. Load attachment 170788 [details] and note that your user/pass is filled in, clobbering
what the HTML supplied.
3. Back to attachment 170787 [details] and have pwdmgr save a different user/pass.
4. Back to attachment 170788 [details] and note that the "HTML supplied" user/pass is
filled in.
Flags: blocking-aviary1.1?
Keywords: regression

    
    

    
  
*** Bug 277687 has been marked as a duplicate of this bug. ***

    
    

    
  
I have to chip in on the problems with this. I seems that it would be a lot
smarter for the password autofill to only kick in if the form fields on the page
are blank - not when they have a value set by the HTML code. 

This is creating severe problems with several of the applications we use here at
work. 

    
    

    
  
*** Bug 296841 has been marked as a duplicate of this bug. ***

    
    

    
  
this may be related/a dupe, but if bryner has cycles I'd like to get this.
Flags: blocking-aviary1.1? → blocking1.8b4?
Flags: blocking1.8b4? → blocking1.8b4-

    
    

    
  
*** Bug 306121 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 290298 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 306298 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 259841 has been marked as a duplicate of this bug. ***

    
  
Blocks: 229762

    
    

    
  
This bug is still present in Firefox 1.5 Beta 1:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4

    
    

    
  
*** Bug 309312 has been marked as a duplicate of this bug. ***

    
  
Keywords: dataloss

    
    

    
  
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

Confirming, I see it too. Doesn't seem to have disappeared in Firefox 1.5.

    
    

    
  
(In reply to comment #19)
> *** Bug 309312 has been marked as a duplicate of this bug. ***
> 

I'm sorry to insist but these bugs can't be duplicates because 270558 is a mozilla-firefox bug and 309312 is on Mozilla Application Suite

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fix (obsolete)
        — Splinter Review
      

    


  
Remember whether it was prefilled until the "fill one un/pw pair" step.
Assignee: bryner → bugzilla
Status: NEW → ASSIGNED

        Attachment #206577 -
        Flags: review?(bryner)

    
  
Flags: blocking-aviary2?
Flags: blocking-firefox2? → blocking-firefox2+

    
    

    
  
*** Bug 324411 has been marked as a duplicate of this bug. ***

    
    

    
  

      
      
      
      

        Attached patch
          
          
        unrotted (obsolete)
        — Splinter Review
      

    


  

        Attachment #206577 -
        Attachment is obsolete: true

        Attachment #212419 -
        Flags: review?(bryner)

        Attachment #206577 -
        Flags: review?(bryner)

    
    

    
  
Comment on attachment 212419 [details] [diff] [review]
unrotted

Looks ok, but can you add a comment about what prefilledUser indicates?

Post a new patch with the added comment and I'll go ahead and check it in if you'd like.  Thanks!

        Attachment #212419 -
        Flags: review?(bryner) → review+

    
    

    
  
Gah, just like it should, writing documentation (down at the "if (firstMatch && !attachedToInput" where I was most confused) made me realize I'd done it wrong: if the page prefills, and we have one saved username that doesn't match, we still need to attach the autocomplete listener so we can fill the password if the user changes to our username. New patch once I sort that out.

    
  

        Attachment #212419 -
        Attachment is obsolete: true

        Attachment #212419 -
        Flags: review+ → review-

    
    

    
  


  
Filed bug 327977 on overwriting a password-only form, because that's either unsolvable or needs a different solution. This patch should cover every case for username/password forms, if I didn't miss anything in:

not prefilled
  no saved
  one saved
  two saved
    after filling first, change to second
user prefilled, pass not
  no saved
  one (same as prefill) saved
  one (not same as prefill) saved
  two (one is prefill) saved
    change to second
  two (neither is prefill) saved
    change to first
    change to second
user and pass prefilled
  no saved
  one (same as prefill) saved
  one (not same as prefill) saved
  two (one is prefill) saved
    change to second
  two (neither is prefill) saved
    change to first
    change to second

        Attachment #212538 -
        Flags: review?(bryner)

        Attachment #212538 -
        Flags: review?(bryner) → review+

    
    

    
  
checked in, thanks.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED

    
    

    
  
Comment on attachment 212538 [details] [diff] [review]
Fixed and commented

branch? i think so

        Attachment #212538 -
        Flags: approval-branch-1.8.1?(mconnor)

    
  
Summary: Page form data is overwritten by saved data from another page (remembers passwords per domain, not per page; frequently seen with phpBB) → Page form data is overwritten by saved data from another page (frequently seen with phpBB)

        Attachment #212538 -
        Flags: approval-branch-1.8.1?(mconnor) → approval-branch-1.8.1+

    
    

    
  
patch doesn't seem to apply cleanly to the branch, didn't really look into it

    
    

    
  
It should just need bug 235336 to bitrot it again on the branch, and then the current patch should apply fine over that.

    
    

    
  
See also bug 112260 (Seamonkey)
Whiteboard: See also bug 112260 (Seamonkey) → [checkin needed (1.8 branch)]
Keywords: fixed1.8.1
Whiteboard: [checkin needed (1.8 branch)]

    
    

    
  
(In reply to comment #27)
> Created an attachment (id=212538) [edit]
> +    // and fill in the username and password  only if the HTML didn't prefill
> +    // the username.

This is really annyoing on sites that prefill their login field with "name", "login" or s.th. like that; which is quite common, I think.
Some days ago I thought this new behaviour was a bug. Now I'm kind of irritated to see that it's a bug fix.

    
    

    
  
*** Bug 331441 has been marked as a duplicate of this bug. ***

    
  
Summary: Page form data is overwritten by saved data from another page (frequently seen with phpBB) → Password manager should not fill in username and password if the username field is pre-filled by the server to a different username. (frequent problem with phpBB admin interface)

    
    

    
  
*** Bug 334237 has been marked as a duplicate of this bug. ***

    
    

    
  
Bloscks 1.5.0.2

    
    

    
  
(In reply to comment #33)
> (In reply to comment #27)
> > Created an attachment (id=212538) [edit]
> > +    // and fill in the username and password  only if the HTML didn't prefill
> > +    // the username.
> 
> This is really annyoing on sites that prefill their login field with "name",
> "login" or s.th. like that; which is quite common, I think.
> Some days ago I thought this new behaviour was a bug. Now I'm kind of irritated
> to see that it's a bug fix.
> 

Yes, quite a number of different forum softwares have "username" and "password" prefilled in the login form.
This bug can be especially troublesome on forums that use the same field name for multiple purposes. Acmlmboard demonstrates this; the names that are used for the username and password on the login page are also used to change a user's name and password on the user editing admin panel. Having your password remembered means any time you use the user editor panel, you have to remember to clear out the password box and enter their username, or else their name/pass is changed to yours. I suspect many similar apps do the same.

    
    

    
  
I would like to know when the fixed version be released

    
    

    
  
*** Bug 335719 has been marked as a duplicate of this bug. ***

    
    

    
  
There are still major bugs in the behaviour of the password manager.. on our customer extranet, the password manager pops up whenever a customer tries to change the password of a mailbox, ftp password, database password or other password in an html form with password fields.  These passwords have nothing to do with the password manager, that keeps popping up just because the password manager has an entry in the same domain... In my opinion the password manager should look at the domain IN COMBINATION with the names of the input fields.. The page url is not an option because this can change often and there can be multiple html password form on the same url... One other thing : when I have a form with 3 password fields (one for the current password, 2 for the new passwords) which field is considered ? The password manager pops up even if the new passwords do not match... 

> The password "memory" is per domain, not per page. Whether it should be a per
> page setting is debatable, since sometimes you'd prefer the password to remain
> regardless of any site changes (ie. login page is changed from login.htm to
> login.html on the site). Using the full URL isn't really reliable anyways, since
> they're often dynamic and can vary.



    
    

    
  
Verified FIXED using Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1b1) Gecko/20060803 BonEcho/2.0b1.

Using attachment 170788 [details] the password manager does not override the pre-filled text with my saved password.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1verified1.8.1

    
    

    
  
(In reply to comment #2)
> The password "memory" is per domain, not per page. Whether it should be a per
> page setting is debatable, since sometimes you'd prefer the password to remain
> regardless of any site changes (ie. login page is changed from login.htm to
> login.html on the site). Using the full URL isn't really reliable anyways, since
> they're often dynamic and can vary.

What about adding an option to let the user choose whether to remember passwords per page or per domain?

There are cases when remembering per domain is just not useful, and remembering per page is required, and doesn't have side-effects (e.g. mailman administration of multiple mailing lists on the same domain: only the password of one list is currently remembered)
Product: Firefox → Toolkit

    
    

    
  
(In reply to Adam Guthrie from comment #41)
> Using attachment 170788 [details] the password manager does not override the
> pre-filled text with my saved password.

Not always.

PW-mgr clobbers the pre-filled password with the saved password as soon as I click the username field and press submit. Why is this? Does this warrant a reopen or even a new bug?

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0) Gecko/20100101 Firefox/11.0

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: