Closed Bug 299497 Opened 19 years ago Closed 19 years ago

Firefox doesn't store the password correctly when it's hashed by a JavaScript function when the form is submitted


(Toolkit :: Password Manager, defect)






(Reporter: mirrorball, Unassigned)




User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Simple Machines is a forum software and their new 1.1 version has a feature that
is causing problems with password management in Firefox. When login forms are
submitted, a JavaScript function hashes the password (it's called by the
onsubmit attribute of the form element). But Firefox doesn't store the typed
password correctly; it just stores a lot of *s. On the official SMF forums they
said it is a Firefox bug because the program has to store what was in the input
field before form submission.

Reproducible: Always

Steps to Reproduce:
1. Go to a forum running SMF v1.1.
2. Fill in the login form with login and password.
3. Tell Firefox to store the password.
4. Logout.
5. When the login form is automatically filled by the browser, hit submit.
Actual Results:  
An error message saying that the password is incorrect is displayed.
Going to Edit -> Preferences -> View saved passwords -> Show passwords reveals
that the password hadn't been stored, just a lot of *s.

Expected Results:  
It should have stored what was typed before it's hashed.

Here are the hashing function and the login form.

<script language="JavaScript" type="text/javascript"><!-- // --><![CDATA[
	// hex_sha1() is defined in a separate SHA-1 script that the page loads.
	function hashPassword()
	{
		// No hashing library available: fall back to submitting the plain password.
		// (The braces and the bodies of this and the next guard were lost when the
		// code was pasted into the report; an early return is what lets it run.)
		if (typeof(hex_sha1) == "undefined")
			return;

		// Are they using an email address? If so, skip hashing.
		if (document.frmLogin.user.value.indexOf("@") != -1)
			return;

		// Challenge value: sha1(sha1(lowercased user + password) + session constant).
		document.frmLogin.hash_passwrd.value =
			hex_sha1(hex_sha1(document.frmLogin.user.value.toLowerCase() +
			document.frmLogin.passwrd.value) + "3f4a91bea2c2d3a07de3736d296d5b28");
		// Overwrite the typed password with one asterisk per character before it is sent.
		document.frmLogin.passwrd.value =
			document.frmLogin.passwrd.value.replace(/./g, "*");
	}
// ]]></script>

<form action="" name="frmLogin" method="post" style="margin-top: 4ex;" onsubmit="hashPassword();">
	<table border="0" width="400" cellspacing="0" cellpadding="4" class="tborder">
		<tr class="titlebg">
			<td colspan="2"><img alt="" align="top" /> Login</td>
		</tr>
		<tr class="windowbg">
			<td width="50%" align="right"><b>Username:</b></td>
			<td><input type="text" name="user" size="20" value="" /></td>
		</tr>
		<tr class="windowbg">
			<td align="right"><b>Password:</b></td>
			<td><input type="password" name="passwrd" value="" size="20" /></td>
		</tr>
		<tr class="windowbg">
			<td align="right"><b>Minutes to stay logged in:</b></td>
			<td><input type="text" name="cookielength" size="4" maxlength="4" value="60" /></td>
		</tr>
		<tr class="windowbg">
			<td align="right"><b>Always stay logged in:</b></td>
			<td><input type="checkbox" name="cookieneverexp" class="check"
				onclick="document.frmLogin.cookielength.disabled = this.checked;" /></td>
		</tr>
		<tr class="windowbg">
			<td align="center" colspan="2"><input type="submit" value="Login" style="margin-top: 2ex;" /></td>
		</tr>
		<tr class="windowbg">
			<!-- the link's href and the start of its text are missing from the report -->
			<td align="center" colspan="2" class="smalltext"><a>your password?</a><br /><br /></td>
		</tr>
	</table>
	<input type="hidden" name="hash_passwrd" value="" />
</form>

> because the program *has to* store what was in the input field *before* form

Carolina, what official document defines that "program *has to* store *before*
onsubmit event handler scheduling, instead of when submit is executed"?
And what does the "program" mean?
 - JavaScript engine & Browser? User JavaScript program? 
Firefox. I didn't read any official documents, I'm just telling what they said.
Challenge authentication via JavaScript is becoming more and more common
practice; for example, vBulletin 3 does it as well to my knowledge.

If there is an onsubmit function which modifies the value of a password or
username field to be stored, it seems logical that the values should be saved
before, not after, that function is run.  This is because, again logically, one
might assume that it will modify it the same way every time - and if you give it
the result of the last time, it might change it even differently.

That said, SMF does things differently from other software in some cases; it
replaces the current password with a string of asterisks of the same length (so
as not to annoy the user.)  Most challenge implementations clear the password
instead, which probably simply makes the password manager save nothing.

Looks like a duplicate of bug 257781.

*** This bug has been marked as a duplicate of 257781 ***
Closed: 19 years ago
Resolution: --- → DUPLICATE
Product: Firefox → Toolkit