372942 - Safari's "Never remember" items are being treated as accounts

Status: RESOLVED FIXED

(Camino Graveyard :: OS Integration, defect)

Description

[Stuart Morgan]

Whee, more keychain bugs!

Right now, going to a site that's been Never Remember-ed in Safari causes us to pick up that item and fill the username as "Passwords not saved". We need to check kSecNegativeItemAttr (which I really hope they are setting); probably we won't honor these entries as such for 1.1, but we should definitely skip them.

Comment 1

[Stuart Morgan]

Attachment: workaround

> We need to check kSecNegativeItemAttr (which I really hope they are setting);

Ah, wouldn't that be great. But of course, they don't, because they like to treat the KS documentation recommendations as a list of things not to do.

This just looks for a password consisting only of a space; it seems highly unlikely that anyone would legitimately use (or even be able to use on most sites) that as a password.

Comment 2

[Josh Aas]

Comment on attachment 257681 [details] [diff] [review]
workaround

+      // Safari's doesn't bother to set kSecNegativeItemAttr on "Passwords not saved"

s/Safari's/Safari/

Comment 3

[Stuart Morgan]

Comment on attachment 257681 [details] [diff] [review]
workaround

I'll fix the comment on checkin.

Comment 4

[Mike Pinkerton (not reading bugmail)]

Comment on attachment 257681 [details] [diff] [review]
workaround

sr=pink

that's ass.

Comment 5

[Stuart Morgan]

Checked in on trunk and MOZILLA_1_8_BRANCH.

Comment 6

[Colin Barrett [:cbarrett]]

Filed a bug report with Apple, rdar number 5058948.

Comment 7

[Stuart Morgan]

If you mean about them not setting kSecNegativeItemAttr, I already did (5045684).

Comment 8

[Colin Barrett [:cbarrett]]

I also included that they should set kSecInvsibleItemAttr in my report (it's suggested by the kSecNegativeItemAttr docs for this very situation).