Open Bug 502649 Opened 16 years ago Updated 12 years ago

When starting a sudo session, Firefox passes your credentials to the form, although it shouldn't

Categories

(Bugzilla :: Administration, task)

3.2.3
task
Not set
minor

People

(Reporter: LpSolit, Unassigned)

Details

Attachments

(1 file)

Attached patch: patch, v1
Firefox sees the "reason" field as the login field and so passes your credentials to the form. Adding autocomplete="off" to the password field prevents this. I can reproduce with Bugzilla 3.2.3+ and higher.
Attachment #387010 - Flags: review?(mkanat)
Attachment #387010 - Flags: review?(mkanat) → review-
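A check for the pattern this report describes, as an added example that is not part of the bug or of Bugzilla's code: it pairs each password input with the text input preceding it in the same form and reports whether the password field opts out with autocomplete="off". The pairing rule is a simplified, assumed model of how a password manager picks the login field; the markup, the field name `password` and all function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Input types treated as a possible login field (simplified assumption).
TEXT_TYPES = {"", "text", "email"}

class PasswordFieldAudit(HTMLParser):
    """Pair each password input with the text input preceding it in its form."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_form = self._form_off = False
        self._last_text = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._in_form, self._last_text = True, None
            self._form_off = a.get("autocomplete", "").lower() == "off"
        elif tag == "input" and self._in_form:
            kind = a.get("type", "").lower()
            if kind in TEXT_TYPES:
                self._last_text = a.get("name")
            elif kind == "password":
                off = self._form_off or a.get("autocomplete", "").lower() == "off"
                self.findings.append({
                    "password_field": a.get("name"),
                    "presumed_login_field": self._last_text,
                    "autocomplete_off": off,
                })

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False

def audit(markup):
    parser = PasswordFieldAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings

# Constructed sample: the "reason" field comes from the report, the rest is assumed.
BEFORE = """<form method="post">
  <input type="text" name="reason">
  <input type="password" name="password">
</form>"""
AFTER = BEFORE.replace('type="password"', 'type="password" autocomplete="off"')

if __name__ == "__main__":
    for label, markup in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(markup))
```

Current browsers may ignore autocomplete="off" on password fields, so this confirms the attribute is present in the markup, not that a particular browser honours it.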
Comment on attachment 387010 (patch, v1): Actually, I rather like that it passes in my password. But I don't like that it puts the login in the other box--can we prevent just that?
Based on my testing, it either fills both fields at once or none of them. Also, I think the sudo feature is critical enough (probably the most powerful feature in Bugzilla) that you need to pass your password explicitly.
(In reply to comment #2)
> that you need to pass your password explicitly.
... especially if your own account is compromised for some reason!
I don't know. By that logic, we should be protecting every editusers page with an explicit login as well. I actually never thought that the extra login should exist for sudo, so I don't really want to make it even less convenient to use.
(In reply to comment #4)
> I actually never thought that the extra login should
> exist for sudo, so I don't really want to make it even less convenient to use.
In that case, the extra login should go away in 3.6. We could even do that for 3.4, eventually, but it's a bit too late for 3.2.
joel, justdave, what's your opinion on this? Should the password field disappear or not? And if it remains, should the browser pass the password automatically?
Target Milestone: Bugzilla 3.2 → Bugzilla 3.4
Target Milestone: Bugzilla 3.4 → Bugzilla 3.8
Target Milestone: Bugzilla 4.0 → Bugzilla 4.2
Assignee: LpSolit → administration
Target Milestone: Bugzilla 4.2 → ---
Status: ASSIGNED → NEW