619257 - Password manager ignores name attributes when autofilling

Status: RESOLVED DUPLICATE of bug 623910

(Toolkit :: Password Manager, defect)

Description

[ohnishi-a]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; ja; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13 GTB7.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; ja; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13 GTB7.1


a.html :

<form method="POST" action="./b.html">
ID:<input type="text" name="ID" /><br />
PASS:<input type="password" name="PASS" /><br />
<input type="submit" />
</form>

b.html

<form method="POST" action="./a.html">
foo:<input type="text" name="foo" /><br />
bar:<input type="password" name="bar" /><br />
<input type="submit" />
</form>

saved account and password value on name="ID" and name="PASS" field will also auto fill into name="foo" and name="bar" field.


Reproducible: Always

Steps to Reproduce:
1. save account and password in any site
2. open another page on same site which has another password field
3. saved account and password will auto fill inst the another field
Actual Results:  
Saved value on name="ID" and name="PASS" field will also auto fill into name="foo" and name="bar" field.


Expected Results:  
The another field name="foo" and name="bar" must be empty.

moz_logins usernameField and passwordField value may ignored.

Comment 1

[Jesse Ruderman]

I remember this change being intentional, but I can't find where it was made.  Maybe it was done as part of the rewrite of the password manager from C++ into JavaScript (bug 469443)?

This shouldn't be a security problem.

Comment 2

[Mounir Lamouri (:mounir)]

Aren't we using the action value of the form for the password manager? I thought that the password manager is remembering where the form is submitted to and is auto-filling using that information regardless of the input names.

Comment 3

[Daniel Dawson]

As I read the code, it first tries to find the appropriate fields "so that the user isn't prompted for a master password without need" (LoginManager._fillForm() in nsLoginManager.js), i.e. if the form doesn't look like a valid login form, don't bother looking anything up in the database. That's all good and well, but couldn't it still make use of usernameField and passwordField from the nsILoginInfo when it does decide to fill the form? Something along the lines of:

Check to see if the names of the fields found in _getFormFields() match those from the database:
* If they match, proceed as normal (use the fields already found).
* If they don't match, try to find the fields named in the database, and make sure they are of the proper type:
  - If found, use those fields.
  - Otherwise, fall back on the ones determined at the outset.

It's not perfect, but it might be an improvement. What do you think?

Comment 4

[david.meritt]

I've been watching this bug because I want to use the password manager to fill a form with more than two fields, but the manager insists the first field which is neither user nor password should be the user name field. 

In the example below, my code is put in the first field where name should go.  It seems Daniel would make an improvement for this form with just a type check.  The rest should make it pretty robust.

<TABLE WIDTH=100%>
<TR><TD><FONT SIZE=-1>
Last Name</FONT></TD></TR><TR><TD>
<input name="name" id="name" value="" size="40" maxlength="40"></TD></TR>
<TR><TD><FONT SIZE=-1>
Library Card Number: (A "P" followed by <strong>nine numbers</strong>)</FONT></TD></TR>
<TR><TD>
<input name="code" id="code" type="PASSWORD" value="" size="40" maxlength="40"></TD></TR>
<TR><TD><FONT SIZE=-1>
Library Card PIN</FONT></TD></TR><TR><TD>
<input name="pin" id="pin" type="PASSWORD" value="" size="40" maxlength="40"></TD></TR>
</TABLE>