Closed
Bug 785705
Opened 13 years ago
Closed 13 years ago
Bug report's title can be saved by browser's autocomplete feature.
Categories
(bugzilla.mozilla.org :: Extensions, defect)
RESOLVED
WONTFIX
People
(Reporter: netfuzzerr, Unassigned)
Details
(Keywords: sec-low, wsec-disclosure)
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.6 (KHTML, like Gecko) Chrome/23.0.1243.2 Safari/537.6
Steps to reproduce:
Hi,
On the page https://bugzilla.mozilla.org/enter_bug.cgi#h=bugForm%7CFirefox the autocomplete feature is enabled on the bug title. This can allow an attacker to retrieve the bug title by having the victim open a specially crafted page.
Reproduce:
1. Report some bug in https://bugzilla.mozilla.org/enter_bug.cgi#h=bugForm%7CFirefox.
2. Now open data:text/html,<input name="short_desc" value="">
3. Double click and enter.
4. See your bug title.
A fix for this could be adding the attribute "autocomplete=off".
Cheers,
Mario
Comment 1•13 years ago
The box already has autocomplete=off, and no bug title is listed there. The box lists products and components.
Assignee: general → nobody
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Component: Bugzilla-General → General
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa
Resolution: --- → INVALID
Version: unspecified → Production
Comment 2•13 years ago
Aff... Report on https://bugzilla.mozilla.org/enter_bug.cgi#h=bugForm%7CAdd-on+SDK.
AFTER YOU REPORT THE BUG, DOUBLE CLICK ON THE BOX AGAIN SEE THE AUTOCOMPLETE.
Source
====================
...
<tr class="odd">
<td class="label">Summary:</td>
<td width="100%" colspan="2">
<input name="short_desc" id="short_desc" class="textInput" spellcheck="true">
</td>
....
====================
WHERE'S THE autocomplete=off ?
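The dispute in comments 1 and 2 is about which input actually carries autocomplete=off, and the leak the reporter describes works because browsers key form-history suggestions on the input's name, not on the origin that originally filled it. The following is an added example, not code from the bug thread or from Bugzilla itself: a small scanner over the markup quoted in comment 2 that reports text-type inputs without autocomplete="off", plus a function that emits the hardened markup. The attacker page extends the data: URL from comment 0 with a change listener; where it would send the value is hypothetical and is only logged here.

```javascript
// Added example; not part of the bug report or of Bugzilla's code.
// Browsers keep form history per input `name`, so an attacker page with
// <input name="short_desc"> offers the victim the same suggestion list
// as the real form. The page-side control is the autocomplete attribute.

// Markup as quoted in comment 2 (constructed copy of that snippet).
const guidedFormSnippet = `
<tr class="odd">
<td class="label">Summary:</td>
<td width="100%" colspan="2">
<input name="short_desc" id="short_desc" class="textInput" spellcheck="true">
</td>
</tr>`;

// The reporter's PoC, extended with a listener that reads whatever the
// victim picks from the form-history dropdown. Exfiltration is hypothetical;
// the value is only logged.
const attackerPage = `<input name="short_desc" value="">
<script>
document.querySelector('input[name=short_desc]').addEventListener('change', e => {
  console.log('leaked summary:', e.target.value); // hypothetical exfil point
});
</script>`;

// Input types for which browsers record form history; others (hidden,
// checkbox, submit, password) are not replayed via this dropdown.
const HISTORY_TYPES = new Set(["", "text", "search", "url", "tel", "email"]);

// Parse the attributes of a single <input ...> tag into an object.
// Handles double-quoted, single-quoted and bare attribute values.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<input\b/i, "");
  const re = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || "";
  }
  return attrs;
}

// True when form history can be replayed for this input on another origin.
function isHistoryEnabled(attrs) {
  const type = (attrs.type || "").toLowerCase();
  if (!HISTORY_TYPES.has(type)) return false;
  return (attrs.autocomplete || "").toLowerCase() !== "off";
}

// Names (or ids) of every input in the markup that lacks autocomplete="off".
function findAutocompleteEnabledInputs(html) {
  const leaky = [];
  const tagRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttributes(m[0]);
    if (isHistoryEnabled(a)) leaky.push(a.name || a.id || "(unnamed)");
  }
  return leaky;
}

// Hardened markup: append autocomplete="off" to each flagged input.
function disableAutocomplete(html) {
  return html.replace(/<input\b[^>]*>/gi, (tag) => {
    if (!isHistoryEnabled(parseAttributes(tag))) return tag;
    return tag.replace(/\s*\/?>$/, (end) => ` autocomplete="off"${end}`);
  });
}

console.log("leaky inputs:", findAutocompleteEnabledInputs(guidedFormSnippet));
console.log("attacker page reuses:", findAutocompleteEnabledInputs(attackerPage));
console.log(disableAutocomplete(guidedFormSnippet));
```

Run against the snippet from comment 2 the scanner reports `short_desc`, which is what the reporter observed; the same function applied to the attacker page shows the matching name that makes the replay work. The scanner only checks the attribute the page controls; as comment 7 notes, whether the browser honours it or scopes history per site is a browser decision.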
Updated•13 years ago
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Comment 3•13 years ago
mario's talking about the guided bug entry:
https://bugzilla.mozilla.org/enter_bug.cgi?format=guided#h=bugForm|Firefox
most fields on bugzilla don't have autocomplete disabled, and to do so would be detrimental to the user experience. i don't think showing a user's mru list is a security issue, nor is setting autocomplete=off something we want to do.
Severity: normal → trivial
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago → 13 years ago
Component: General → Extensions: GuidedBugEntry
Resolution: --- → INVALID
Comment 4•13 years ago
Are you sure? How about the URL field, which can contain the PoC URL for a security bug? Do you really want to allow autocomplete in this field?
(In reply to Byron Jones ‹:glob› from comment #3)
> mario's talking about the guided bug entry:
> https://bugzilla.mozilla.org/enter_bug.cgi?format=guided#h=bugForm|Firefox
>
> most fields on bugzilla don't have autocomplete disabled, and to do so would
> be detrimental to the user experience. i don't think showing a user's mru
> list is a security issue, nor is setting autocomplete=off something we want
> to do.
Comment 5•13 years ago
I'd be annoyed if this feature went away. I tend to file a lot of repetitive bugs, and having bug summaries autocomplete lets me pick something close and edit it to fit, saving me a lot of typing.
Most folks filing security bugs will have already filed more than one bug before, and once there's more than one item in your autocomplete buffer you have to explicitly pick something for it to fill it in. The risk here is really really small, in my opinion.
CCing a few people who know these things better than me in hopes of getting some additional comment.
Comment 6•13 years ago
("The risk here is really really small..." - lol). Look, autocomplete stuff can be triggered by JavaScript, so it takes just a click to get the user's data. I still don't understand why you think this is "low".
(In reply to Dave Miller [:justdave] from comment #5)
> I'd be annoyed if this feature went away. I tend to file a lot of
> repetitive bugs, and having bug summaries autocomplete lets me pick
> something close and edit it to fit saving me a lot of typing.
>
> Most folks filing security bugs will have already filed more than one bug
> before, and once there's more than one item in your autocomplete buffer you
> have to explicitly pick something for it to fill it in. The risk here is
> really really small, in my opinion.
>
> CCing a few people who know these things better than me in hopes of getting
> some additional comment.
Comment 7•13 years ago
I'd rather fix that in the browser, perhaps by making form autocomplete be per-site. See bug 381681.
Keywords: sec-low, wsec-disclosure
Resolution: INVALID → WONTFIX
Comment 8•13 years ago
It won't be fixed in other browsers.
(In reply to Jesse Ruderman from comment #7)
> I'd rather fix that in the browser, perhaps by making form autocomplete be
> per-site. See bug 381681.
Updated•6 years ago
Component: Extensions: GuidedBugEntry → Extensions