Closed Bug 806142 Opened 7 years ago Closed 7 years ago

Password saved with * when showing password too quickly


(Firefox OS Graveyard :: General, defect, P3)

Gonk (Firefox OS)


(blocking-basecamp:+, firefox17 wontfix, firefox18 fixed, firefox19 fixed)

blocking-basecamp +
Tracking Status
firefox17 --- wontfix
firefox18 --- fixed
firefox19 --- fixed


(Reporter: Mardak, Assigned: cpeterson)



(Keywords: b2g-testdriver, unagi)


(1 file)

If you hit "show password," e.g., from entering a wifi password, after typing a letter but before that last letter changes to a "*" the visible password is shown with the "*" and is actually saved with the "*".

In a password field that also as "show password"
1) quickly type "password"
2) tap "show password" before "d" becomes a "*"
3) field shows "password" temporarily
4) field then changes to "passwor*"

If the wifi password was actually "password" saving it as is fails.
How is gaia switching between *'s and normal letters? Actually, how is b2g implementing password fields in general?

In short, is this a platform bug or a gaia bug?
blocking-basecamp: --- → ?
blocking-basecamp: ? → +
Priority: -- → P3
Assignee: nobody → yurenju
Only change HTML input type from 'password' to 'text' in wifi.js:667,
this is a gecko issue.

Change Component to General.
Assignee: yurenju → nobody
Component: Gaia → General
Brad, could you take a look at this. I suspect we simply need to cancel the timer when we switch type.
Assignee: nobody → blassey.bugs
Blocks: 514212
Assignee: blassey.bugs → cpeterson
OS: Mac OS X → Gonk (Firefox OS)
Hardware: x86 → All
Only hide password characters if the text editor is (still) a password editor.

B2G exposed an editor race condition. On platforms that echo password characters as they are typed, the plaintext editor schedules a timer to replace the typed character with a symbol. On B2G, this delay is 1500 ms. JS can programatically change the editor's password flag after the password timer is scheduled but before it fires.

My patch just adds an IsPasswordEditor() check to the password timer's callback. I investigated a solution that would cancel the password timer if the password flag changed, but AFAICT it required ugly code such as overriding nsEditor::SetFlag() and downcasting an nsIEditRules pointer.
Attachment #679005 - Flags: review?(ehsan)
Attachment #679005 - Flags: review?(ehsan) → review+
Comment on attachment 679005 [details] [diff] [review]

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 514212
User impact if declined: On B2G and Android, password text can be garbled if JS toggles a text input form's password type.
Testing completed (on m-c, etc.): Local testing on B2G. This bug is very easy to reproduce in B2G's Wi-Fi Settings menu.
Risk to taking this patch (and alternatives if risky): Low risk because this code path is used on desktop Firefox (because the desktop hides password text without any delay).
String or UUID changes made by this patch: None
Attachment #679005 - Flags: approval-mozilla-aurora?
Closed: 7 years ago
Resolution: --- → FIXED
Comment on attachment 679005 [details] [diff] [review]

bb+ bugs don't need approval
Attachment #679005 - Flags: approval-mozilla-aurora?
You need to log in before you can comment on or make changes to this bug.