do not accidentally show password as username

fix #7649 Test Plan: 1. automated tests for notificationBar should pass 2. changing the password on https://reg.ebay.com/reg/ChangePwd and clicking 'submit' should not show the current password in the notification bar
brave · Mar 11, 2017 · 56537e5 · 56537e5
1 parent 58b98a5
commit 56537e5
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 0 deletions.
diff --git a/app/extensions/brave/content/scripts/passwordManager.js b/app/extensions/brave/content/scripts/passwordManager.js
@@ -198,6 +198,16 @@ if (chrome.contentSettings.passwordManager == 'allow') {
     // Last resort: find the first text input in the form
     username = username || form.querySelector('input[type=text i]')
 
+    // If the username turns out to be a password field, just ignore it so
+    // we don't show the password in plaintext.
+    if (username) {
+      let autocomplete = username.getAttribute('autocomplete')
+      if (username.getAttribute('type') === 'password' ||
+        (autocomplete && autocomplete.includes('password'))) {
+        username = null
+      }
+    }
+
     // If not a submission, autofill the first password field and ignore the rest
     if (!isSubmission || passwords.length === 1) {
       return [username instanceof HTMLInputElement ? username : null, passwords[0], null]

diff --git a/test/components/notificationBarTest.js b/test/components/notificationBarTest.js
@@ -19,6 +19,7 @@ describe('notificationBar', function () {
     this.loginUrl3 = Brave.server.url('login3.html')
     this.loginUrl4 = Brave.server.url('login4.html')
     this.loginUrl5 = Brave.server.url('login5.html')
+    this.loginUrl6 = Brave.server.url('login6.html')
     yield setup(this.app.client)
   })
 
@@ -105,6 +106,19 @@ describe('notificationBar', function () {
       }).click('button=No')
   })
 
+  it('does not include a password in the notification bar', function * () {
+    yield this.app.client
+      .tabByIndex(0)
+      .loadUrl(this.loginUrl6)
+      .windowByUrl(Brave.browserWindowUrl)
+      .waitForExist(notificationBar)
+      .waitUntil(function () {
+        return this.getText(notificationBar).then((val) => {
+          return val.includes('your password') && !val.includes('secret')
+        })
+      }).click('button=No')
+  })
+
   it('autofills remembered password on login form', function * () {
     yield this.app.client
       .tabByIndex(0)

diff --git a/test/fixtures/login6.html b/test/fixtures/login6.html
@@ -0,0 +1,21 @@
+<body>
+  <script>
+      window.onload = window.setTimeout(function () {
+          if (!document.querySelector('#password').value) {
+              document.querySelector('#password').value = 'secret'
+              document.querySelector('#old-password').value = 'secret'
+              document.querySelector('#new-password').value = 'secret2'
+              document.querySelector('#submit').click()
+          }
+      }, 200)
+  </script>
+<form action="/blah" name="ChangePassForm" id="ChangePassForm">
+    <input type="hidden" id="countryId" name="countryId" value="1" />
+    <input type="hidden" name="MfcISAPICommand" value="HandleNewPassword">
+    <input type="hidden" name="srt" value="01"><div class="rclSir"></div>
+    <input id='password' type="password" name="user" />
+    <input id='old-password' type="password" autocomplete="current-password" />
+    <input id='new-password' type="password" autocomplete="new-password" />
+    <input id="submit" type="submit" value="Change password" />
+</form>
+</body>