Univention Bugzilla – Bug 46198
Autofill sets password during computer account creation
Last modified: 2019-04-17 11:19:31 CEST
Task #9985 UCS Technical Training
- go to http://$master/umc/
- login as Administrator (and save the credentials within Firefox)
- Create a computers/DC Backup account before joining using the wizard.
- creation fails with "Passwort mismatch"
- going to the "extended view" shows that "advanced setting"/"account"/"password" is auto-filled, but "password (again)" is not.

Doesn't seem to happen when http://localhost/umc/ is used. Firefox is used. The "root certificate" for the domain was imported into the browser.
Again: 2× UCS Technical Training 2019-10-09 with UCS-4.3-2
Feedback from one of our customers:
> [...] my Chrome has recently been attempting nonsensical autofill in the UMC.
> Specifically, for computer objects it tries to enter my password for
> $ADMINISTRATOR_USER into the (left) password field of the computer and, for
> some reason, the username into the MAC field of the DHCP entries.

See also the attached screenshot.
Created attachment 9748 [details] UMC computers/*
Created attachment 9834 [details] Set autofill="new-password"

I accidentally stumbled over this today: <https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#autofill>

A short test shows that the new attribute is set, but one of our UMC JS gurus should take a look.
(In reply to Philipp Hahn from comment #4)
> Created attachment 9834 [details]
> Set autofill="new-password"
>
> I accidentally stumbled over this today:
> <https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#autofill>
>
> A short test shows that the new attribute is set, but one of our UMC JS
> gurus should take a look.

Thank you! This looks promising.
This also happens for the IP *address* when editing a computers object in UDM, where Chromium offers to fill in my *street* address. Also for MAC- and IP-Address in the UMC wizard to create a new computer object. Also for the Computer *name*. Also for DHCP pool *name* and *addresses*. Also for UMC Network *name* and *addresses*.
*** Bug 48795 has been marked as a duplicate of this bug. ***
From bug 48795:
> I stored my Administrator password in chrome. If I open an existing user object,
> chrome auto fills the first password field with my Administrator credentials.
> Since I do not want to modify the user's password, I remove the password from the
> first PW field and do my desired changes. Afterwards I try to save my changes,
> but UMC complains that an empty password field is not allowed.
> → in chrome, it is not possible to modify users without changing their password,
> if a password has been stored in chrome

See also the attached video/animated gif: https://forge.univention.org/bugzilla/attachment.cgi?id=9865

IMHO this renders the affected UDM modules as unusable for daily work since it is either not possible to store objects or the autofill destroys/modifies information or you have to manually correct all autofills.
[4.4-0] cb8b794f41 Bug #46198 UMC: Fix password auto-fill
 management/univention-management-console/debian/changelog | 10 ++++++++--
 management/univention-management-console/www/login/index.html | 10 +++++-----
 management/univention-management-console/www/login/login.html | 4 ++--
 management/univention-web/debian/changelog | 6 ++++++
 management/univention-web/js/widgets/PasswordBox.js | 11 +++++++----
 saml/univention-saml/debian/changelog | 6 ++++++
 .../univentiontheme/themes/univention/core/loginuserpass.php | 4 ++--
 .../debian/changelog | 6 ++++++
 .../umc/js/uvmm/DomainPage.js | 6 +-----
 9 files changed, 43 insertions(+), 20 deletions(-)

Package: univention-management-console
Version: 11.0.3-5A~4.4.0.201902281315
Branch: ucs_4.4-0

Package: univention-web
Version: 3.0.2-4A~4.4.0.201902281318
Branch: ucs_4.4-0

Package: univention-saml
Version: 6.0.1-2A~4.4.0.201902281324
Branch: ucs_4.4-0

Package: univention-virtual-machine-manager-daemon
Version: 8.0.1-3A~4.4.0.201902281326
Branch: ucs_4.4-0

[4.4-0] 1585d4534d Bug #46198 UMC: Fix password auto-fill YAML
 doc/changelog/changelog-4.4-0.xml | 3 +++
 1 file changed, 3 insertions(+)

QA: I committed my patch, but it does not work: Chromium still wants to fill in its values.
Johannes has a patch additionally adding
+ _setAutocompleteAttr: { node: 'focusNode', type: 'attribute' }
and claims it as working.

I fear that all the other UMC input fields named "name", "address" also need annotations to turn auto-completion off - see comment #6.

As I'm no JS guru, I'm re-assigning this bug to Johannes.
Also happens in the UCS@school "Benutzer (Schulen)" wizard. When opening an existing user:
* the email field is filled with "Administrator"
* the password field is filled with "univention"

Chrome Version 72.0.3626.119 (Official Build) (64-bit)
Happens only with Chrome stable (72), not with beta (73) or unstable (74).
autocomplete="off" is ignored for autofill by (some) browsers because it is a desired feature. There is no other native way to deactivate it so we have to do some workarounds. It is possible that these will not work in upcoming browser versions.

0e8ff9f1ba Bug #46198: debian changelog
3c5b0c46ae Bug #46198: prevent autofill as default in TextBox and PasswordBox

Successful build
Package: univention-web
Version: 3.0.2-5A~4.4.0.201902281845
(In reply to Sönke Schwardt-Krummrich from comment #8)
> From bug 48795:
> > I stored my Administrator password in chrome. If I open an existing user object,
> > chrome auto fills the first password field with my Administrator credentials.
> > Since I do not want to modify the user's password, I remove the password from the
> > first PW field and do my desired changes. Afterwards I try to save my changes,
> > but UMC complains that an empty password field is not allowed.
> > → in chrome, it is not possible to modify users without changing their password,
> > if a password has been stored in chrome
>
> See also the attached video/animated gif:
> https://forge.univention.org/bugzilla/attachment.cgi?id=9865
>
> IMHO this renders the affected UDM modules as unusable for daily work since
> it is either not possible to store objects or the autofill destroys/modifies
> information or you have to manually correct all autofills.

should be fixed with:
e77fa800b5 Bug #46198: debian changelog
7ae14681de Bug #46198: use autocomplete='new-password' for browsers that support it
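The attribute change discussed in the comments above, as an added example that is not part of the bug report or the UMC code: a small Node.js lint that flags password inputs in non-login forms lacking autocomplete="new-password", and unannotated text inputs carrying the field names reported in this bug. The sample markup, the function names and the name list are constructed for illustration.

```javascript
// Added example (not UMC code): lint non-login form markup for inputs that a
// browser may fill with the operator's own stored credentials or profile data.
// Field-name hints follow the reports in this bug (name, address, MAC, IP).
const HINTED_NAME = /(?:^|[_-])(name|address|mac|ip)(?:$|[_-])/i;

// Extract the double-quoted attributes of every <input> tag in the markup.
function parseInputs(html) {
  const inputs = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const attrs = {};
    for (const m of tag.matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) {
      attrs[m[1].toLowerCase()] = m[2];
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Returns one finding per input that leaves autofill behaviour to the browser.
function auditAutofill(html) {
  const findings = [];
  for (const a of parseInputs(html)) {
    const type = (a.type || 'text').toLowerCase();
    const ac = (a.autocomplete || '').toLowerCase();
    const field = a.name || '(unnamed)';
    if (type === 'password' && ac !== 'new-password') {
      // "off" is flagged too: this bug reports that browsers ignore it.
      findings.push({ field, issue: 'password-not-new-password', current: ac || null });
    } else if (type === 'text' && ac === '' && HINTED_NAME.test(field)) {
      findings.push({ field, issue: 'unannotated-autofill-candidate', current: null });
    }
  }
  return findings;
}

// Constructed sample: a computer-object form like the one described here.
const SAMPLE_FORM = `
<form id="computer-wizard">
  <input type="text" name="name">
  <input type="text" name="mac" autocomplete="off">
  <input type="text" name="description">
  <input type="password" name="password" autocomplete="off">
  <input type="password" name="password_again" autocomplete="new-password">
</form>`;

console.log(auditAutofill(SAMPLE_FORM));
```

A finding on only one field of a password/confirmation pair matches the first report in this bug, where the browser filled "password" but not "password (again)".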
One option that could save a lot of headache would be to not use type="password" for non-login password boxes and replace the input with stars or dots
(In reply to Johannes Keiser from comment #14)
> One option that could save a lot of headache would be to not use
> type="password" for non-login password boxes and replace the input with
> stars or dots

Let's think about this when we implement Bug #46888.
OK: Chrome 71
OK: Chrome 72
OK: Chrome 73
OK: Chrome 74
OK: Firefox (btw, Firefox adds a nice dropdown which allows one to select the stored password).
~OK: Edge 15/18 (does not even offer to store the password)
OK: Opera
OK: changelog entry
*** Bug 35457 has been marked as a duplicate of this bug. ***
UCS 4.4 has been released:
https://docs.software-univention.de/release-notes-4.4-0-en.html
https://docs.software-univention.de/release-notes-4.4-0-de.html

If this error occurs again, please use "Clone This Bug".