[Bug] Password sometimes exposed in URL after login [sf#44]

[jpatokal]

Reported by jpatokal on 2009-12-15 22:50 UTC
On Safari only, the password is intermittently exposed as a plaintext parameter in the URL after logging in.

[jpatokal]

Commented by jpatokal on 2009-12-15 22:54 UTC
Sample URL:
http://openflights.org/?name=shreeni&pw=xxxxxxxx&challenge=b1be8ad7aac2428d4c983a8ece46f5cb

Doubly weird since the password is never sent out in any form, and even the challenge is POSTed. May be related to the language switch refresh...?

[jpatokal]

Commented by jpatokal on 2010-04-05 10:35 UTC
Also reported as occurring on Chrome 5.0.342.8. Issue itself remains as mysterious as ever, language does not appear to have anything to do with it.

[jpatokal]

Updated by jpatokal on 2010-04-05 10:35 UTC

• priority: 7 --> 9
• summary: Safari: Password sometimes exposed in URL after login --> Password sometimes exposed in URL after login

[jpatokal]

Commented by jpatokal on 2010-08-22 11:38 UTC
Finally figured this out -- Chrome and Safari both trigger automatic submits when Enter is pressed inside a form, but tab or clicking the "Login" button doesn't. Fixed now!

http://stackoverflow.com/questions/3541289/safari-and-chrome-adding-form-values-to-url

[jpatokal]

Updated by jpatokal on 2010-08-22 11:38 UTC

• status: open --> closed-fixed