Skip to content

Fix TOTP detection that are password fields (like HackerOne) #2333

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Fix TOTP detection that are password fields (like HackerOne) #2333

wants to merge 1 commit into from
+3 −3

Conversation

bwbroersma
Copy link
Contributor

Fixes #2332

@droidmonkey
Copy link
Member

This needs to be validated for regressions before merging.

varjolintu
varjolintu reviewed Sep 7, 2024
View reviewed changes
keepassxc-browser/content/totp-field.js
@@ -1,7 +1,7 @@
'use strict';

const ignoreRegex = /(bank|coupon|postal|user|zip).*code|comment|author|error/i;
const ignoredTypes = [ 'email', 'password', 'username' ];
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure why password was removed. Standard TOTP fields aren't password fields, so this should be kept.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See #2332 solution one, sometimes TOTP fields do have type=password.
Another solution would be the second one (an explicit accept), then the type!=password would also be bypassed.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of making this change global, I'd suggest adding an exception for this site's TOTP detection to the sites.js.

varjolintu
varjolintu requested changes Nov 11, 2024
View reviewed changes
Copy link
Member

@varjolintu varjolintu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of making this change global, I'd suggest adding an exception for this site's TOTP detection to the sites.js.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@varjolintu varjolintu varjolintu requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
2fa bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

HackerOne TOTP is instead seen as password field
3 participants
@bwbroersma @droidmonkey @varjolintu