New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 818133 link

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug-Security



Sign in to add a comment

MacViews: views::Textfield doesn't enable secure input for password in HTTP Authentication prompt

Reported by mbl...@gmail.com, Mar 2 2018

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.168 YaBrowser/18.3.1.608 (beta) Yowser/2.5 Safari/537.36

Steps to reproduce the problem:
1. Go to https://jigsaw.w3.org/HTTP/Basic/
2. Focus the password text field

What is the expected behavior?
The secure text input mode should be enabled while the password field is in focus.

The most user-visible effect is that only the ASCII-compatible keyboard layouts are enabled.

What went wrong?
MacViews' Textfield doesn't know how to enable platform-specific secure input text mode.

Did this work before? No 

Chrome version: 64.0.3282.168  Channel: stable
OS Version: OS X 10.13.3
Flash Version: 

Proposed fix: https://chromium-review.googlesource.com/c/chromium/src/+/943064
 
Components: Blink>Forms>Text
Labels: Security_Severity-Low Security_Impact-Stable
Interesting. This sounds like it has a different root cause but the same impact as  Issue 677220 . If the proposed fix is effective, perhaps some piece of it will fix that issue as well.

Comment 2 by mbl...@gmail.com, Mar 2 2018

Yeah, I noticed that bug as well and tried to file it as a separate issue. Currently my fix doesn't call EnableSecureEventInput(), but as I've read the Apple Technote on the topic I discovered that my current solution is only half-baked. Will try to fix all of them in my CL today.

BTW, Am I eligible to participate in https://www.google.com/about/appsecurity/chrome-rewards/index.html? :-)
Components: -Blink>Forms>Text Internals>Network>Auth Internals>Views
Summary: MacViews: views::Textfield doesn't enable secure input for password in HTTP Authentication prompt (was: MacViews: views::Textfield doesn't enable secure text input for password entry)
Ah, actually I suspect that the root cause of the 677220 problem will not impact the HTTP Authentication prompt, because the latter is coming from the unsandboxed browser process.

Comment 4 by mbl...@gmail.com, Mar 2 2018

The root cause of 677220 didn't lead for this issue to happen (this issue happened because noone thought that views::Textfield should enable the secure input mode in the first place), but I fixed it as well. Now secure text input is enabled both for HTTP Auth prompt and password fields on webpages.
Project Member

Comment 5 by bugdroid1@chromium.org, Mar 12 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4

commit f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4
Author: Michail Pishchagin <mblsha@yandex-team.ru>
Date: Mon Mar 12 17:07:26 2018

MacViews: Enable secure text input for password Textfields.

In Cocoa the NSTextInputContext automatically enables secure text input
when activated and it's in the secure text entry mode.

RenderWidgetHostViewMac did the similar thing for ages following the
WebKit example.

views::Textfield needs to do the same thing in a fashion that's
sycnrhonized with RenderWidgetHostViewMac, otherwise the race conditions
are possible when the Textfield gets focus, activates the secure text
input mode and the RWHVM loses focus immediately afterwards and disables
the secure text input instead of leaving it in the enabled state.

BUG= 818133 , 677220 

Change-Id: I6db6c4b59e4a1a72cbb7f8c7056f71b04a3df08b
Reviewed-on: https://chromium-review.googlesource.com/943064
Commit-Queue: Michail Pishchagin <mblsha@yandex-team.ru>
Reviewed-by: Pavel Feldman <pfeldman@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Cr-Commit-Position: refs/heads/master@{#542517}
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/content/browser/renderer_host/render_widget_host_view_mac.h
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/content/browser/renderer_host/render_widget_host_view_mac.mm
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/content/browser/renderer_host/render_widget_host_view_mac_unittest.mm
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/third_party/WebKit/Source/core/editing/FrameSelection.cpp
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/third_party/WebKit/Source/core/editing/FrameSelection.h
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/third_party/WebKit/Source/core/html/forms/HTMLInputElement.cpp
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/third_party/WebKit/Source/core/html/forms/HTMLInputElement.h
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/third_party/WebKit/Source/core/html/forms/InputType.cpp
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/third_party/WebKit/Source/core/html/forms/InputType.h
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/third_party/WebKit/Source/core/html/forms/PasswordInputType.cpp
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/third_party/WebKit/Source/core/html/forms/PasswordInputType.h
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/third_party/WebKit/Source/platform/BUILD.gn
[delete] https://crrev.com/59abdb5ec27148747bc0a6633178ce5a661b6f35/third_party/WebKit/Source/platform/SecureTextInput.cpp
[delete] https://crrev.com/59abdb5ec27148747bc0a6633178ce5a661b6f35/third_party/WebKit/Source/platform/SecureTextInput.h
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/ui/base/BUILD.gn
[add] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/ui/base/cocoa/secure_password_input.h
[add] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/ui/base/cocoa/secure_password_input.mm
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/ui/views/controls/textfield/textfield.cc
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/ui/views/controls/textfield/textfield.h
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/ui/views/controls/textfield/textfield_unittest.cc

Is this now "Fixed"?

Comment 7 by mbl...@gmail.com, Apr 12 2018

Yep. But I created this issue using wrong account that doesn't have the bug edit permission.

Comment 8 by rsesek@chromium.org, Apr 12 2018

Labels: M-67
Owner: mblsha.y...@gmail.com
Status: Fixed (was: Unconfirmed)
Project Member

Comment 9 by sheriffbot@chromium.org, Apr 13 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Cc: awhalley@chromium.org
Labels: -reward-topanel reward-0
I'm afraid the VRP panel declined to reward for this bug. Many thanks for the report. How would you like to be credited in Chrome release notes?

Comment 12 by mbl...@gmail.com, Apr 22 2018

"Michail Pishchagin (Yandex)" or something like that should be fine.
Thanks Michail!
Labels: Release-0-M67
Labels: CVE-2018-6147 CVE_description-missing
Project Member

Comment 16 by sheriffbot@chromium.org, Jul 20

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment