From bcdadf5947b3b351cbeb0024470631ee4db1961e Mon Sep 17 00:00:00 2001
From: epriestley
Date: Wed, 13 Aug 2014 10:06:48 -0700
Subject: [PATCH] Add autocomplete=off to all non-login password forms

Summary: Fixes T5579. Modern browsers aggressively autofill credentials, but at least Firefox still behaves slightly better with this flag. Hopefully other browsers will follow suit.

Test Plan: Browsed various interfaces, verifying that login interfaces allow autocomplete while non-login interfaces do not.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T5579

Differential Revision: https://secure.phabricator.com/D10253
---
 .../provider/PhabricatorLDAPAuthProvider.php | 1 +
 .../provider/PhabricatorOAuthAuthProvider.php | 5 +++--
 .../panel/DiffusionSetPasswordPanel.php | 3 +++
 .../PassphraseCredentialEditController.php | 1 +
 .../PassphraseCredentialTypePassword.php | 3 ++-
 .../PhabricatorPeopleLdapController.php | 17 +++++++++--------
 .../panel/PhabricatorSettingsPanelPassword.php | 2 ++
 .../form/control/AphrontFormPasswordControl.php | 8 ++++++++
 8 files changed, 29 insertions(+), 11 deletions(-)

diff --git a/src/applications/auth/provider/PhabricatorLDAPAuthProvider.php b/src/applications/auth/provider/PhabricatorLDAPAuthProvider.php
index f5699295a7..c663f80fc1 100644
--- a/src/applications/auth/provider/PhabricatorLDAPAuthProvider.php
+++ b/src/applications/auth/provider/PhabricatorLDAPAuthProvider.php
@@ -388,6 +388,7 @@ final class PhabricatorLDAPAuthProvider extends PhabricatorAuthProvider {
 ->setName($key)
 ->setLabel($label)
 ->setCaption($caption)
+ ->setDisableAutocomplete(true)
 ->setValue($value);
 break;
 case 'textarea':
diff --git a/src/applications/auth/provider/PhabricatorOAuthAuthProvider.php b/src/applications/auth/provider/PhabricatorOAuthAuthProvider.php
index d2cc062a5b..8f7eae8aac 100644
--- a/src/applications/auth/provider/PhabricatorOAuthAuthProvider.php
+++ b/src/applications/auth/provider/PhabricatorOAuthAuthProvider.php
@@ -113,13 +113,14 @@ abstract class PhabricatorOAuthAuthProvider extends PhabricatorAuthProvider {
 $form
 ->appendChild(
 id(new AphrontFormTextControl())
- ->setLabel($id_label)
+ ->setLabel($id_label)
 ->setName($key_id)
 ->setValue($v_id)
 ->setError($e_id))
 ->appendChild(
 id(new AphrontFormPasswordControl())
- ->setLabel($secret_label)
+ ->setLabel($secret_label)
+ ->setDisableAutocomplete(true)
 ->setName($key_secret)
 ->setValue($v_secret)
 ->setError($e_secret))
diff --git a/src/applications/diffusion/panel/DiffusionSetPasswordPanel.php b/src/applications/diffusion/panel/DiffusionSetPasswordPanel.php
index a17241f4c3..c45acb7185 100644
--- a/src/applications/diffusion/panel/DiffusionSetPasswordPanel.php
+++ b/src/applications/diffusion/panel/DiffusionSetPasswordPanel.php
@@ -125,6 +125,7 @@ final class DiffusionSetPasswordPanel extends PhabricatorSettingsPanel {
 $form
 ->appendChild(
 id(new AphrontFormPasswordControl())
+ ->setDisableAutocomplete(true)
 ->setLabel(pht('Current Password'))
 ->setDisabled(true)
 ->setValue('********************'));
@@ -139,11 +140,13 @@ final class DiffusionSetPasswordPanel extends PhabricatorSettingsPanel {
 $form
 ->appendChild(
 id(new AphrontFormPasswordControl())
+ ->setDisableAutocomplete(true)
 ->setName('password')
 ->setLabel(pht('New VCS Password'))
 ->setError($e_password))
 ->appendChild(
 id(new AphrontFormPasswordControl())
+ ->setDisableAutocomplete(true)
 ->setName('confirm')
 ->setLabel(pht('Confirm VCS Password'))
 ->setError($e_confirm))
diff --git a/src/applications/passphrase/controller/PassphraseCredentialEditController.php b/src/applications/passphrase/controller/PassphraseCredentialEditController.php
index ea40551d73..b971013fdc 100644
--- a/src/applications/passphrase/controller/PassphraseCredentialEditController.php
+++ b/src/applications/passphrase/controller/PassphraseCredentialEditController.php
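Review bot: In the OAuth provider hunk the password control is still populated with `->setValue($v_secret)`, so the secret is written into the `value` attribute of the rendered form, which `autocomplete=off` does nothing to limit. If `$v_secret` holds the stored application secret (the hunk does not show where it is assigned), consider rendering a fixed mask and treating an unchanged mask as "keep the existing secret", the way the disabled `Current Password` field in DiffusionSetPasswordPanel is given `'********************'`. The LDAP provider hunk appears to have the same pattern with `->setValue($value)`, although its control constructor is outside the hunk.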
@@ -276,6 +276,7 @@ final class PassphraseCredentialEditController extends PassphraseController {
 if ($type->shouldShowPasswordField()) {
 $form->appendChild(
 id(new AphrontFormPasswordControl())
+ ->setDisableAutocomplete(true)
 ->setName('password')
 ->setLabel($type->getPasswordLabel())
 ->setDisabled($credential_is_locked)
diff --git a/src/applications/passphrase/credentialtype/PassphraseCredentialTypePassword.php b/src/applications/passphrase/credentialtype/PassphraseCredentialTypePassword.php
index 7f3ef9e6e1..bc55f1e4da 100644
--- a/src/applications/passphrase/credentialtype/PassphraseCredentialTypePassword.php
+++ b/src/applications/passphrase/credentialtype/PassphraseCredentialTypePassword.php
@@ -27,7 +27,8 @@ final class PassphraseCredentialTypePassword
 }
 public function newSecretControl() {
- return new AphrontFormPasswordControl();
+ return id(new AphrontFormPasswordControl())
+ ->setDisableAutocomplete(true);
 }
 }
diff --git a/src/applications/people/controller/PhabricatorPeopleLdapController.php b/src/applications/people/controller/PhabricatorPeopleLdapController.php
index d373399e04..57b3383ad2 100644
--- a/src/applications/people/controller/PhabricatorPeopleLdapController.php
+++ b/src/applications/people/controller/PhabricatorPeopleLdapController.php
@@ -16,20 +16,21 @@ final class PhabricatorPeopleLdapController
 ->setUser($admin)
 ->appendChild(
 id(new AphrontFormTextControl())
- ->setLabel(pht('LDAP username'))
- ->setName('username'))
+ ->setLabel(pht('LDAP username'))
+ ->setName('username'))
 ->appendChild(
 id(new AphrontFormPasswordControl())
- ->setLabel(pht('Password'))
- ->setName('password'))
+ ->setDisableAutocomplete(true)
+ ->setLabel(pht('Password'))
+ ->setName('password'))
 ->appendChild(
 id(new AphrontFormTextControl())
- ->setLabel(pht('LDAP query'))
- ->setCaption(pht('A filter such as (objectClass=*)'))
- ->setName('query'))
+ ->setLabel(pht('LDAP query'))
+ ->setCaption(pht('A filter such as (objectClass=*)'))
+ ->setName('query'))
 ->appendChild(
 id(new AphrontFormSubmitControl())
- ->setValue(pht('Search')));
+ ->setValue(pht('Search')));
 $panel = id(new AphrontPanelView())
 ->setHeader(pht('Import LDAP Users'))
diff --git a/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php b/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
index 0c7fc81934..2aef196b96 100644
--- a/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
@@ -155,12 +155,14 @@ final class PhabricatorSettingsPanelPassword
 $form
 ->appendChild(
 id(new AphrontFormPasswordControl())
+ ->setDisableAutocomplete(true)
 ->setLabel(pht('New Password'))
 ->setError($e_new)
 ->setName('new_pw'));
 $form
 ->appendChild(
 id(new AphrontFormPasswordControl())
+ ->setDisableAutocomplete(true)
 ->setLabel(pht('Confirm Password'))
 ->setCaption($len_caption)
 ->setError($e_conf)
diff --git a/src/view/form/control/AphrontFormPasswordControl.php b/src/view/form/control/AphrontFormPasswordControl.php
index b2a3f1ef50..9e37d7aa20 100644
--- a/src/view/form/control/AphrontFormPasswordControl.php
+++ b/src/view/form/control/AphrontFormPasswordControl.php
@@ -2,6 +2,13 @@
 final class AphrontFormPasswordControl extends AphrontFormControl {
+ private $disableAutocomplete;
+
+ public function setDisableAutocomplete($disable_autocomplete) {
+ $this->disableAutocomplete = $disable_autocomplete;
+ return $this;
+ }
+
 protected function getCustomControlClass() {
 return 'aphront-form-control-password';
 }
@@ -14,6 +21,7 @@ final class AphrontFormPasswordControl extends AphrontFormControl {
 'name' => $this->getName(),
 'value' => $this->getValue(),
 'disabled' => $this->getDisabled() ? 'disabled' : null,
+ 'autocomplete' => ($this->disableAutocomplete ? 'off' : null),
 'id' => $this->getID(),
 ));
 }
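Review bot: `setDisableAutocomplete()` is opt-in and `$disableAutocomplete` has no default, so `AphrontFormPasswordControl` emits no `autocomplete` attribute unless every caller remembers the call; a non-login password form added later will silently allow autofill. Since login forms are the exception, consider inverting the default (`private $disableAutocomplete = true;`) and having login forms opt back in, which would need changes outside this patch. At minimum, document the contract on the setter, e.g. `// Browser hint only, not a security control: call with true on every non-login password field.` The commit message already notes that browsers may not honour the flag, which is worth repeating in that comment. The method containing the `'autocomplete' => ...` line starts outside the second hunk.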