Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(54)

Issue 2306513002: Reland "Filter out credentials with non-matching schemes" (Closed)

Created:
4 years, 3 months ago by vabr (Chromium)
Modified:
4 years, 3 months ago
Reviewers:
dvadym
CC:
chromium-reviews, gcasto+watchlist_chromium.org, vabr+watchlistpasswordmanager_chromium.org
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Reland "Filter out credentials with non-matching schemes" The original CL: https://codereview.chromium.org/2298733002 The revert: https://codereview.chromium.org/2298263002 The original CL caused failures on Win7 debug bots, which are not present in the CQ trybots set. The issue was genuine: the newly introduced code modified a vector and invalidated some iterators used later. The patch set 1 here is the reverted change, patch sets 2+ are fixes. The fix here also replaces "non-relevant" with "irrelevant", to improve the language, and does some further restructuring of the code based on reviewer feedback from dvadym@. Original description: Filter out credentials with non-matching schemes PasswordFormManager::ProcessMatches currently happily accepts credentials from PasswordStore with a different PasswordForm::Scheme than the observed form has. However, it still has a DCHECK against it later (in the Autofill* methods), so it is clearly not expecting these, rather than mixing the schemes being by design. And it should not be by design. Especially, if the saved credential is a non-HTML one, and should be filled in a HTML form. Mixing them makes the non-HTML credential vulnerable against (injected attacker's) JavaScript accessing them. This CL filters out credentials with non-matching scheme from the batch coming from the PasswordStore. Given the absence of DCHECKs in release builds, this actually changes the behaviour for Chrome users, but the change is a desired one. BUG=640897 Committed: https://crrev.com/639b09a35f402f1e49e0a9ef7cb72705abd96421 Cr-Commit-Position: refs/heads/master@{#416536}

Patch Set 1 : Reverted patch #

Patch Set 2 : Fix #

Patch Set 3 : Just rebased #

Patch Set 4 : Restructured + more tests #

Total comments: 5
Unified diffs Side-by-side diffs Delta from patch set Stats (+140 lines, -58 lines) Patch
M components/password_manager/core/browser/password_form_manager.h View 1 2 3 2 chunks +8 lines, -1 line 0 comments Download
M components/password_manager/core/browser/password_form_manager.cc View 1 2 3 2 chunks +70 lines, -57 lines 5 comments Download
M components/password_manager/core/browser/password_form_manager_unittest.cc View 1 2 3 3 chunks +62 lines, -0 lines 0 comments Download

Messages

Total messages: 24 (14 generated)
vabr (Chromium)
Hi Vadym, Please review this patch. I was able to reproduce the failures on my ...
4 years, 3 months ago (2016-09-01 10:13:36 UTC) #4
vabr (Chromium)
Hi Vadym, A gentle ping: could you please review the diff between patch sets 2 ...
4 years, 3 months ago (2016-09-02 16:30:16 UTC) #8
vabr (Chromium)
Hi Vadym, I tried to address your comments from our offline discussion. Please review the ...
4 years, 3 months ago (2016-09-02 18:32:48 UTC) #12
dvadym
LGTM, thanks Vaclav for refactoring this, now it looks much better! https://codereview.chromium.org/2306513002/diff/60001/components/password_manager/core/browser/password_form_manager.cc File components/password_manager/core/browser/password_form_manager.cc (right): ...
4 years, 3 months ago (2016-09-05 10:58:05 UTC) #15
vabr (Chromium)
Thanks, Vadym for the review. Please see my response to your second comment below, there ...
4 years, 3 months ago (2016-09-05 11:39:10 UTC) #16
dvadym
https://codereview.chromium.org/2306513002/diff/60001/components/password_manager/core/browser/password_form_manager.cc File components/password_manager/core/browser/password_form_manager.cc (right): https://codereview.chromium.org/2306513002/diff/60001/components/password_manager/core/browser/password_form_manager.cc#newcode1184 components/password_manager/core/browser/password_form_manager.cc:1184: blacklisted_form.origin.GetOrigin() != On 2016/09/05 11:39:10, vabr (Chromium) wrote: > ...
4 years, 3 months ago (2016-09-05 11:48:37 UTC) #17
vabr (Chromium)
On 2016/09/05 11:48:37, dvadym wrote: > https://codereview.chromium.org/2306513002/diff/60001/components/password_manager/core/browser/password_form_manager.cc > File components/password_manager/core/browser/password_form_manager.cc (right): > > https://codereview.chromium.org/2306513002/diff/60001/components/password_manager/core/browser/password_form_manager.cc#newcode1184 > ...
4 years, 3 months ago (2016-09-05 11:49:50 UTC) #18
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2306513002/60001
4 years, 3 months ago (2016-09-05 11:50:23 UTC) #20
commit-bot: I haz the power
Committed patchset #4 (id:60001)
4 years, 3 months ago (2016-09-05 12:38:18 UTC) #22
commit-bot: I haz the power
4 years, 3 months ago (2016-09-05 12:39:44 UTC) #24
Message was sent while issue was closed.
Patchset 4 (id:??) landed as
https://crrev.com/639b09a35f402f1e49e0a9ef7cb72705abd96421
Cr-Commit-Position: refs/heads/master@{#416536}

Powered by Google App Engine
This is Rietveld 408576698