Fix TOTP detection that are password fields (like HackerOne) #2333

bwbroersma · 2024-09-07T12:48:13Z

droidmonkey · 2024-09-07T12:51:58Z

This needs to be validated for regressions before merging.

varjolintu · 2024-09-07T12:52:10Z

keepassxc-browser/content/totp-field.js

@@ -1,7 +1,7 @@
 'use strict';

-const ignoreRegex = /(bank|coupon|postal|user|zip).*code|comment|author|error/i;
-const ignoredTypes = [ 'email', 'password', 'username' ];


I'm not sure why password was removed. Standard TOTP fields aren't password fields, so this should be kept.

See #2332 solution one, sometimes TOTP fields do have type=password.
Another solution would be the second one (an explicit accept), then the type!=password would also be bypassed.

Instead of making this change global, I'd suggest adding an exception for this site's TOTP detection to the sites.js.

Fix TOTP detection that are password fields (like HackerOne).

cde0aa8

Fixes keepassxreboot#2332

varjolintu reviewed Sep 7, 2024

View reviewed changes

varjolintu added bug 2fa labels Sep 7, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix TOTP detection that are password fields (like HackerOne) #2333

Fix TOTP detection that are password fields (like HackerOne) #2333

bwbroersma commented Sep 7, 2024

droidmonkey commented Sep 7, 2024

varjolintu Sep 7, 2024

bwbroersma Sep 7, 2024

varjolintu Oct 5, 2024

Fix TOTP detection that are password fields (like HackerOne) #2333

Are you sure you want to change the base?

Fix TOTP detection that are password fields (like HackerOne) #2333

Conversation

bwbroersma commented Sep 7, 2024

droidmonkey commented Sep 7, 2024

varjolintu Sep 7, 2024

Choose a reason for hiding this comment

bwbroersma Sep 7, 2024

Choose a reason for hiding this comment

varjolintu Oct 5, 2024

Choose a reason for hiding this comment