Firefox password-issue in personal configuration

[onli]

There are a few reports of this issue in the forum: The Firefox-issue in the personal configuration. Firefox enters the password in there, and this results in an error-message by serendipity when trying to save.
I think that the error is caused by wrong behavior of serendipity rather than Firefox. What happens exactly: The old password is entered unchanged, the check-password-value is empty, so s9y shouldn't change the password - and it shouldn't display the error-message. This is almost the same exception as when no password is entered at all.

The current boolean-expression is:

Code: Select all

!empty($_POST['password']) && $_POST['check_password'] != $_SESSION['serendipityPassword'] && serendipity_passwordhash($_POST['check_password']) != $_SESSION['serendipityPassword']) {

The first part-expression is the exception. We can extend this to:

Code: Select all

!empty($_POST['password']) => ( !empty($_POST['password'] && $_POST['password'] != $_SESSION['serendipityPassword'] && serendipity_passwordhash($_POST['password']) != $_SESSION['serendipityPassword'] )

To be honest, I didn't test this expression, I'm not utterly sure the brackets are correct (but they should, according to the rules). I negated it (thanks De Morgan ) and worked with that easier to read one. In my (pretty basic) tests it worked fine, the Firefox-issue is no more. Maybe you want to have a look at it.
sincerely

[garvinhicking]

Hi!

We use autocomplete=off for the password field, so there shouldn't be an error?

I currently have no time to wrap my head around the logic, since it's potentially very dangerous to change and people currently should have no issues with it (due to autocomplete=off) I'm reluctant to change anytthing there right now...

Regards,
Garvin

[onli]

Hi Garvin
In 1.4.1 und 1.5 (alpha2) the firefox-issue is still present for me, but I'll check that. Really think you should have a look at it when you have the time - the logic in the simple-version is easier, that alone is an improvement to the negated current one.
sincerely

PS: Thought that autocomplete maybe is missing at my both installations because I'm using a custom admin-template. But it's also missing with the standard one. Besides that is autocomplete not a real standard, is it?

[onli]

*grml*

[onli]

push: In 1.5, there is still no "autocomplete=off" in this dialog and the issue is still present.
sincerely

[garvinhicking]

Hi!

autocomplete is container in the include/functions_installer.inc.php file for 'password' type input fields...?!?

Wher eexactly do you not see it?

Regards,
Garvin

[onli]

When I go in my local blog (serendipity 1.5 alpha 2, shall I test a newer one?), there to "Eigene Einstellungen" (personal configuration), a password is automatically entered into the password-field and I can't find any autocomplete-command in the html. Template is bulletproof.

[garvinhicking]

Hi!

Ah, damn! I confused this with the database user password. I now also committed it for the usual user password.

Regards,
Garvin

[onli]

Great