Bug 1630535 - admin password is added to yum repo config
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Repositories
Version: Unspecified
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium with 1 vote
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Satellite QE Team
Reported: 2018-09-18 21:09 UTC by Stephen Wadeley
Modified: 2023-09-07 19:23 UTC (History)

Last Closed: 2023-05-01 14:57:28 UTC




Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4247351 0 Troubleshoot None [Satellite6.5] When enabling/disabling repository's "Mirror On Sync", it errors "An error occurred saving the Reposito... 2019-06-28 00:27:52 UTC

Description Stephen Wadeley 2018-09-18 21:09:17 UTC
Description of problem:


Something in the web UI makes the Firefox password manager associate the admin password with a field for upstream repos.


Version-Release number of selected component (if applicable):

~]# rpm -q satellite
satellite-6.4.0-14.el7sat.noarch

How reproducible:
Not every time; seems to happen the first time.

Steps to Reproduce:
1. Create a custom product with a yum repository.
2. Select the checksum type, ensure upstream user name and password are clear, and save the changes.
3. Go back to the repository and change the checksum type.
4. Confirm the password field is clear and save the changes.
5. See asterisks in the password field and see in the audit logs the password was set.

Actual results:

The Firefox password manager injected the admin password after the save button was clicked.

Expected results:

Firefox password manager should not associate admin password with a field for upstream repos. Can the web UI be improved to prevent this confusing of Firefox?

Additional info:

It seems suboptimal that Firefox injects a password into a field even though it did not match on the name field (if that is what is happening).

Comment 5 Stephen Wadeley 2019-02-06 15:51:58 UTC
Hello

One workaround to these problems of your admin password being added in the web UI where it is not wanted is to use Private Browsing mode.

Thank you

Comment 9 hakon.gislason 2020-02-21 10:16:42 UTC
I would like to add a comment here, since I don't feel the urgency has been conveyed properly from my Red Hat support case. If you want to see the screenshots, they are in case #02262021.

Here is the original case, created Nov 27 2018:
====================================
What problem/issue/behavior are you having trouble with? What do you expect to see?

When discovering repositories with Satellite, the "upstreamUsername" and "upstreamPassword" fields are loaded but not visible (set to ng-hide). [screenshot-1.png]
Google Chrome auto-fills these fields if the user has saved login information for the Satellite web interface, even when hidden. [screenshot-3.png] [screenshot-4.png]
After selecting the repos to sync/mirror, the username and password are saved as the upstream credentials. [screenshot-5.png]
This results in the username and password for the user being sent to the 3rd party servers, which will probably in all cases be administrative credentials to Satellite and/or active directory credentials and usually plaintext HTTP, unless the user specifically specifies HTTPS for the repository.

I have tested and verified this in Satellite 6.3 and 6.4 using tcpdump and Wireshark. [screenshot-6.png]

The solution to this (at least for Google Chrome) would be adding the 'autocomplete="new-password"' attribute to the username & password fields.
See: https://bugs.chromium.org/p/chromium/issues/detail?id=468153
And: https://caniuse.com/#search=autocomplete

Where are you experiencing the behavior? What environment?

Red Hat Satellite 6.4 and 6.3 tested.

When does the behavior occur? Frequently? Repeatedly? At certain times?

Reliably every time a repo is discovered and created.
====================================


This auto-fill issue is also present on many other pages in Satellite. For example when editing Host Groups.

Steps to reproduce that:
1) Use Google Chrome, latest version
2) Save your username & password for Satellite
3) Create a new hostgroup (name: test, lifecycle env: any, content view: any, content source: any)
4) Save hostgroup
5) Chrome should now ask "Save password for xxxxx?"
6) Edit the hostgroup again
7) Chrome should now try to auto-fill "Compute profile, Puppet Master, Puppet CA, OpenSCAP Capsule" with your saved username
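
The fix proposed in comment 9 can be checked mechanically. The following is an added example, not part of the original report and not Satellite's code: a Python template audit that flags credential inputs lacking autocomplete="new-password" and records whether they sit inside an ng-hide container. The matching rule, the sample markup and the names audit and AutofillAudit are assumptions.

```python
from html.parser import HTMLParser

CREDENTIAL_NAMES = ("upstreamusername", "upstreampassword")  # field names from the report

class AutofillAudit(HTMLParser):
    """Flag credential <input>s that lack autocomplete="new-password"."""
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, hidden) for each open container element
        self.findings = []  # (line, field, hidden) for each flagged input

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = ("ng-hide" in attrs or "ng-hide" in (attrs.get("class") or "").split()
                  or any(h for _, h in self.stack))
        if tag == "input":
            self._check(attrs, hidden)
        elif tag not in ("br", "img", "hr", "meta", "link"):
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; unclosed children are dropped with it.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def _check(self, attrs, hidden):
        ident = " ".join(attrs.get(k) or "" for k in ("name", "id", "ng-model")).lower()
        is_cred = (attrs.get("type") or "").lower() == "password" or any(
            n in ident for n in CREDENTIAL_NAMES)
        if is_cred and (attrs.get("autocomplete") or "").lower() != "new-password":
            field = attrs.get("name") or attrs.get("id") or "?"
            self.findings.append((self.getpos()[0], field, hidden))

def audit(template):
    parser = AutofillAudit()
    parser.feed(template)
    parser.close()
    return parser.findings

# Constructed sample, not Satellite's actual markup.
SAMPLE = """<form name="discoveryForm">
  <div ng-hide="!showCredentials">
    <input type="text" name="upstreamUsername" ng-model="repo.upstreamUsername">
    <input type="password" name="upstreamPassword">
  </div>
  <input type="password" name="proxyPassword" autocomplete="new-password">
</form>"""
```

Calling audit(SAMPLE) returns the two upstream fields inside the ng-hide container with their line numbers; the field that already carries the attribute is not reported.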

Comment 10 Bryan Kearney 2020-05-01 14:22:53 UTC
The Satellite Team is attempting to provide an accurate backlog of bugzilla requests which we feel will be resolved in the next few releases. We do not believe this bugzilla will meet that criteria, and have plans to close it out in 1 month. This is not a reflection on the validity of the request, but a reflection of the many priorities for the product. If you have any concerns about this, feel free to contact Red Hat Technical Support or your account team. If we do not hear from you, we will close this bug out. Thank you.

Comment 14 Ian Ballou 2023-05-01 14:57:28 UTC
This is no longer a bug as of at least Satellite 6.10. Please reopen this BZ if there is still an issue with passwords being auto-filled where they shouldn't be.

