[fix] autocomplete honeypot field to trick firefox: prevent auto-filing of non-needed form passwords.

2016-01-14 16:24:00 +01:00 · 2016-01-14 16:24:00 +01:00 · 48e71faa88
parent 5f4b6ebb7b
commit 48e71faa88
13 changed files with 75 additions and 36 deletions
--- a/bureau/admin/adm_add.php
+++ b/bureau/admin/adm_add.php
@ -59,7 +59,12 @@ if (isset($error) && $error) {
 	echo "<p class=\"alert alert-danger\">$error</p>";
 }
 ?>
-<form method="post" action="adm_doadd.php" id="main" name="main">
+<form method="post" action="adm_doadd.php" id="main" name="main" autocomplete="off">
+
+<!-- honeypot fields -->
+<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
+<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
+
 <table class="tedit">
 <tr><th><label for="login"><?php __("Username"); ?></label></th><td>
 	<input type="text" class="int" name="login" id="login" value="<?php ehe($login); ?>" size="20" maxlength="16" />
@ -144,7 +149,6 @@ if (isset($error) && $error) {
 </form>
 <script type="text/javascript">
 document.forms['main'].login.focus();
- document.forms['main'].setAttribute('autocomplete', 'off');
 </script>

 <?php include_once("foot.php"); ?>
--- a/bureau/admin/adm_edit.php
+++ b/bureau/admin/adm_edit.php
@ -62,7 +62,12 @@ if (!$r=$admin->get($uid)) {
    echo "<p class=\"alert alert-danger\">$error</p>";
  }
 ?>
-<form method="post" action="adm_doedit.php" name="main" id="main">
+<form method="post" action="adm_doedit.php" name="main" id="main" autocomplete="off">
+
+<!-- honeypot fields -->
+<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
+<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
+
 <table class="tedit">
 <tr>
 	<th><input type="hidden" name="uid" value="<?php echo $uid ?>" />
@ -173,6 +178,5 @@ if ($c=$admin->get($r["creator"])) {
 </p>
 <script type="text/javascript">
 document.forms['main'].pass.focus();
- document.forms['main'].setAttribute('autocomplete', 'off');
 </script>
 <?php include_once("foot.php"); ?>
--- a/bureau/admin/adm_mxaccount.php
+++ b/bureau/admin/adm_mxaccount.php
@ -90,7 +90,12 @@ for($i=0;$i<count($c);$i++) { ?>
 </table>
    <?php } ?>
 <p><?php __("If you want to allow a new server to access your mx-hosted domain list, give him an account."); ?></p>
-<form method="post" action="adm_mxaccount.php" name="main" id="main">
+<form method="post" action="adm_mxaccount.php" name="main" id="main" autocomplete="off">
+
+<!-- honeypot fields -->
+<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
+<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
+
 <table class="tedit">
 <tr><th><label for="newlogin"><?php __("Login"); ?></label></th><th><label for="newpass"><?php __("Password"); ?></label></th></tr>
 <tr>
@ -106,6 +111,5 @@ for($i=0;$i<count($c);$i++) { ?>

 <script type="text/javascript">
 document.forms['main'].newlogin.focus();
-document.forms['main'].setAttribute('autocomplete', 'off');
 </script>
 <?php include_once("foot.php"); ?>
--- a/bureau/admin/adm_slavedns.php
+++ b/bureau/admin/adm_slavedns.php
@ -153,7 +153,12 @@ if (is_array($c)) { ?>

 <p><?php __("If you want to allow a new server to access your domain list, give him an account."); ?></p>

-<form method="post" action="adm_slavedns.php" name="main" id="main">
+<form method="post" action="adm_slavedns.php" name="main" id="main" autocomplete="off">
+
+<!-- honeypot fields -->
+<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
+<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
+
  <table class="tedit">
    <tr><th><label for="newlogin"><?php __("Login"); ?></label></th><th><label for="newpass"><?php __("Password"); ?></label></th></tr>
    <tr>
@ -165,7 +170,6 @@ if (is_array($c)) { ?>
 </form>

 <script type="text/javascript">
-  document.forms['main'].setAttribute('autocomplete', 'off');
  document.forms['main'].newip.focus();
 $(function(){
 	$(".toggle-next").on("click",function(){
--- a/bureau/admin/ftp_edit.php
+++ b/bureau/admin/ftp_edit.php
@ -64,7 +64,12 @@ if (isset($error) && $error) {
 	echo "<p class=\"alert alert-danger\">$error</p>";
 }
 ?>
-<form method="post" action="ftp_doedit.php" name="main" id="main">
+<form method="post" action="ftp_doedit.php" name="main" id="main" autocomplete="off">
+
+<!-- honeypot fields -->
+<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
+<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
+
  <input type="hidden" name="id" value="<?php echo $id ?>" />
  <input type="hidden" name="create" value="<?php echo $create ?>" />
  <table border="1" cellspacing="0" cellpadding="4" class="tedit">
@ -102,7 +107,6 @@ if (isset($error) && $error) {

 <script type="text/javascript">
 document.forms['main'].login.focus();
-document.forms['main'].setAttribute('autocomplete', 'off'); 

 function ftp_edit_pass_toggle() {
  $('#ftp_tr_pass1').toggle();
--- a/bureau/admin/hta_adduser.php
+++ b/bureau/admin/hta_adduser.php
@ -44,7 +44,12 @@ getFields($fields);
 	}
 ?>

-<form method="post" action="hta_doadduser.php" name="main" id="main">
+<form method="post" action="hta_doadduser.php" name="main" id="main" autocomplete="off">
+
+<!-- honeypot fields -->
+<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
+<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
+
 <table border="1" cellspacing="0" cellpadding="4" class='tedit'>
 	<tr>
 		<th><input type="hidden" name="dir" value="<?php ehe($dir); ?>" /><?php __("Folder"); ?></th>
--- a/bureau/admin/hta_edit.php
+++ b/bureau/admin/hta_edit.php
@ -90,7 +90,12 @@ for($i=0;$i<count($r);$i++){ ?>
 <fieldset>
  <legend><h3><?php __("Adding an authorized user"); ?></h3></legend>

-  <form method="post" action="hta_doadduser.php" name="main" id="main">
+  <form method="post" action="hta_doadduser.php" name="main" id="main" autocomplete="off">
+
+<!-- honeypot fields -->
+<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
+<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
+
    <table class="tedit">
      <tr>
        <th><input type="hidden" name="dir" value="<?php echo $dir ?>" /><?php __("Folder"); ?></th>
@ -118,7 +123,6 @@ for($i=0;$i<count($r);$i++){ ?>
  
 <script type="text/javascript">
  document.forms['main'].user.focus();
-  document.forms['main'].setAttribute('autocomplete', 'off'); 
 </script>

 <?php include_once("foot.php"); ?>
--- a/bureau/admin/hta_edituser.php
+++ b/bureau/admin/hta_edituser.php
@ -43,7 +43,12 @@ getFields($fields);

 <?php if (!empty($error) ) { echo "<p class=\"alert alert-danger\">$error</p>"; } ?>

-<form method="post" action="hta_doedituser.php" name="main" id="main">
+<form method="post" action="hta_doedituser.php" name="main" id="main" autocomplete="off">
+
+<!-- honeypot fields -->
+<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
+<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
+
  <input type="hidden" name="dir" value="<?php echo $dir ?>">
  <input type="hidden" name="user" value="<?php echo $user ?>">
  <table border="1" cellspacing="0" cellpadding="4" class='tedit'>
@ -70,7 +75,6 @@ getFields($fields);

 <script type="text/javascript">
  document.forms['main'].newpass.focus();
-  document.forms['main'].setAttribute('autocomplete', 'off');
 </script>

 <?php include_once("foot.php"); ?>
--- a/bureau/admin/mail_edit.php
+++ b/bureau/admin/mail_edit.php
@ -61,7 +61,12 @@ if (isset($error)) {
 }
 ?>

-<form action="mail_doedit.php" method="post" name="main" id="main">
+<form action="mail_doedit.php" method="post" name="main" id="main" autocomplete="off">
+
+<!-- honeypot fields -->
+<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
+<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
+
 <input type="hidden" name="mail_id" value="<?php echo $mail_id; ?>" />
 <table class="tedit">
  <tr><th colspan="2"><b><?php __("Is this email enabled?"); ?></b></th></tr>
@ -93,8 +98,8 @@ if (isset($error)) {
      <div id="poptbl">
 	<table class="tedit" >
          <tr id='mail_edit_pass' style='display: none;'><td colspan='2'><a href='javascript:mail_edit_pass();'><?php __("Click here to edit the existing password");?></a></td></tr>
-	  <tr id='mail_edit_pass1'><td><label for="pass"><?php __("Enter a POP/IMAP password"); ?></label></td><td><input type="password" class="int" autocomplete="off" name="pass" id="pass" value="" size="20" maxlength="32" autocomplete="off" /><?php display_div_generate_password(DEFAULT_PASS_SIZE,"#pass","#passconf"); ?></td></tr>
-	  <tr id='mail_edit_pass2'><td><label for="passconf"><?php __("Confirm password"); ?></label></td><td><input type="password" class="int" autocomplete="off" name="passconf" id="passconf" value="" size="20" maxlength="32" autocomplete="off" /></td></tr>
+	  <tr id='mail_edit_pass1'><td><label for="pass"><?php __("Enter a POP/IMAP password"); ?></label></td><td><input type="password" class="int" autocomplete="off" name="pass" id="pass" value="" size="20" maxlength="32" /><?php display_div_generate_password(DEFAULT_PASS_SIZE,"#pass","#passconf"); ?></td></tr>
+	  <tr id='mail_edit_pass2'><td><label for="passconf"><?php __("Confirm password"); ?></label></td><td><input type="password" class="int" autocomplete="off" name="passconf" id="passconf" value="" size="20" maxlength="32" /></td></tr>
 	  <tr><td><label for="quotamb"><?php __("Maximum allowed size of this Mailbox"); ?></label></td><td><input type="text" class="int intleft" style="text-align: right" name="quotamb" id="quotamb" value="<?php ehe($quotamb); ?>" size="7" maxlength="6" /><span class="int intright"><?php __("MB"); ?></span></td></tr>
 	</table>
      </div>
@ -122,15 +127,7 @@ foreach($html as $h) echo $h;
 }
 ?>
 <script type="text/javascript">
-    $(document).ready(function() {
-    $('#email').focus();
-    <?php if (!$islocal) { ?>
-    popoff();
-    <?php } ?>
-    $('#turnoff').hide();
-    $('#pass').attr('autocomplete','off');
-    $('#passconf').attr('autocomplete','off');
-});
+
 function popoff() {
    $('#turnoff').show(); 
    $('#poptbl').addClass('grey'); 
--- a/bureau/admin/mem_param.php
+++ b/bureau/admin/mem_param.php
@ -77,7 +77,12 @@ if (!$mem->user["canpass"]) {
 echo "<p>";
 __("help_chg_passwd"); ?>
 </p>
-<form method="post" action="mem_passwd.php" name="main" id="main">
+<form method="post" action="mem_passwd.php" name="main" id="main" autocomplete="off">
+
+<!-- honeypot fields -->
+<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
+<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
+
 <table border="1" cellspacing="0" cellpadding="4" class="tedit" >
 <tr><th><?php __("Old password"); ?></th><td><input type="password" class="int" name="oldpass" value="<?php isset($oldpass) ? : $oldpass=""; echo $oldpass; ?>" size="20" maxlength="128" /></td></tr>
 <tr><th><?php __("New password"); ?> (1)</th><td><input type="password" class="int" autocomplete="off" id="newpass" name="newpass" value="<?php isset($newpass) ? : $newpass=""; echo $newpass;  ?>" size="20" maxlength="60" /><?php display_div_generate_password(DEFAULT_PASS_SIZE,"#newpass","#newpass2"); ?></td></tr>
--- a/bureau/admin/sql_list.php
+++ b/bureau/admin/sql_list.php
@ -110,8 +110,4 @@ for($i=0;$i<count($rdb);$i++) {
 }
 }
 ?>
-<script type="text/javascript">
-//document.forms['main'].pass.focus();
-//document.forms['main'].setAttribute('autocomplete', 'off');
-</script>
 <?php include_once("foot.php"); ?>
--- a/bureau/admin/sql_users_add.php
+++ b/bureau/admin/sql_users_add.php
@ -53,7 +53,12 @@ getFields($fields);
 		}
 	}
 ?>
-<form method="post" action="sql_users_doadd.php" id="main" name="main">
+<form method="post" action="sql_users_doadd.php" id="main" name="main" autocomplete="off">
+
+<!-- honeypot fields -->
+<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
+<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
+
 <table class="tedit">
 <tr>
  <th><label for="usern"><?php __("Username"); ?></label></th>
@ -80,7 +85,5 @@ getFields($fields);
  } else {
    document.forms['main'].usern.focus();
  }
-  document.forms['main'].setAttribute('autocomplete', 'off');
-
 </script>
 <?php include_once("foot.php"); ?>
--- a/bureau/admin/sql_users_password.php
+++ b/bureau/admin/sql_users_password.php
@ -52,8 +52,13 @@ if (! empty($error) ) {

 ?>

-<form method="post" action="sql_users_dopassword.php">
+<form method="post" action="sql_users_dopassword.php" autocomplete="off">
 <input type="hidden" name="id" value="<?php echo $id; ?>" />
+
+<!-- honeypot fields -->
+<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
+<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
+
 <table cellspacing="0" cellpadding="4" class="tedit">
  <tr>
    <th><label for="password"><?php __("Password"); ?></label></th>