Chris,

On 29/04/20 4:28 am, Chris Lamb wrote:
> Abhijith,
>
>>> otrs2
>>> NOTE: 20200412: Asked upstream for clarity in CVE-2020-1769 patch (abhijith)
>>> + NOTE: 20200427: Cannot find the above comment on the various commits/PRs, nor
>>> + NOTE: 20200427: on the -dev mailing list. I suspect its entirely safe to
>>
>> I sent mail directly to the committer.
>
> Thanks for clarifying. If so, please could you add a clarifying note
> to dla-needed.txt? I suppose the rough principle here would be to
> collect all relevant info so that in the case that someone needs to
> take up your work they can do so with minimal duplicated effort.

Sure, I will follow that.

>> Isn't autocomplete more of a browser-dependent thing? I disabled
>> autocomplete (without the switches) and tested in Firefox but it didn't
>> work.
>
> Indeed. For example, in Firefox:
>
>     We intentionally ignore autocomplete=off for password forms. We
>     believe giving users the option to save their passwords will result
>     in better security than if users use the same simple password on all
>     sites because otherwise they can't remember them.
>
>     -- https://bugzilla.mozilla.org/show_bug.cgi?id=1353035#c2
>
> Regardless and unrelated to the merits of this argument, I am now more
> and more inclined to believe this is a no-dsa issue.

I also believe it is a no-dsa and am going to mark it as no-dsa. But it
would be better if we got some more clarity from upstream.

--abhijith