
Matching against domain goes too far #1820

Open
cbiere opened this issue May 9, 2024 · 2 comments
Comments

@cbiere

cbiere commented May 9, 2024

When the setting "Subdomain search" is disabled, entries are suggested that match only the last part of the domain name.

To Reproduce

Steps to reproduce the behavior:

  1. Add an entry to the database with the URL https://box.com/
  2. Add an entry to the database with the URL https://dropbox.com/
  3. Browse to https://account.box.com/login
  4. Enter an email address as username
  5. Use autofill with KeePassDX and see that both dropbox and box are suggested, even though dropbox.com should clearly not match box.com and this is even on account.box.com.

Expected behavior

An entry with https://box.com might match any subdomain like example.box.com but not a domain that just has box.com at the end. While enabling the "Subdomain search" setting prevents this from happening, there should be no match because these domains are completely unrelated and it only benefits phishing.

KeePass Database

Irrelevant.

KeePassDX:

  • Version: 4.0.6
  • Build: Free
  • Language: en

Android:

  • Device: sweet
  • Version: 14
@cbiere cbiere added the bug label May 9, 2024
@SuperITMan

Same issue here, the autofill provides wrong entries for the following examples:

  • 192.168.0.1:
    • 192.168.0.10 entries
    • 192.168.0.11 entries
    • 192.168.0.1 entries
  • mydomain.com:
    • sub1.mydomain.com entries
    • sub2.mydomain.com entries
    • mydomain.com entries

@cbiere (Author)

cbiere commented May 11, 2024

Same issue here, the autofill provides wrong entries for the following examples:

  • 192.168.0.1:
    • 192.168.0.10 entries
    • 192.168.0.11 entries
    • 192.168.0.1 entries

Yeah, this looks wrong and even more odd. I wonder if there is a specific logic for matching IP addresses to cause these results.

  • mydomain.com:

    • sub1.mydomain.com entries
    • sub2.mydomain.com entries
    • mydomain.com entries

This is okay if you don't have the option "Subdomain search" enabled. The idea behind this is presumably that many domains use the same credentials on different subdomains like www. or login., for example. The problem is that it also matches sub1mydomain.com which is not a sub-domain of mydomain at all.
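The two symptoms in this thread (dropbox.com offered on account.box.com, and 192.168.0.10 / 192.168.0.11 offered on 192.168.0.1) are both what you get when a matcher compares host strings character-wise instead of label-wise. The following is an added example, not KeePassDX's code: `substring_match` is a hypothetical matcher written only to reproduce the reported behaviour, and `label_match` is the label-aware alternative the reporters are asking for. The modelling of the "Subdomain search" toggle follows the thread's description (disabled: entry and page may differ by leading labels; enabled: hosts must be identical), not the app's actual implementation, and the `len(shorter) >= 2` guard is a stand-in for a public suffix list check, which the example does not include.

```python
import ipaddress
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, without port, userinfo or trailing dot."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".").lower()


def as_ip(host: str):
    """Parsed IP literal, or None for a DNS name. IP literals have no label structure."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' reduction, e.g. account.box.com -> box.com.

    Hypothetical model of how a subdomain-insensitive lookup might derive its
    search key. A real implementation should consult the public suffix list so
    that example.co.uk is not reduced to co.uk.
    """
    return ".".join(host.split(".")[-2:])


def substring_match(entry_url: str, page_url: str) -> bool:
    """Hypothetical matcher that reproduces the thread's symptoms (NOT KeePassDX's code).

    The page host is reduced to its domain (IP literals are kept whole) and then
    tested for substring containment in the stored host. 'dropbox.com' contains
    'box.com' and '192.168.0.10' contains '192.168.0.1', which is exactly the
    over-matching reported above.
    """
    entry, page = host_of(entry_url), host_of(page_url)
    key = page if as_ip(page) else registrable_domain(page)
    return key in entry


def label_match(entry_url: str, page_url: str, subdomain_search: bool = False) -> bool:
    """Label-aware matcher: hosts relate only at dot boundaries, IPs only when equal.

    subdomain_search=False: entry and page may differ by leading labels, so
    box.com <-> account.box.com and mydomain.com <-> sub1.mydomain.com match,
    while dropbox.com and sub1mydomain.com do not.
    subdomain_search=True: the hosts must be identical.
    (Assumption: this is how the thread describes the toggle, not the app's code.)
    """
    entry, page = host_of(entry_url), host_of(page_url)
    entry_ip, page_ip = as_ip(entry), as_ip(page)
    if entry_ip is not None or page_ip is not None:
        # An address is not a name: 192.168.0.10 is unrelated to 192.168.0.1.
        return entry_ip is not None and page_ip is not None and entry_ip == page_ip
    if entry == page:
        return True
    if subdomain_search:
        return False
    e_labels, p_labels = entry.split("."), page.split(".")
    shorter, longer = sorted((e_labels, p_labels), key=len)
    # Compare whole labels, never characters, and require the shared part to be
    # more than a bare TLD so an entry for "com" cannot claim every site.
    # (Assumption: no public suffix list here; with one, test against it instead.)
    return len(shorter) >= 2 and longer[-len(shorter):] == shorter


def suggest(entry_urls, page_url: str, subdomain_search: bool = False):
    """Entries to offer for autofill on page_url, using the label-aware matcher."""
    return [u for u in entry_urls if label_match(u, page_url, subdomain_search)]


if __name__ == "__main__":
    # Constructed sample vault mirroring the hosts named in the thread.
    vault = [
        "https://box.com/",
        "https://dropbox.com/",
        "http://192.168.0.1/",
        "http://192.168.0.10/",
        "https://sub1.mydomain.com/",
        "https://sub1mydomain.com/",
    ]
    for page in ("https://account.box.com/login", "http://192.168.0.1/", "https://mydomain.com/"):
        bad = [u for u in vault if substring_match(u, page)]
        good = suggest(vault, page)
        print(f"{page}\n  substring: {bad}\n  labels:    {good}")
```

The label comparison is the minimum fix; the remaining gap is the public suffix boundary, since with only the two-label guard an entry for a shared hosting suffix such as `github.io` would still be offered on every `*.github.io` site.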

Status: In Progress