You mention "pci compliance" but that can mean a lot of things.
Looking at the code it seems the main purpose is to remove disclosure of login names to the public.
// Sets autocomplete="off" on the whole login form so the browser does not offer
// to autofill or store the credentials (this is browser behaviour, not Drupal's
// AJAX autocomplete).
function autocomplete_form_user_login_alter(&$form, &$form_state) {
  $form['#attributes']['autocomplete'] = 'off';
}
But that will only hide the autocomplete, it doesn't prevent a person from *using* the autocomplete. I think a hook_menu_alter that changes the access callback/access arguments for the autocomplete URL will be more thoroughly effective.
For this to work, the name of the function needs to be something more like pci_update_form_user_login_alter because the hook is named based on the module name.
Comments
Comment #1
bendodd commented: I'm not sure I follow you. There is no Drupal [AJAX] autocomplete on these forms; this module refers to the client's browser functionality for form autofilling/password storage: http://www.htmlcodetutorial.com/forms/_INPUT_AUTOCOMPLETE.html (not a great reference).
As hopefully stated in the description, this is not strictly PCI DSS, but is something revealed in the automatic scanning done as part of card scheme representative's basic testing (in this case WorldPay in the UK):
"Approved Scan Vendor (ASV) – a provider approved by the PCI Security Standard Council to carry out a vulnerability scan of your systems. A list is available from the PCI Security Standards Council website" http://www.worldpay.com/saferbusiness/glossary.html
This is the error the ASV generates:
"Forms with the actions http://www.example.com/?q=user/login/ and http://www.example.com/user/login do not explicitly disable autocomplete for the following sensitive fields: pass"
There are various discussions on d.o, for example, http://drupal.org/node/1053862
Comment #2
greggles commented: Right you are!
Sorry, I saw autocomplete and arrays and got confused.
Still it would be good to clarify the purpose on the project page. There can be other changes required for PCI and not all PCI scanners require this one. Is your intention to include all of the improvements in this module as they are identified?
I believe the hook names are still incorrect.
Comment #3
bendodd commented: Right you are!
Updated the project page and hook names as per hook_form_FORM_ID_alter
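As an added example (not the pci_update module's own code), this is what the corrected Drupal 7 hook from comment #3 looks like once the function is named after the module as hook_form_FORM_ID_alter requires. It assumes the module is named pci_update; the form IDs user_login and user_login_block and the pass field are Drupal 7 core's. It also sets the attribute on the password element itself, because the ASV output quoted above names the "pass" field specifically, and covers the login block, which is a separate form ID.

```php
<?php
/**
 * @file
 * Example only: disable browser autocomplete on Drupal 7 login forms.
 * Not the pci_update module's own code; the module name "pci_update" is
 * assumed from this thread.
 */

/**
 * Implements hook_form_FORM_ID_alter() for user_login.
 *
 * The function must be named MODULENAME_form_FORM_ID_alter(), so for the
 * module pci_update and the form ID user_login it is
 * pci_update_form_user_login_alter(); a name that does not start with the
 * module name is never invoked by Drupal.
 */
function pci_update_form_user_login_alter(&$form, &$form_state) {
  _pci_update_disable_autocomplete($form);
}

/**
 * Implements hook_form_FORM_ID_alter() for user_login_block.
 *
 * The login block (form ID user_login_block) is a separate form, so it needs
 * its own hook or the scanner will still flag the block's pass field.
 */
function pci_update_form_user_login_block_alter(&$form, &$form_state) {
  _pci_update_disable_autocomplete($form);
}

/**
 * Helper: set autocomplete="off" on the <form> tag and on the password field.
 *
 * The scanner report quoted in the thread names the "pass" field, so the
 * attribute is placed on that input as well as on the form element; some
 * scanners only inspect the individual sensitive input.
 */
function _pci_update_disable_autocomplete(array &$form) {
  $form['#attributes']['autocomplete'] = 'off';
  if (isset($form['pass'])) {
    $form['pass']['#attributes']['autocomplete'] = 'off';
  }
}
```

After enabling the module, view the source of /user/login and of a page with the login block and check that both the form tag and the password input carry autocomplete="off"; that is what the ASV scan is looking for. The attribute is only a hint to the browser: current browser password managers generally ignore autocomplete="off" on password fields, so this satisfies the scanner's check rather than guaranteeing that credentials are never stored client-side.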
Comment #4
bendodd commented
Comment #5
greggles commented: When you fix it you can change the status to fixed.
Thanks for your work, reviewing now.
Comment #6
bendodd commented: Fixed and released
Comment #7
greggles commented: Note that when you fix something the best Status is "fixed." This leaves it visible in the queue for two weeks, at which point it gets automatically closed by an automated process.
Leaving it in the queue makes it visible to people who may be looking for the same issue and helps prevent duplicate issues.