KeePass returning unrelated credentials over keepasshttp #1017

Closed
eversins opened this issue Oct 1, 2017 · 13 comments

@eversins

eversins commented Oct 1, 2017

Hello, since the last AUR update, when I go on a random unknown site with a logon field, I get prompted to grant chromeIPass access to 7 account credentials.
It is always the same accounts but I see no pattern as to why.

When on a site where I have credentials saved it works as expected. (although accounts on the same domain with different paths are also shown now)

Did something in the search/filtering from keepasshttp change?

Expected Behavior

Nothing at all should happen, it's not the correct site for the credentials.

Current Behavior

Prompt opens to grant access to 7 unrelated accounts.

Debug Info

Version | 2.2.0.r94.gbe312bbe-1
KeePassXC - Version 2.2.0
Revision: be312bb

Libraries:

  • Qt 5.9.1
  • libgcrypt 1.8.1

Operating system: Manjaro Linux
CPU architecture: x86_64
Kernel: linux 4.13.4-1-MANJARO

Enabled extensions:

  • KeePassHTTP
  • Auto-Type
  • YubiKey

@droidmonkey
Member

Recommend using the just released v2.2.1

@alexisju

alexisju commented Oct 2, 2017

Same here with 2.2.1 (Snap on Mint). Maybe related to Firefox update (55.0.2)?

I get KP prompts on any website containing any single field. KP proposes credentials from entries without a specific URL...

Very annoying.

@yan12125
Contributor

yan12125 commented Oct 2, 2017

I got this issue on 2.2.1 (14e3d9d), too. This is a possible fix:

diff --git a/src/core/Entry.cpp b/src/core/Entry.cpp
index 238c2617..4278354a 100644
--- a/src/core/Entry.cpp
+++ b/src/core/Entry.cpp
@@ -796,7 +828,7 @@ QString Entry::resolveUrl(const QString& url) const
 {
 #ifdef WITH_XC_HTTP
     QString newUrl = url;
-    if (!url.contains("://")) {
+    if (!url.isEmpty() && !url.contains("://")) {
         // URL doesn't have a protocol, add https by default
         newUrl.prepend("https://");
     }
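
Review bot: The new `!url.isEmpty()` guard in `Entry::resolveUrl` only covers a strictly empty string, so a URL field that holds nothing but whitespace would still enter the branch and come out with `https://` prepended; consider checking `url.trimmed().isEmpty()` or trimming before the test. The comment above `newUrl.prepend("https://")` should also say that empty values are skipped on purpose, since this issue reports entries without a URL being offered on unrelated sites, and a regression test for an entry with an empty URL would keep that from returning. The hunk header offsets differ (`-796,7 +828,7`), so the patch was generated against a tree with other local changes and may need rebasing before it applies cleanly.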

I haven't had time to create a minimal reproducer. Hopefully the fix explains itself.

@GuilloOme

For me too, it started with v2.2.1

You're right @yan12125, it returns all entries with an empty URL.

@droidmonkey
Member

This regression was introduced in 35c6df2.

@rugk

rugk commented Dec 23, 2017

I am having this issue again with v2.2.2, as it seems. See smorks/keepasshttp-connector#63

@phoerious
Member

Please update to 2.2.4.

@rugk

rugk commented Dec 23, 2017

Okay, seems it will soon be published in the repo: https://bugzilla.redhat.com/show_bug.cgi?id=1525740

@rugk

rugk commented Dec 31, 2017

Please reopen, it is still reproducible on https://engelsystem.de/34c3/ e.g.

[Image: wronggiteapassword]

Firefox 57
Again tries to use wrong credentials already screenshotted here: smorks/keepasshttp-connector#63 (comment)

@yan12125
Contributor

yan12125 commented Jan 1, 2018

KeePassXC also matches URLs against entry titles. Is this the case for you @rugk? If so that's a different issue.

@rugk

rugk commented Jan 1, 2018

No, the entry title is a URL to a completely different (.io) domain and then – as you see, the string "Gitea". See smorks/keepasshttp-connector#63 (comment) for what the entry looks like.

@yan12125
Contributor

yan12125 commented Jan 1, 2018

Thanks for the screenshot. I can confirm the bug. (I'm not a core developer here so I can't reopen this issue)

@yan12125
Contributor

yan12125 commented Jan 1, 2018

@rugk: This looks like a different issue; I opened #1340
