2.5.1 - Browser Confirm Access ignores subdomain specificity

[jm-duke]

I tested this behavior with the KeePassXC-Browser Addon for Firefox and Chrome. Downgrading KeepassXC from 2.5.1 to 2.5.0 fixed the issue, so it seems to be related to the latest version of KeepassXC and not to the browser addon.

Expected Behavior

When browsing to a site, the "KeePassXC-Browser Confirm Access" pop-up requests password access to the credentials stored for this specific site or does not pop-up at all for sites, for which I already granted password access.

Current Behavior

The pop-up requests access to multiple, unrelated sites.

Also, on sites that were already known and that never showed the pop-up after I ticked "Remember this decision", the pop-up requests access to other sites now.

Steps to Reproduce

1. Upgrade KeepassXC to 2.5.1
2. Browse to a site, which requests passwords stored in KeepassXC

Context

Tested on two different Windows desktops, one using Firefox + KeepassXC Browser, the other using Chrome + KeepassXC Browser

Debug Info

KeePassXC - Version 2.5.1
Revision: 0fd8836

Qt 5.13.1
Debugging mode is disabled.

Operating system: Windows 10 (10.0)
CPU architecture: x86_64
Kernel: winnt 10.0.18362

Enabled extensions:

• Auto-Type
• Browser Integration
• SSH Agent
• KeeShare (signed and unsigned sharing)
• YubiKey

Cryptographic libraries:
libgcrypt 1.8.5

[droidmonkey]

We specifically fixed this issue in 2.5.1. What do the URL's look like for the sites that are erroneously sent?

[ThinkChaos]

Since 2.5.1, it KeepassXC sends all the sibling sub-domains: if I browse to a.x.x, KeepassXC asks me if I also want to provide the browser access to credentials for b.x.x, c.x.x, etc.
In my settings, I have checked "Return only best-matching credentials".

[varjolintu]

I'll check the behaviour if there's something we've missed. Thanks for reporting it.

[droidmonkey]

Probably start with a new test case and see where things go sideways

[varjolintu]

@droidmonkey Already did it. I have the fix ready. Sadly this didn't make to 2.5.1.

[varjolintu]

The fix has been submitted. Feel free to test it.

[luchaos]

For what it's worth - the previous version already had an issue with one entry that had a space at the end of the url field. Now it asks for access to seemingly random domains.
Notably when working locally on .test domains - it will ask for other .test domains in the database.
Glad you have it on high priority :) Thank you for your fantastic work!

[varjolintu]

@luchaos Please test the PR if you can! I'd appreciate it if any extra bugs are found.