From ab07a45a03cd0b93541d8238e6006441158f5230 Mon Sep 17 00:00:00 2001
From: Daan Sprenkels <dsprenkels@gmail.com>
Date: Wed, 16 Nov 2016 12:21:12 +0100
Subject: [PATCH] Fix V2.2, add annotation that it was found using Fortify

---
 report/v2_authentication.tex | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/report/v2_authentication.tex b/report/v2_authentication.tex
index 57a210e..ea7cbe5 100644
--- a/report/v2_authentication.tex
+++ b/report/v2_authentication.tex
@@ -15,15 +15,19 @@ public (Principle of complete mediation).
 \end{result}
 
 \item
-\pass{}
+\fail{}
 Verify that forms containing credentials are not filled in by
 the application. Pre-filling by the application implies that
 credentials are stored in plaintext or a reversible format,
 which is explicitly prohibited.
 
 \begin{result}
-No credentials (that should not be stored in plain text) are ever filled in by
-the application.
+No credentials that come from the database are pre-filled by the application.
+However, in some forms, the application pre-fills password fields from the
+request's POST data. This is not necesarry.\footnote{This issue was actually
+overlooked when auditing manually, and was found when running the Fortify tool.
+In the initial audit, we only ensured that no internal information (from the
+database) was leaked in this way.}
 \end{result}
 
 \setcounter{enumi}{3}
-- 
2.20.1