Open Bug 1339479 Opened 7 years ago Updated 3 months ago

Hex value "f" is not used for "cnonce" calculation in nsHttpDigestAuth::GenerateCredentials

Categories

(Core :: Networking: HTTP, defect, P3)

51 Branch
defect

Tracking

()

UNCONFIRMED

People

(Reporter: chamal.desilva, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-would-take])

Attachments

(1 file)

Attached file auth.php
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce:

1. Download and copy auth.php to a local web server's root folder.
    The web server should support PHP. Otherwise it is necessary to convert auth.php to a language that your web server supports.
2. Open Firefox and visit http://127.0.0.1/auth.php
3. auth.php will prompt for a user name and password.
4. Enter any user name and password and press the OK button.
5. The web page will display the "Authorization" header of the HTTP request.
   Note that the cnonce value in the "Authorization" header contains hex values from 0 to "e", but not "f".
6. Refresh this web page several times to check whether the cnonce value contains the hex value "f".


Actual results:

Hex value "f" is not present in cnonce.


Expected results:

Hex value "f" should be present in cnonce, unless it is the way intended.

Cause of Bug
------------

This bug is in the below-mentioned lines of the nsHttpDigestAuth::GenerateCredentials method in the netwerk\protocol\http\nsHttpDigestAuth.cpp file.

nsAutoCString cnonce;
  
static const char hexChar[] = "0123456789abcdef";
for (int i=0; i<16; ++i) {
  cnonce.Append(hexChar[(int)(15.0 * rand()/(RAND_MAX + 1.0))]);
}

The above code calculates the "cnonce" value which should be sent with the HTTP "Authorization" header.
RAND_MAX = 32767
So the maximum value the above formula can give is
(15.0 * rand()/(RAND_MAX + 1.0)) = (15.0 * 32767/(32767 + 1.0)) = 14.99954223632813
But casting the above result (14.99954223632813) to an integer makes it 14, since integer casting rounds towards 0.

So the "f" hex value in the hexChar[] array is never used, since it is at the 15th index.
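
The truncation described in the comment above can be checked exhaustively over every possible rand() result. This is an added example, not code from the bug report or from Firefox; it assumes RAND_MAX = 32767 as stated in the report, and the names IndexHistogram and ReachableSymbols and the 16.0 multiplier are hypothetical, introduced only for comparison.

```cpp
// Added illustration: enumerate every possible rand() result and record which
// hexChar index the cnonce expression selects. RAND_MAX is pinned to 32767,
// the value quoted in the report, so the result does not depend on the host.
#include <array>
#include <cstdio>

constexpr int kRandMax = 32767;  // assumption taken from the report

// Histogram of (int)(scale * r / (kRandMax + 1.0)) over r = 0..kRandMax.
std::array<int, 16> IndexHistogram(double scale) {
  std::array<int, 16> hits{};
  for (int r = 0; r <= kRandMax; ++r) {
    int idx = (int)(scale * r / (kRandMax + 1.0));  // same shape as the quoted line
    ++hits[idx];
  }
  return hits;
}

// Number of hexChar entries that can ever be selected with this multiplier.
int ReachableSymbols(double scale) {
  int n = 0;
  for (int h : IndexHistogram(scale)) n += (h > 0);
  return n;
}

int main() {
  static const char hexChar[] = "0123456789abcdef";
  const auto cur = IndexHistogram(15.0);  // multiplier in the quoted code
  const auto alt = IndexHistogram(16.0);  // hypothetical multiplier, not a landed patch
  for (int i = 0; i < 16; ++i)
    std::printf("'%c'  15.0: %5d   16.0: %5d\n", hexChar[i], cur[i], alt[i]);
  std::printf("reachable symbols: %d vs %d\n",
              ReachableSymbols(15.0), ReachableSymbols(16.0));
  return 0;
}
```

With 15 reachable symbols, a 16-character cnonce carries at most 16 * log2(15), about 62.5 bits, instead of 64, independent of the quality of rand() itself.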
OS: Unspecified → All
Hardware: Unspecified → All
Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1233337 seems to be related, since its crash signal also points to the same place in the code. I found this bug while looking into that bug.
Attachment #8837194 - Attachment mime type: application/x-php → text/plain
Group: firefox-core-security → network-core-security
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
This does not look like a security issue.

cnonce is defined as:
"The cnonce value is an opaque quoted ASCII-only string value provided by the client"

so it is just a string. This was implemented a long time ago, I would just leave it as it is. So one element of that array is not used.
Group: network-core-security
Whiteboard: [necko-would-take]
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P5
Severity: normal → S3
Blocks: necko-auth
Priority: P5 → P3