535103 - Thunderbird does not (offer to) remember authenticated proxy password

Status: RESOLVED FIXED

(Thunderbird :: Security, defect)

Description

[Kai Stukenbrock]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Build Identifier: Thunderbird 3.0

I am sitting behind an authenticated proxy. When I open an HTML email that loads parts of the mail contents (e.g. images) through HTTP, the password dialogue for proxy authentication pops up (multiple times, actually, but that is a separate bug 469117). The proxy authentication dialogue window offers no checkbox to tell Thunderbird to remember the password. So the next time I start Thunderbird I have to enter the proxy username and password again (and again, multiple times).

This is a major annoyance, and a massive regression in behavior over Thunderbird 2.

Reproducible: Always

Comment 2

[Kai Stukenbrock]

Sorry, but I beg to differ: this bug is _not_ a duplicate of bug 469117!

THIS bug is about Thunderbird not offering to save the proxy authentication password when opening an email.

Bug 469117 is about proxy authentication triggering multiple authentication windows. Fixing bug 469117 does _not_ fix this bug.

Comment 3

[Ludovic Hirlimann [:Usul]]

(In reply to comment #2)
 
> Bug 469117 is about proxy authentication triggering multiple authentication
> windows. Fixing bug 469117 does _not_ fix this bug.

How about it does it because the passwords are not saved.

Comment 4

[Kai Stukenbrock]

I am no expert on any of the code used here, but I doubt that; the multiple proxy authentication dialogues issue is also present in Firefox (bug 475053). Yet, in Firefox there is no problem with FF remembering (i.e storing in in the password manager and recalling it on next startup) the proxy authentication. So I would assume that the multiple authentication dialogues issue and the unwillingness to remember the proxy authentication are separate issues.

Comment 5

[Sam]

I add my voice to Kai on this bug. The behaviour on the latest version of Thunderbird is exactly as described. AND it is really annoying.

Comment 6

[Tim Bates]

The really odd/frustrating thing with this bug is that (at least in 3.0.5), non-message things CAN use stored proxy settings. The "What's New" page for example can not only store the username and password, but will use it just fine.

Also, I'm getting this on Ubuntu 10.04. It's not platform dependant.

Comment 7

[Axel Werner]

This is ANOYING LIKE HELL! Please fix it soon! PLEEEEEEZE!!

Comment 8

[Carolus64]

I confirm that this issue is present and VERY ANNOYING!!!
I'm using thunderbird V3.1.11 and at each update I hope to find the bug solved

Comment 9

[Axel Werner]

I think this bug goes together with 469117 . i think if Tb would save the credentials, the bug #469117 would be solved too. 

Axel

Comment 10

[Berend De Schouwer]

Firefox had these two bugs, and they were distinct bugs.

1. Don't remember credentials.
2. Popup multiple password questions.

When you fix 1., you still get multiple password questions the first time round, because the password isn't remembered yet.  In other words you get 20 simultaneous dialog boxes BEFORE you can tick "remember", and click OK.

In fact, Firefox then ended up with a third problem: assuming your password locker has a master password, Firefox would popup 20 simultaneous questions for the master password.  You could work around that by not having a master password.

1. Remember credentials.
2. Make ask-for-password blocking, so only one dialog box at a time pops up.

The bugs are strongly related, and could probably be fixed by the same person.

For the Firefox bug, see # 475053 mentioned earlier by Kai.

Comment 11

[dacrow]

hey there!
we got the same problem: our thunderbird v7 is on three winXP machines. all connected to the internet via squid proxy for which an authentication is needed. the proxy is added in the connection settings of thunderbird.

problem: if an email from our local email server is received which contains a HTML formatted email, for every single element, which needs to be downloaded from the net, a authentication dialog appears and asking for username and password... but: this dialog doesn't show a "remember"-option for the credentials.

workaround: whenever you startup thunderbird, first go to the menu Help -> About Thunderbird.. this checks for a new version of thunderbird in the internet. the authentication dialog appears with prefilled credentials and a "remember"-checkbox. once you just hit ok, thunderbird checks for a new version. just close the "about thunderbird"-dialog and open up a HTML-formatted email - é viola, the HTML content is loaded without authentication-dialog.

anyway, this really annoying but needs a fix! I would think that it can't be so hard to implement a "remember"-function to the dialog?! or just use the credentials which are used for the thunderbird-update-check..

Comment 12

[:Irving Reid (No longer working on Firefox)]

Attachment: Only return notificationbox elements from getNotificationBox()

getNotificationBox() was returning a parent XUL element of the content window without checking that it was actually a XUL notificationbox; this caused the caller to later throw a no-such-method exception because it called a notificationbox method on the element.

By returning null when a notificationbox isn't obviously available, the password manager instead displays a checkbox in the notification dialog and correctly saves the password.

Comment 13

[Mark Banner (:standard8)]

Comment on attachment 574692 [details] [diff] [review]
Only return notificationbox elements from getNotificationBox()

yep, this now does the right thing for what we want, and is a big improvement.

Comment 14

[Mark Banner (:standard8)]

Checked into trunk builds:

http://hg.mozilla.org/comm-central/rev/69b52d8af4fa

Ludovic: these feels like something we should have some sort of test for. I'm not sure it is easy to do in automated testing with our current set up, there again I'm not sure about doing it in litmus. Thoughts?

Comment 15

[Mark Banner (:standard8)]

Comment on attachment 574692 [details] [diff] [review]
Only return notificationbox elements from getNotificationBox()

I'm considering porting this to our branches so that it gets released earlier. It would be useful if folks seeing the issue could test today's nightly builds (a separate profile/backup is recommended) in a few hours when they appear here:

http://ftp.mozilla.org/pub/mozilla.org/thunderbird/nightly/latest-comm-central/

Comment 16

[:Irving Reid (No longer working on Firefox)]

There is some existing test code for proxies in

https://mxr.mozilla.org/comm-central/source/mozilla/netwerk/test/unit/test_auth_proxy.js

and

https://mxr.mozilla.org/comm-central/source/mozilla/browser/base/content/test/authenticate.sjs

but I'm not sure how easy it would be to get the UI side of the test working. We could at least trap the nasty exception log messages that the old code dumped (at least in debug builds).

Comment 17

[Axel Werner]

(In reply to Mark Banner (:standard8) from comment #15)
> Comment on attachment 574692 [details] [diff] [review] [diff] [details] [review]
> I'm considering porting this to our branches so that it gets released
> earlier. It would be useful if folks seeing the issue could test today's
> nightly builds (a separate profile/backup is recommended) in a few hours
> when they appear here:

1st:

YES PLEASE! please backport to pretty much any older TB (up to TB3 :) ) ! This bug was a blocker in many ways for TB3+ use in enterprises.

2nd - Nightly Tests:

i tested nightly thunderbird-2011-11-15 >> FAILED
i tested nightly thunderbird-2011-11-16 >> PASSED!!!!!

GREAT JOB! 
As soon the Patch got back ported into the todays stable TB Version, hundreds if not thousands will be happy!

best regards
Axel

Comment 18

[Vincent]

Yes, I'm agree with Axel.
Please backport to Thunderbird 3.1 as soon as possible !!!!! 200 users will be happy in our enterprise !! ;)))

I tested the last nightly of Thunderbird and it's ok  !!! Thank you very much.

best regards

Vincent

Comment 19

[Mark Banner (:standard8)]

Checked in to branches for 9 & 10:

http://hg.mozilla.org/releases/comm-aurora/rev/4bfc00a0d86a
http://hg.mozilla.org/releases/comm-beta/rev/29a808426771

Comment 20

[Ludovic Hirlimann [:Usul]]

(In reply to Mark Banner (:standard8) from comment #14)
> Checked into trunk builds:
> 
> http://hg.mozilla.org/comm-central/rev/69b52d8af4fa
> 
> Ludovic: these feels like something we should have some sort of test for.
> I'm not sure it is easy to do in automated testing with our current set up,
> there again I'm not sure about doing it in litmus. Thoughts?

I'll add some litmus test - but the proxy part is almost *never* run. Having some test in litmus can't help. Running them specifically is more tricky as the user needs to have some kind of proxy setup.

https://litmus.mozilla.org/show_test.cgi?id=40446

Comment 21

[Mark Banner (:standard8)]

Comment on attachment 574692 [details] [diff] [review]
Only return notificationbox elements from getNotificationBox()

Whilst this doesn't really fit under the normal rules of acceptability stability and security releases, and 3.1 support will be ending in a few months, we recognise that it is a significant issue for people seeing this bug and therefore we'll include the fix in for 3.1.17.

Comment 22

[Mark Banner (:standard8)]

Checked in: http://hg.mozilla.org/releases/comm-1.9.2/rev/9a0b75bf6ad7