Closed Bug 1216986 Opened 4 years ago Closed 4 years ago

Password (form field) not stored for URLs using literal IPv6 addresses

Categories

(Toolkit :: Password Manager, defect)

41 Branch
RESOLVED FIXED
mozilla45
Tracking Status
firefox42 --- affected
firefox43 --- affected
firefox44 --- affected
firefox45 --- fixed

People

(Reporter: chkr, Assigned: MattN)

Attachments

(2 files)

Attached file test.html
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20151015125802

Steps to reproduce:

- use a web page having a password form field (or just put the attached test.html onto a web server accessible via IPv4 and IPv6)

- access the web page using its IPv4 and its IPv6 address like http://[2001:0DB8::1]/test.html (use a global or unique local address)

- fill out the password field and press enter to submit the form


Actual results:

IPv4:
- password manager asks for storing the password
- password is actually stored (Preferences -> Security -> Saved Passwords)

IPv6:
a) firefox 41.0.2
- password manager asks for storing the password
- password is NOT stored

b) today's nightly: 44.0a1 (2015-10-19)
- password manager does not ask for storing the password
- password is NOT stored


Expected results:

Even when using a literal IPv6 address (at least for global or unique local addresses) in the URL, the password manager should store the password.
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
I used today's hg head for generating the log files. They contain all debug messages for the 3rd step in the initial description (fill out the field and press enter).
--------------------
hg summary
parent: 273813:45273bbed8ef tip
--------------------

IPv6:
observer notified for form submission. LoginManagerContent.jsm:44
Couldn't parse origin for http://2001:0DB8::1 LoginManagerContent.jsm:1179
TypeError: http://2001:0DB8::1 is not a valid URL. LoginManagerParent.jsm:184:25
_filterRecipesForForm undefined LoginRecipes.jsm:197
getFieldOverrides: filtered recipes: <unavailable> LoginRecipes.jsm:222
(form -- no username field found) LoginManagerContent.jsm:673
Password field <unavailable> has name:   LoginManagerContent.jsm:683
nsLoginManager:Checking if logins to http://2001:0DB8::1 can be saved. nsLoginManager.js:434
Login storage:Getting login saving is enabled for http://2001:0DB8::1 storage-json.js:409
nsLoginManager:Searching for logins matching host: http://2001:0DB8::1 formSubmitURL: null httpRealm: null nsLoginManager.js:375
Login storage:_searchLogins: returning 0 logins storage-json.js:376
Login storage:_findLogins: returning 0 logins storage-json.js:451
LoginManagerPrompter:===== initialized ===== nsLoginManagerPrompter.js:710
LoginManagerPrompter:_getShortDisplayHost couldn't process http://2001:0DB8::1 nsLoginManagerPrompter.js:1621
NS_ERROR_MALFORMED_URI: Component returned failure code: 0x804b000a (NS_ERROR_MALFORMED_URI) [nsIIOService2.newURI] nsLoginManagerPrompter.js:986:0
onDOMFormHasPassword: <unavailable> <unavailable> LoginManagerContent.jsm:281
Couldn't parse origin for http://2001:0DB8::1 LoginManagerContent.jsm:1179
nsLoginManager:Counting logins matching host: http://2001:0DB8::1 formSubmitURL:  httpRealm: null nsLoginManager.js:405
Login storage:_searchLogins: returning 0 logins storage-json.js:376
Login storage:_countLogins: counted logins: 0 storage-json.js:469
Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.[Learn More] <unknown>
Password fields present in a form with an insecure (http://) form action. This is a security risk that allows user login credentials to be stolen.[Learn More] <unknown>
nsLoginManager:Counting logins matching host: http://2001:0DB8::1 formSubmitURL:  httpRealm: null nsLoginManager.js:405
Login storage:_searchLogins: returning 0 logins storage-json.js:376
Login storage:_countLogins: counted logins: 0 storage-json.js:469

IPv4:
observer notified for form submission. LoginManagerContent.jsm:44
_filterRecipesForForm <unavailable> LoginRecipes.jsm:197
getFieldOverrides: filtered recipes: <unavailable> LoginRecipes.jsm:222
(form -- no username field found) LoginManagerContent.jsm:673
Password field <unavailable> has name:   LoginManagerContent.jsm:683
nsLoginManager:Checking if logins to "http://127.0.0.1" can be saved. nsLoginManager.js:434
Login storage:Getting login saving is enabled for "http://127.0.0.1" storage-json.js:409
nsLoginManager:Searching for logins matching host: "http://127.0.0.1" formSubmitURL: "http://127.0.0.1" httpRealm: null nsLoginManager.js:375
Login storage:_searchLogins: returning 0 logins storage-json.js:376
Login storage:_findLogins: returning 0 logins storage-json.js:451
LoginManagerPrompter:===== initialized ===== nsLoginManagerPrompter.js:710
LoginManagerPrompter:"_getShortDisplayHost couldn't process http://127.0.0.1" nsLoginManagerPrompter.js:1621
nsLoginManager:Searching for logins matching host: "http://127.0.0.1" formSubmitURL: "http://127.0.0.1" httpRealm: null nsLoginManager.js:375
Login storage:_searchLogins: returning 0 logins storage-json.js:376
Login storage:_findLogins: returning 0 logins storage-json.js:451
nsLoginManager:Searching for logins matching host: "http://127.0.0.1" formSubmitURL: "http://127.0.0.1" httpRealm: null nsLoginManager.js:375
Login storage:_searchLogins: returning 0 logins storage-json.js:376
Login storage:_findLogins: returning 0 logins storage-json.js:451
onDOMFormHasPassword: <unavailable> <unavailable> LoginManagerContent.jsm:281
nsLoginManager:Counting logins matching host: "http://127.0.0.1" formSubmitURL:  httpRealm: null nsLoginManager.js:405
Login storage:_searchLogins: returning 0 logins storage-json.js:376
Login storage:_countLogins: counted logins: 0 storage-json.js:469
Password fields present in a form with an insecure (http://) form action. This is a security risk that allows user login credentials to be stolen.[Learn More] <unknown>
nsLoginManager:Counting logins matching host: "http://127.0.0.1" formSubmitURL:  httpRealm: null nsLoginManager.js:405
Login storage:_searchLogins: returning 0 logins storage-json.js:376
Login storage:_countLogins: counted logins: 0 storage-json.js:469
nsLoginManager:Searching for logins matching host: "http://127.0.0.1" formSubmitURL: "http://127.0.0.1" httpRealm: null nsLoginManager.js:375
Login storage:_searchLogins: returning 0 logins storage-json.js:376
Login storage:_findLogins: returning 0 logins storage-json.js:451
nsLoginManager:Searching for logins matching host: "http://127.0.0.1" formSubmitURL: "http://127.0.0.1" httpRealm: null nsLoginManager.js:375
Login storage:_searchLogins: returning 0 logins storage-json.js:376
Login storage:_findLogins: returning 0 logins storage-json.js:451
nsLoginManager:Adding login nsLoginManager.js:302
Login crypto:SDR slot status is 5 crypto-SDR.js:174
Flags: needinfo?(chkr)
Thanks a lot!

(In reply to Christian Krause from comment #2)
> IPv6:
> observer notified for form submission. LoginManagerContent.jsm:44
> Couldn't parse origin for http://2001:0DB8::1 LoginManagerContent.jsm:1179
> TypeError: http://2001:0DB8::1 is not a valid URL.

This seems to be the problem.
The problem is that nsIURI.host doesn't include the square brackets around the IPv6 address (I guess because it's assumed it won't be used with a port?) whereas hostPort does the right thing.

http://hg.mozilla.org/mozilla-central/diff/f169b5d66bc8/toolkit/components/passwordmgr/src/nsLoginManager.js changed from .hostPort to .host due to bug 396316 comment 20 but that problem has since been fixed:

> Services.io.newURI("http://user@[2001:470:1:18::119]:80/foo/", null, null).hostPort
> > "[2001:470:1:18::119]"
> Services.io.newURI("http://user@[2001:470:1:18::119]:81/foo/", null, null).hostPort
> > "[2001:470:1:18::119]:81"
> Services.io.newURI("http://user@[2001:470:1:18::119]/foo/", null, null).port
> > -1

I've been wanting to clean up this code to use .hostPort for a while anyways…
Assignee: nobody → MattN+bmo
Blocks: 396316
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
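
The difference between the two accessors described in the comment above, as an added example that is not part of the original bug report or of the Firefox patch. It emulates nsIURI.host and nsIURI.hostPort with the standard WHATWG URL class (which lowercases and compresses IPv6 literals); the function names and the exact shape of the failing origin builder are assumptions.

```javascript
// Added example, not Firefox code. nsIURI is emulated with the standard
// WHATWG URL class; all function names here are hypothetical.

// Emulates nsIURI.host as described in the comment: IPv6 literal, no brackets.
function bareHost(spec) {
  return new URL(spec).hostname.replace(/^\[|\]$/g, "");
}

// Emulates nsIURI.hostPort: brackets kept, port present only if non-default.
function hostPort(spec) {
  return new URL(spec).host;
}

// Assumed shape of the failing pattern: scheme + "://" + bracket-less host,
// plus the port when one is set.
function originFromHost(spec) {
  const u = new URL(spec);
  const host = bareHost(spec);
  return `${u.protocol}//${u.port ? `${host}:${u.port}` : host}`;
}

// The pattern the comment proposes: build the origin from hostPort.
function originFromHostPort(spec) {
  return `${new URL(spec).protocol}//${hostPort(spec)}`;
}

// True if the string can be parsed back into a URL.
function parses(s) {
  try { new URL(s); return true; } catch (e) { return false; }
}

function compareOrigins(spec) {
  const viaHost = originFromHost(spec);
  const viaHostPort = originFromHostPort(spec);
  return { viaHost, viaHostOk: parses(viaHost),
           viaHostPort, viaHostPortOk: parses(viaHostPort) };
}

// URLs taken from the bug report and the comment above.
for (const spec of ["http://127.0.0.1/test.html",
                    "http://[2001:0DB8::1]/test.html",
                    "http://user@[2001:470:1:18::119]:81/foo/"]) {
  console.log(spec, compareOrigins(spec));
}
```

For the IPv4 URL both builders produce the same parseable origin, which is why only the IPv6 case lost the saved login.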
Bug 1216986 - Fix usage of nsIURI.host in password manager and prompt code to support IPv6. r=dolske,liuche,kanru
Attachment #8691777 - Flags: review?(liuche)
Attachment #8691777 - Flags: review?(kchen)
Attachment #8691777 - Flags: review?(dolske)
Attachment #8691777 - Flags: review?(kchen) → review+
Comment on attachment 8691777 [details]
MozReview Request: Bug 1216986 - Fix usage of nsIURI.host in password manager and prompt code to support IPv6. r=dolske,liuche,kanru

https://reviewboard.mozilla.org/r/26185/#review23567
I just tested the submitted patch: Both of my use cases (IPv4 and IPv6) work without any problems now. Thank you very much!
Comment on attachment 8691777 [details]
MozReview Request: Bug 1216986 - Fix usage of nsIURI.host in password manager and prompt code to support IPv6. r=dolske,liuche,kanru

https://reviewboard.mozilla.org/r/26185/#review23631
Attachment #8691777 - Flags: review?(dolske) → review+
Comment on attachment 8691777 [details]
MozReview Request: Bug 1216986 - Fix usage of nsIURI.host in password manager and prompt code to support IPv6. r=dolske,liuche,kanru

The Android parts look good to me!
Attachment #8691777 - Flags: review?(liuche) → review+
https://hg.mozilla.org/mozilla-central/rev/30f9c10a9e5b
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45