Open Bug 1219282 Opened 10 years ago Updated 3 years ago

Auth required popup is shown for unknown digest algorithms (SHA-256)

Categories

(Core :: Networking, defect, P3)

45 Branch
Unspecified
macOS
defect


UNCONFIRMED

People

(Reporter: teun, Unassigned)

Details

(Whiteboard: [necko-backlog])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7

Steps to reproduce:

If a webserver returns a header like this:

WWW-Authenticate: Digest realm="MyRealm",qop="auth",algorithm=SHA-256,nonce="MyNonce",charSet=UTF-8

Then Firefox will show the normal "Authentication Required" popup dialog where username and password credentials can be entered.

Actual results:

If you fill in the credentials and press enter in that popup there is no more request to the server and the 401 UNAUTHORIZED error is shown.

Expected results:

Firefox should determine the Digest algorithm from the response headers before showing the popup. If the algorithm is unknown to Fx, don't bother showing the credentials popup.
The 5 lines of code in this patch are copied from lines 253 to 257 (after patch is applied). ParseChallenge() now also returns NS_ERROR_NOT_IMPLEMENTED when an unknown algorithm is encountered.
Hi, Please download the latest Firefox Nightly from here: https://nightly.mozilla.org/ and retest the problem. If you can reproduce please attach the exact steps to reproduce this.
Just tested with 45.0a1 (2015-11-11) for Mac, no improvement.

Step 1: install a local version of httpbin:
- Open up a console
- `git clone https://github.com/Jaaap/httpbin.git && cd httpbin`
- `./test_httpbin.py`
- Install any missing python modules like six, werkzeug, flask and decorator
- `export PYTHONPATH="~/python-progs:$PYTHONPATH"`
- `python setup.py develop --prefix=~/python-progs`
- `python -m httpbin.core`

Step 2: open httpbin in Fx:
- Start Fx
- Navigate to http://127.0.0.1:5000/
- Observe that httpbin works
- Navigate to http://127.0.0.1:5000/digest-auth/auth/user/passwd/SHA-256
- Observe that Fx opens a popup asking for credentials. This is wrong.

Step 3: (optional) sniff http traffic at port 5000
- Use a network monitor to observe that entering credentials does not cause a subsequent http request.
Component: Untriaged → Security: PSM
OS: Unspecified → Mac OS X
Product: Firefox → Core
Version: 41 Branch → 45 Branch
Component: Security: PSM → Networking
Whiteboard: [necko-backlog]
I have the same problem with Firefox in Version 45.2 on both Android and Linux. This bug is even more annoying when the server sends multiple WWW-Authenticate entries, one for SHA-256 and one with MD5 for compatibility with legacy clients that haven't implemented RFC 7616 so far: the user is asked twice for her credentials but only one new request with the MD5 digest is sent. By the way: I would be really happy to see Firefox supporting RFC 7616, which provides a much more secure Digest authentication and still remains compatible with the obsolete RFC 2617.
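The behaviour the reporter asks for (determine the Digest algorithm before prompting for credentials) and the two-challenge case described in the previous comment, as an added Python example that is not part of this bug or of the Firefox patch attached to it. It assumes a hypothetical client that implements only MD5 and SHA-256 with qop=auth, receives each WWW-Authenticate challenge as a separate header value (it does not split several challenges joined in one header), and uses the RFC 7616 section 3.9.1 test vectors to check the response computation; the function names are the example's own.

```python
"""Client-side handling of a Digest challenge, as discussed in this bug:
decide whether the algorithm is one we can compute *before* asking the user
for credentials, and only then build the Authorization response.
Example code, not Firefox's necko implementation."""
import hashlib
import re
import secrets
from typing import Optional

# Algorithms this hypothetical client implements, keyed by the RFC 7616
# algorithm token.  The "-sess" variants are left out on purpose so the
# rejection path below is exercised.
SUPPORTED_ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

# key=value or key="quoted value" pairs inside one Digest challenge
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_digest_challenge(header_value: str) -> Optional[dict]:
    """Parse a single WWW-Authenticate value; None if it is not a Digest challenge."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    return {m.group(1).lower(): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in _PARAM_RE.finditer(params)}


def select_challenge(header_values):
    """Pick the first Digest challenge whose algorithm we can compute.

    Returns ("OK", challenge), ("NOT_IMPLEMENTED", None) when every Digest
    challenge names an algorithm we lack (the case this bug is about), or
    ("NO_DIGEST", None) when no Digest challenge was offered at all.
    Only an "OK" result should lead to a credentials prompt; a client that
    prompts first, as the reporter observed, collects a password it cannot use.
    """
    saw_digest = False
    for value in header_values:
        challenge = parse_digest_challenge(value)
        if challenge is None:
            continue
        saw_digest = True
        # RFC 7616 section 3.3: algorithm defaults to MD5 when absent;
        # the token is matched case-insensitively here (an assumption).
        algorithm = challenge.get("algorithm", "MD5").upper()
        if algorithm in SUPPORTED_ALGORITHMS:
            challenge["algorithm"] = algorithm
            return "OK", challenge
    return ("NOT_IMPLEMENTED" if saw_digest else "NO_DIGEST"), None


def digest_response(challenge, method, uri, username, password,
                    cnonce=None, nc=1):
    """Compute the qop=auth response for a selected challenge (RFC 7616 section 3.4).

    Assumes the challenge's qop list includes "auth".
    Returns (response_hex, authorization_header_value).
    """
    hash_ctor = SUPPORTED_ALGORITHMS[challenge["algorithm"]]

    def H(data: str) -> str:
        return hash_ctor(data.encode("utf-8")).hexdigest()

    realm, nonce = challenge["realm"], challenge["nonce"]
    cnonce = cnonce or secrets.token_hex(16)
    nc_hex = f"{nc:08x}"
    a1 = f"{username}:{realm}:{password}"          # non "-sess" A1
    a2 = f"{method}:{uri}"                         # qop=auth A2
    response = H(f"{H(a1)}:{nonce}:{nc_hex}:{cnonce}:auth:{H(a2)}")
    fields = [
        f'username="{username}"', f'realm="{realm}"', f'nonce="{nonce}"',
        f'uri="{uri}"', f'algorithm={challenge["algorithm"]}', "qop=auth",
        f"nc={nc_hex}", f'cnonce="{cnonce}"', f'response="{response}"',
    ]
    if "opaque" in challenge:
        fields.append(f'opaque="{challenge["opaque"]}"')
    return response, "Digest " + ", ".join(fields)


if __name__ == "__main__":
    # The header from the bug report (SHA-256 is supported by this client)
    print(select_challenge(['Digest realm="MyRealm",qop="auth",algorithm=SHA-256,'
                            'nonce="MyNonce",charSet=UTF-8']))
    # Constructed variant naming an algorithm this client lacks: no prompt
    print(select_challenge(['Digest realm="MyRealm",qop="auth",algorithm=SHA-512-256,'
                            'nonce="MyNonce"']))
```

With two challenges, the selection walks them in the server's order and stops at the first supported one, so a SHA-256 client picks SHA-256 when it is offered first and falls back to MD5 only when every stronger challenge is unusable; the user is prompted once either way.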
Priority: -- → P1
Priority: P1 → P3
Severity: normal → S3