FTP triggers undismissable auth prompts
Categories
(Firefox :: Security, defect, P1)
Tracking
()
People
(Reporter: asoncutean, Assigned: johannh)
References
Details
(Keywords: csectype-dos, sec-low, Whiteboard: [post-critsmash-triage][adv-main66+])
Attachments
(2 files)
2.76 MB,
image/gif
|
Details | |
47 bytes,
text/x-phabricator-request
|
lizzard
:
approval-mozilla-beta+
|
Details | Review |
[Affected versions]:
- 67.0a1 (2019-02-04)
- 66.0b5 (20190204181317)
- 65.0 (20190124174741)
[Affected platforms]:
- Windows 10 x64
[Steps to reproduce]:
- Setup a simple FTP server
- Use the following test case
- Access the above test case via FTP server
[Expected result]:
- The auth prompt should not be displayed once more.
[Actual result]:
- Auth prompt is successively displayed, without any means to be dismissed.
[Regression range]:
- Not a regression, I can see this issue way back to Fx 31.0a1.
[Additional Notes]:
- Firefox can’t be escaped, only by ending its process.
- This behavior is not reproducible on Chrome.
- In order to create the FTP server, I used FileZilla.
Reporter | ||
Updated•6 years ago
|
Updated•6 years ago
|
Comment 1•6 years ago
|
||
FWIW, I don't understand, off-hand, why the auth prompts from FTP aren't being subjected to the same limits we added for http auth prompts. I'm assuming it's the same dialog. Hopefully Johann knows?
Assignee | ||
Comment 2•6 years ago
|
||
Pretty sure this is because we base it on the hostname. I can reproduce and will fix it later.
Assignee | ||
Updated•6 years ago
|
Comment 3•6 years ago
|
||
ftp urls have hostnames and origins.
Assignee | ||
Comment 4•6 years ago
|
||
Yeah, I think it's more because of the localhost part. We might still want to fix it.
Assignee | ||
Comment 5•6 years ago
|
||
Ok, Dan is right this is not related to hostname issues, but because we seem to take a different code path for prompting with ftp: https://searchfox.org/mozilla-central/source/netwerk/protocol/ftp/nsFtpConnectionThread.cpp#758
Gah.
Comment 6•6 years ago
|
||
See also bug 565582 comment 0. The auth prompt story is messy.
Comment 7•6 years ago
|
||
(In reply to Johann Hofmann [:johannh] from comment #5)
Ok, Dan is right this is not related to hostname issues, but because we seem to take a different code path for prompting with ftp: https://searchfox.org/mozilla-central/source/netwerk/protocol/ftp/nsFtpConnectionThread.cpp#758
Gah.
Could we move FTP over to use the same stuff as HTTP? Presumably the mChannel reference here could be used to find the loadgroup and document / tabchild etc.
Comment hidden (off-topic) |
Comment hidden (off-topic) |
Comment hidden (off-topic) |
Assignee | ||
Comment 11•6 years ago
|
||
This also changes the name of 'canceledAuthenticationPromptCounter' to account for the
fact that we no longer count up when the prompt was cancelled, but when it was shown.
Assignee | ||
Comment 12•6 years ago
|
||
![]() |
||
Comment 13•6 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/6933acee1ad9aba811d05eb9d820d9397f45bd2a
https://hg.mozilla.org/mozilla-central/rev/6933acee1ad9
Assignee | ||
Comment 14•6 years ago
|
||
Considering that this is really just an extension of bug 377496 and they were both fixed in the same release, we can probably unhide this. Do you agree, Dan?
Comment 15•6 years ago
|
||
(In reply to Johann Hofmann [:johannh] from comment #14)
Considering that this is really just an extension of bug 377496 and they were both fixed in the same release, we can probably unhide this. Do you agree, Dan?
bug 1523249 is still hidden though, and this fix is related. It's probably too late to upload all the auth fixes to 66, but I'd be more comfortable holding off on opening this up for a bit...
Assignee | ||
Comment 16•6 years ago
|
||
(In reply to :Gijs (he/him) from comment #15)
(In reply to Johann Hofmann [:johannh] from comment #14)
Considering that this is really just an extension of bug 377496 and they were both fixed in the same release, we can probably unhide this. Do you agree, Dan?
bug 1523249 is still hidden though, and this fix is related. It's probably too late to upload all the auth fixes to 66, but I'd be more comfortable holding off on opening this up for a bit...
Ok, fair enough, I think you're right. Let's keep it hidden for now.
Comment 17•6 years ago
|
||
(In reply to :Gijs (he/him) from comment #9)
I expect you could reproduce this issue if you hosted the html page on http:, but sourced images over ftp:.
No, we disabled that in Firefox 61 (bug 1404744).
Comment 18•6 years ago
|
||
Should this (and bug 377496) be nominated for Beta uplift?
Assignee | ||
Comment 19•6 years ago
|
||
Asked for uplift in the other bug, do you need another request in this bug?
Assignee | ||
Comment 21•6 years ago
|
||
Comment on attachment 9047668 [details]
Bug 1525267 - Move auth prompt rate limiting to nsIAuthPrompt2.promptAuth. r=MattN
Beta/Release Uplift Approval Request
- Feature/Bug causing the regression: None
- User impact if declined: Protections introduced in bug 377496 can be worked around by using FTP
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: See comment 0, also, we should check that HTML basic auth sites are still working as expected.
- List of other uplifts needed: Bug 377496
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): This is basically just moving some code that has well baked in bug 377496 and we have tests for the http variant, but it still hasn't baked a lot on Nightly
- String changes made/needed: None
Comment 22•6 years ago
|
||
Comment on attachment 9047668 [details]
Bug 1525267 - Move auth prompt rate limiting to nsIAuthPrompt2.promptAuth. r=MattN
Uplift along with the patch in bug 377496.
![]() |
||
Comment 23•6 years ago
|
||
Updated•6 years ago
|
Updated•6 years ago
|
Reporter | ||
Comment 24•6 years ago
|
||
I can confirm that this issue is fixed (also checked several HTML basic auth sites) on Windows 10 x64 with 66.0b14 and 67.0a1(2019-03-07).
Assignee | ||
Comment 25•6 years ago
|
||
Awesome, thanks!
Updated•6 years ago
|
Updated•6 years ago
|
Updated•5 years ago
|
Description
•