Bug 186695: [FIX]FTP/HTTP password printed as part of URL
Status: RESOLVED FIXED (opened 22 years ago, closed 20 years ago)
Categories: Core :: Printing: Output, defect, P1
Target Milestone: mozilla1.8beta2
People: Reporter: mozilla, Assigned: bzbarsky
References: Blocks 1 open bug
Attachments: 1 file (patch, 1.83 KB; jst: review+, darin.moz: superreview+)
When a password-protected FTP or HTTP resource is accessed via the
ftp://user:password@host/ method, and then printed, the password is printed as
part of the URL. This creates a security risk, as the user does not notice that
his or her password is printed along with the page, and may share or submit the
hardcopy (with the password) to an untrusted third party.
Steps to reproduce:
1. Go to a ftp://user:password@host/dir/file URL.
2. Print the file (or do a print preview).
3. See the password in the printed page.
Expected results:
Password is masked or removed entirely.
Actual results:
Secret password revealed in printed material.
Comment 1 • 22 years ago
Bug 88771 and bug 130327 are related.
Comment 2 • 22 years ago
nsbeta1+
-> jkeiser
Comment 3 • 22 years ago (Reporter)
Can someone point me to the code which deals with putting the URL on the printed
page?
Comment 4 • 21 years ago
Confirming in 1.4.1/1.5 release versions / win32.
Comment 5 • 20 years ago
This bug seems to still be present in Mozilla Firefox 1.0 Win
Comment 6 • 20 years ago
My guess is that the code that would need to be changed lies in:
http://lxr.mozilla.org/mozilla/source/layout/printing/nsPrintEngine.cpp#2077
Comment 7 • 20 years ago
*** Bug 278513 has been marked as a duplicate of this bug. ***
Comment 8 • 20 years ago
Bug 280438 is similar and is blocking aviary1.1
Flags: blocking1.8b?
Flags: blocking-aviary1.1?
Comment 9 • 20 years ago
(In reply to comment #6)
> http://lxr.mozilla.org/mozilla/source/layout/printing/nsPrintEngine.cpp#2077
Alternatively, we can fix two implementations of them. Are ftp and http(s) the
only schemes we have to worry about?
too late for 1.8b1, but we should get this for 1.8b2.
Flags: blocking1.8b?
Flags: blocking1.8b2+
Flags: blocking1.8b-
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.1+
Comment 11 • 20 years ago
it seems that there are 3 situations. if u put the username and password in the
address bar, the username and password shows up at the top of the printed page.
if u only put the username in the address bar and fill in the alert box with ur
password, only ur username appears on the printed page. if u put neither in the
address bar and fill in the alert box with both, neither appear at the top of
the printed page.
so it's not putting ur username and password at the top.. per se. it's just
putting whatever u put in the address bar. temporary fix, don't put ur username
and password in the address bar. just fill in the alert box.
Comment 12 • 20 years ago (Assignee)
Assignee: john → bzbarsky
Status: NEW → ASSIGNED
Attachment #177401 - Flags: superreview?(darin)
Attachment #177401 - Flags: review?(jst)
Updated • 20 years ago (Assignee)
Summary: FTP/HTTP password printed as part of URL → [FIX]FTP/HTTP password printed as part of URL
Target Milestone: mozilla1.4alpha → mozilla1.8beta2
Updated • 20 years ago
Attachment #177401 - Flags: superreview?(darin) → superreview+
Comment 13 • 20 years ago
Comment on attachment 177401
Simple fix
r=jst
Attachment #177401 - Flags: review?(jst) → review+
Comment 14 • 20 years ago (Assignee)
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Comment 15 • 20 years ago
*** Bug 292876 has been marked as a duplicate of this bug. ***
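
An added example, not the patch attached to this bug and not Mozilla code: one way to remove the userinfo from a URL before it is placed in a print header or footer, applied to any `scheme://` URL rather than only ftp and http(s). The function name `StripUserInfo` and the sample URLs are assumptions made for illustration, and this version drops the username along with the password.

```cpp
#include <iostream>
#include <string>

// Hypothetical helper (not Mozilla code): returns `url` with any
// "user[:password]@" userinfo removed from its authority component.
std::string StripUserInfo(const std::string& url) {
    const std::string::size_type npos = std::string::npos;
    // Only "scheme://authority..." URLs can carry userinfo.
    const std::string::size_type schemeEnd = url.find("://");
    if (schemeEnd == npos || schemeEnd == 0) return url;
    // A '/', '?' or '#' before "://" means the "://" is not the scheme
    // separator (for example a URL embedded in a mailto: query string).
    if (url.find_first_of("/?#") < schemeEnd) return url;
    const std::string::size_type authStart = schemeEnd + 3;
    // The authority ends at the first '/', '?' or '#', or at end of input.
    std::string::size_type authEnd = url.find_first_of("/?#", authStart);
    if (authEnd == npos) authEnd = url.size();
    // Userinfo ends at the LAST '@' inside the authority, so a password
    // that itself contains '@' is removed whole.
    const std::string::size_type at = url.rfind('@', authEnd);
    if (at == npos || at < authStart) return url;  // no userinfo present
    return url.substr(0, authStart) + url.substr(at + 1);
}

int main() {
    // Constructed sample URLs covering the cases discussed in this bug.
    const char* samples[] = {
        "ftp://user:password@host/dir/file",
        "ftp://user@host/dir/file",
        "http://host/dir/file",
        "http://user:p@ss@host/",
        "http://host/a@b",
    };
    for (const char* s : samples)
        std::cout << s << " -> " << StripUserInfo(s) << "\n";
    return 0;
}
```

An '@' that appears only in the path or query is left alone, because the search for userinfo stops at the end of the authority.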