Bug 313856 - Image properties show used password in clear text
Status: NEW
Keywords: privacy
Product: Firefox
Classification: Client Software
Component: Security
Version: Trunk
Platform: All All
Importance: -- major with 1 vote
Assigned To: Daniel Veditz [:dveditz]
URL: http://user:password@www.google.com/
Blocks: 130327

Reported: 2005-10-26 02:32 PDT by Manuel Strehl
Modified: 2011-02-04 00:31 PST

Description Manuel Strehl 2005-10-26 02:32:36 PDT
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20051004 Firefox/1.0.4 (Debian package 1.0.4-2sarge5-rex1)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20051004 Firefox/1.0.4 (Debian package 1.0.4-2sarge5-rex1)

If you log in using the HTTP-Request method, the "user:pwd@" part is hidden in the navigation bar. But if you look at the properties of an element within the site (e.g. an <img>) you see in the location field the password in clear text.

This is very serious in case you log in to a page and then let someone else just navigate a bit.

Reproducible: Always

Steps to Reproduce:
1. Go to any page with HTTP-Request
2. Right-click on a picture, select "properties"
3. The field "location" shows the full URL: http://user:pwd@www.example.com/test.png

Actual Results:  
Nothing, I hope!

Expected Results:  
Not show the password at all. The location should be something like
http://www.example.com/test.png

Comment 1 Manuel Strehl 2005-10-26 07:53:17 PDT
Update:

This bug only appears if you log in by explicitly typing the domain, e.g. typing http://user:pwd@example.com into the location bar.

Comment 2 Daniel Veditz [:dveditz] 2005-10-26 08:38:50 PDT
Known issue, there must be a dupe somewhere.

Comment 3 Daniel Veditz [:dveditz] 2005-10-26 08:43:22 PDT
Sorry, not networking -- this could be resolved in the various properties dialogs by using FixupURI. Back to Firefox UI.

Comment 4 Jesse Ruderman 2005-10-26 20:10:44 PDT
Confirmed using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051026 Firefox/1.5.

Is there a general solution that doesn't require remembering to use FixupURI everywhere URLs are displayed?  What would break if the URL of the loaded page didn't have username:password in it?  What else does FixupURI do?

Comment 5 Josh Triplett 2011-02-04 00:31:59 PST
Still appears present in Firefox 4 betas.
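
Added example (not part of the bug report and not Firefox code): a sketch of removing the `user:pwd@` part at the point where a URL is turned into display text, using the standard WHATWG `URL` class rather than FixupURI. It goes slightly beyond the reported case by showing that relative image sources inherit the page's credentials when resolved; `forDisplay`, `locationFields` and the sample page are assumptions made for illustration.

```javascript
// Added illustration; forDisplay and locationFields are hypothetical names,
// not Firefox functions. Uses only the standard WHATWG URL class.

// Resolve `raw` against `base` and return the text a dialog could show,
// with any user:password@ part removed. Unparseable input is passed through.
function forDisplay(raw, base) {
  let url;
  try {
    url = new URL(raw, base);
  } catch (e) {
    return { text: raw, hadCredentials: false };
  }
  const hadCredentials = url.username !== "" || url.password !== "";
  // For URLs that cannot carry credentials (e.g. mailto:, data:) these
  // setters are no-ops, so such URLs come back unchanged.
  url.username = "";
  url.password = "";
  return { text: url.href, hadCredentials };
}

// Constructed sample: a page opened with credentials in its URL, and the
// src attributes of three images on it.
const PAGE = "http://user:pwd@www.example.com/gallery/";
const SOURCES = ["test.png", "/img/logo.png", "http://cdn.example.net/a.png"];

// One "location" field per image, as a properties dialog would list them.
function locationFields(pageUrl, sources) {
  return sources.map((src) => forDisplay(src, pageUrl));
}

for (const field of locationFields(PAGE, SOURCES)) {
  console.log(field.hadCredentials ? "stripped " : "unchanged", field.text);
}
```

The two same-origin images pick up `user:pwd@` from the page URL during resolution, while the absolute URL on another host does not, so the stripping has to happen on the resolved URL and not on the `src` attribute text.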