Closed
Bug 313856
Opened 19 years ago
Closed 3 years ago
Image properties show used password in clear text
Categories
(Firefox :: Security, defect)
Firefox
Security
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: bugzilla, Assigned: dveditz)
References
()
Details
(Keywords: privacy)
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20051004 Firefox/1.0.4 (Debian package 1.0.4-2sarge5-rex1) Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20051004 Firefox/1.0.4 (Debian package 1.0.4-2sarge5-rex1) If you log in using the HTTP-Request method, the "user:pwd@" part is hidden in the navigation bar. But if you look at the properties of an element within the site (e.g. an <img>) you see in the location field the password in clear text. This is very serious in case you log in to a page and then let someone else just navigate a bit. Reproducible: Always Steps to Reproduce: 1. Go to any page with HTTP-Request 2. Click with right on a picture, select "properties" 3. The field "location" shows the full URL: http://user:pwd@www.example.com/test.png Actual Results: Nothing, I hope! Expected Results: Not show the password at all. The location should be sth. like http://www.example.com/test.png
Reporter | ||
Comment 1•19 years ago
|
||
Update: This bug only appears, if you log in by explicitly typing the domain, e.g. typing http://user:pwd@example.com, to the location bar.
Assignee | ||
Comment 2•19 years ago
|
||
Known issue, there must be a dupe somewhere
Assignee: nobody → darin
Group: security
Status: UNCONFIRMED → NEW
Component: Security → Networking: HTTP
Ever confirmed: true
Keywords: privacy
Product: Firefox → Core
QA Contact: firefox → networking.http
Whiteboard: DUPEME
Version: unspecified → Trunk
Assignee | ||
Comment 3•19 years ago
|
||
sorry, not networking -- this could be resolved in the various properties dialogs by using FixupURI. Back to Firefox UI
Assignee: darin → dveditz
Blocks: 130327
Component: Networking: HTTP → Security
Product: Core → Firefox
Whiteboard: DUPEME
Updated•19 years ago
|
OS: Linux → All
QA Contact: networking.http → firefox
Comment 4•19 years ago
|
||
Confirmed using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051026 Firefox/1.5. Is there a general solution that doesn't require remembering to use FixupURI everywhere URLs are displayed? What would break if the URL of the loaded page didn't have username:password in it? What else does FixupURI do?
Comment 5•13 years ago
|
||
Still appears present in Firefox 4 betas.
Comment 6•3 years ago
|
||
Hey Manuel,
Can you still reproduce this issue or should we close it?
Flags: needinfo?(bugzilla)
Reporter | ||
Comment 7•3 years ago
|
||
I’ve tested it quickly locally, and as far as I can tell the problem seams to be fixed. Thank you for checking!
Flags: needinfo?(bugzilla)
Comment 8•3 years ago
|
||
Closing this as Resolved > Worksforme based on the last comment.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•