Image properties show used password in clear text

NEW
Assigned to

Status

()

Firefox
Security
--
major
12 years ago
6 years ago

People

(Reporter: Manuel Strehl, Assigned: dveditz)

Tracking

(Blocks: 1 bug, {privacy})

Trunk
privacy
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20051004 Firefox/1.0.4 (Debian package 1.0.4-2sarge5-rex1)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20051004 Firefox/1.0.4 (Debian package 1.0.4-2sarge5-rex1)

If you log in using the HTTP-Request method, the "user:pwd@" part is hidden in the navigation bar. But if you look at the properties of an element within the site (e.g. an <img>) you see in the location field the password in clear text.

This is very serious in case you log in to a page and then let someone else just navigate a bit.

Reproducible: Always

Steps to Reproduce:
1. Go to any page with HTTP-Request
2. Click with right on a picture, select "properties"
3. The field "location" shows the full URL: http://user:pwd@www.example.com/test.png

Actual Results:  
Nothing, I hope!

Expected Results:  
Not show the password at all. The location should be sth. like
http://www.example.com/test.png
(Reporter)

Comment 1

12 years ago
Update:

This bug only appears, if you log in by explicitly typing the domain, e.g. typing http://user:pwd@example.com, to the location bar.
(Assignee)

Comment 2

12 years ago
Known issue, there must be a dupe somewhere
Assignee: nobody → darin
Group: security
Status: UNCONFIRMED → NEW
Component: Security → Networking: HTTP
Ever confirmed: true
Keywords: privacy
Product: Firefox → Core
QA Contact: firefox → networking.http
Whiteboard: DUPEME
Version: unspecified → Trunk
(Assignee)

Comment 3

12 years ago
sorry, not networking -- this could be resolved in the various properties dialogs by using FixupURI. Back to Firefox UI
Assignee: darin → dveditz
Blocks: 130327
Component: Networking: HTTP → Security
Product: Core → Firefox
Whiteboard: DUPEME
OS: Linux → All
QA Contact: networking.http → firefox

Comment 4

12 years ago
Confirmed using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051026 Firefox/1.5.

Is there a general solution that doesn't require remembering to use FixupURI everywhere URLs are displayed?  What would break if the URL of the loaded page didn't have username:password in it?  What else does FixupURI do?

Comment 5

6 years ago
Still appears present in Firefox 4 betas.
You need to log in before you can comment on or make changes to this bug.