Open Bug 338917 Opened 19 years ago Updated 2 years ago

network.negotiate-auth.trusted-uris user_pref broken

Categories

(Firefox :: Settings UI, defect)

Product:
Firefox
Component:
Settings UI
Version:
3.6 Branch
Type:
defect

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: mba2000, Unassigned)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1 If you use something like the following user_pref: user_pref("network.negotiate-auth.trusted-uris", "foo.net,https://foo.bar"); and you're accessing a site in the foo.net domain the HttpNegotiateAuth extension does not attempt to perform WWW-Authenticate: Negotiate authentication. If you use just 'foo.net' it works. The code in question is here: http://lxr.mozilla.org/seamonkey/source/extensions/auth/nsHttpNegotiateAuth.cpp#390 At first, I thought I spotted it right away: 431 const char *end = matchHost.EndReading(); 432 if (PL_strncasecmp(end - hostLen, hostStart, hostLen) == 0) { 433 // if matchHost ends with host from the base URI, then make sure it is 434 // either an exact match, or prefixed with a dot. we don't want 435 // "foobar.com" to match "bar.com" 436 if (matchHost.Length() == hostLen || 437 *(end - hostLen) == '.' || 438 *(end - hostLen - 1) == '.') 439 return PR_TRUE; This says the needle must match the haystack exactly or begin with a '.' or the character preceeding the first character must be a '.'. But I tried: foo.net,https://.foo.bar and it still didn't work. So I'm not sure what the problem. Note you have to restart the browser after editing prefs.js. Also, in searching bugzilla I've seen a number of references to this bug that don't quite identify the problem. Meaning there's one about wildcards not working (yeah, no wildcards at work here [1]) and another about Kerberos being broken when in fact it was actually just this bug. Mike [1] Here's a super simple but suprisingly correct dos style '*' and '?' wildcard matching function: http://www.codeproject.com/string/wildcmp.asp Reproducible: Always
Reporter, do you still see this problem with the latest Firefox 2? If not, can you please close this bug as WORKSFORME. Thanks!
Version: unspecified → 1.5.0.x Branch
Though I'm not the original reporter, this fails for me in FF 2.0.0.14 (both Windows and Mac). There doesn't seem to be a way to use a generic URI and "https://".
This bug was originally reported on Firefox 2.x or older, which is no longer supported and will not be receiving any more updates. I strongly suggest that you update to Firefox 3.6.6 or later, update your plugins (flash, adobe, etc.), and retest in a new profile. If you still see the issue with the updated Firefox, please post here. Otherwise, please close as RESOLVED > WORKSFORME http://www.mozilla.com http://support.mozilla.com/kb/Managing+profiles http://support.mozilla.com/kb/Safe+mode
Whiteboard: [CLOSEME 2010-07-30]
I can confirm that this bug is still present in 3.6.6 (Ubuntu) The bug is actually pretty simple. In http://mxr.mozilla.org/firefox/source/extensions/auth/nsHttpNegotiateAuth.cpp you have: 389 PRBool 390 nsHttpNegotiateAuth::MatchesBaseURI(const nsCSubstring &matchScheme, 391 const nsCSubstring &matchHost, 392 PRInt32 matchPort, 393 const char *baseStart, 394 const char *baseEnd) 395 { 396 // check if scheme://host:port matches baseURI 397 398 // parse the base URI 399 const char *hostStart, *schemeEnd = strstr(baseStart, "://"); So you get everything before // as the protocol. in the same file: 335 PRBool 336 nsHttpNegotiateAuth::TestPref(nsIURI *uri, const char *pref) ... 368 char *start = hostList, *end; 369 for (;;) { 370 // skip past any whitespace 371 while (*start == ' ' || *start == '\t') 372 ++start; 373 end = strchr(start, ','); 374 if (!end) 375 end = start + strlen(start); 376 if (start == end) 377 break; 378 if (MatchesBaseURI(scheme, host, port, start, end)) 379 return PR_TRUE; 380 if (*end == '\0') 381 break; 382 start = end + 1; 383 } Note that it passes the end pointer, but the first function's strstr doesn't use it. So for an input like "foo.com, https://" the first function receives the whole line and decides that the protocol substring is "foo.com, https://" (Everything before the //) The workaround is simple, just enter "http://foo.com, https://foo.com, https://". The fix should be simple too: 373 end = strchr(start, ','); 374 if (!end) 375 end = start + strlen(start); 376 if (start == end) 377 break; 387.1 + bool last = (*end == '\0'); 387.2 + *end = 0; 378 if (MatchesBaseURI(scheme, host, port, start, end)) 379 return PR_TRUE; 380 ! if (last) 381 break; 382 start = end + 1; 383 } That is, make sure to pass a single URI to the match function.
Whiteboard: [CLOSEME 2010-07-30]
Version: 1.5.0.x Branch → 3.6 Branch
Severity: normal → S3

Using Okta as a SSO engine, Firefox before 118 version update was able to successfully logged in via our SSO policy with the urls entered in network.negotiate-auth.trusted-uris setting. Version 118 and onwards it does not work, but conitnues to work with Chrome. So we are assuming there is handoff bug in here somewhere..

You need to log in before you can comment on or make changes to this bug.