Open
Bug 338917
Opened 18 years ago
Updated 7 months ago
network.negotiate-auth.trusted-uris user_pref broken
Categories
(Firefox :: Settings UI, defect)
Tracking
()
UNCONFIRMED
People
(Reporter: mba2000, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1 If you use something like the following user_pref: user_pref("network.negotiate-auth.trusted-uris", "foo.net,https://foo.bar"); and you're accessing a site in the foo.net domain the HttpNegotiateAuth extension does not attempt to perform WWW-Authenticate: Negotiate authentication. If you use just 'foo.net' it works. The code in question is here: http://lxr.mozilla.org/seamonkey/source/extensions/auth/nsHttpNegotiateAuth.cpp#390 At first, I thought I spotted it right away: 431 const char *end = matchHost.EndReading(); 432 if (PL_strncasecmp(end - hostLen, hostStart, hostLen) == 0) { 433 // if matchHost ends with host from the base URI, then make sure it is 434 // either an exact match, or prefixed with a dot. we don't want 435 // "foobar.com" to match "bar.com" 436 if (matchHost.Length() == hostLen || 437 *(end - hostLen) == '.' || 438 *(end - hostLen - 1) == '.') 439 return PR_TRUE; This says the needle must match the haystack exactly or begin with a '.' or the character preceeding the first character must be a '.'. But I tried: foo.net,https://.foo.bar and it still didn't work. So I'm not sure what the problem. Note you have to restart the browser after editing prefs.js. Also, in searching bugzilla I've seen a number of references to this bug that don't quite identify the problem. Meaning there's one about wildcards not working (yeah, no wildcards at work here [1]) and another about Kerberos being broken when in fact it was actually just this bug. Mike [1] Here's a super simple but suprisingly correct dos style '*' and '?' wildcard matching function: http://www.codeproject.com/string/wildcmp.asp Reproducible: Always
Comment 1•17 years ago
|
||
Reporter, do you still see this problem with the latest Firefox 2? If not, can you please close this bug as WORKSFORME. Thanks!
Version: unspecified → 1.5.0.x Branch
Comment 2•16 years ago
|
||
Though I'm not the original reporter, this fails for me in FF 2.0.0.14 (both Windows and Mac). There doesn't seem to be a way to use a generic URI and "https://".
Comment 3•14 years ago
|
||
This bug was originally reported on Firefox 2.x or older, which is no longer supported and will not be receiving any more updates. I strongly suggest that you update to Firefox 3.6.6 or later, update your plugins (flash, adobe, etc.), and retest in a new profile. If you still see the issue with the updated Firefox, please post here. Otherwise, please close as RESOLVED > WORKSFORME http://www.mozilla.com http://support.mozilla.com/kb/Managing+profiles http://support.mozilla.com/kb/Safe+mode
Whiteboard: [CLOSEME 2010-07-30]
Comment 4•14 years ago
|
||
I can confirm that this bug is still present in 3.6.6 (Ubuntu) The bug is actually pretty simple. In http://mxr.mozilla.org/firefox/source/extensions/auth/nsHttpNegotiateAuth.cpp you have: 389 PRBool 390 nsHttpNegotiateAuth::MatchesBaseURI(const nsCSubstring &matchScheme, 391 const nsCSubstring &matchHost, 392 PRInt32 matchPort, 393 const char *baseStart, 394 const char *baseEnd) 395 { 396 // check if scheme://host:port matches baseURI 397 398 // parse the base URI 399 const char *hostStart, *schemeEnd = strstr(baseStart, "://"); So you get everything before // as the protocol. in the same file: 335 PRBool 336 nsHttpNegotiateAuth::TestPref(nsIURI *uri, const char *pref) ... 368 char *start = hostList, *end; 369 for (;;) { 370 // skip past any whitespace 371 while (*start == ' ' || *start == '\t') 372 ++start; 373 end = strchr(start, ','); 374 if (!end) 375 end = start + strlen(start); 376 if (start == end) 377 break; 378 if (MatchesBaseURI(scheme, host, port, start, end)) 379 return PR_TRUE; 380 if (*end == '\0') 381 break; 382 start = end + 1; 383 } Note that it passes the end pointer, but the first function's strstr doesn't use it. So for an input like "foo.com, https://" the first function receives the whole line and decides that the protocol substring is "foo.com, https://" (Everything before the //) The workaround is simple, just enter "http://foo.com, https://foo.com, https://". The fix should be simple too: 373 end = strchr(start, ','); 374 if (!end) 375 end = start + strlen(start); 376 if (start == end) 377 break; 387.1 + bool last = (*end == '\0'); 387.2 + *end = 0; 378 if (MatchesBaseURI(scheme, host, port, start, end)) 379 return PR_TRUE; 380 ! if (last) 381 break; 382 start = end + 1; 383 } That is, make sure to pass a single URI to the match function.
Updated•14 years ago
|
Whiteboard: [CLOSEME 2010-07-30]
Version: 1.5.0.x Branch → 3.6 Branch
Updated•2 years ago
|
Severity: normal → S3
Using Okta as a SSO engine, Firefox before 118 version update was able to successfully logged in via our SSO policy with the urls entered in network.negotiate-auth.trusted-uris setting. Version 118 and onwards it does not work, but conitnues to work with Chrome. So we are assuming there is handoff bug in here somewhere..
You need to log in
before you can comment on or make changes to this bug.
Description
•