Open Bug 338917 Opened 17 years ago Updated 5 months ago

network.negotiate-auth.trusted-uris user_pref broken

Categories

(Firefox :: Settings UI, defect)

Product:
Firefox
Component:
Settings UI
Version:
3.6 Branch
Type:
defect

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: mba2000, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1

If you use something like the following user_pref:

  user_pref("network.negotiate-auth.trusted-uris", "foo.net,https://foo.bar");

and you're accessing a site in the foo.net domain the HttpNegotiateAuth extension does not attempt to perform WWW-Authenticate: Negotiate authentication. If you use just 'foo.net' it works.

The code in question is here:
  http://lxr.mozilla.org/seamonkey/source/extensions/auth/nsHttpNegotiateAuth.cpp#390

At first, I thought I spotted it right away:

431     const char *end = matchHost.EndReading();
432     if (PL_strncasecmp(end - hostLen, hostStart, hostLen) == 0) {
433         // if matchHost ends with host from the base URI, then make sure it is
434         // either an exact match, or prefixed with a dot.  we don't want
435         // "foobar.com" to match "bar.com"
436         if (matchHost.Length() == hostLen ||
437             *(end - hostLen) == '.' ||
438             *(end - hostLen - 1) == '.')
439             return PR_TRUE;

This says the needle must match the haystack exactly or begin with a '.' or the character preceeding the first character must be a '.'. But I tried:

  foo.net,https://.foo.bar

and it still didn't work. So I'm not sure what the problem.

Note you have to restart the browser after editing prefs.js.

Also, in searching bugzilla I've seen a number of references to this bug that don't quite identify the problem. Meaning there's one about wildcards not working (yeah, no wildcards at work here [1]) and another about Kerberos being broken when in fact it was actually just this bug.

Mike

[1] Here's a super simple but suprisingly correct dos style '*' and '?' wildcard  matching function: http://www.codeproject.com/string/wildcmp.asp

Reproducible: Always
Reporter, do you still see this problem with the latest Firefox 2? If not, can you please close this bug as WORKSFORME. Thanks!
Version: unspecified → 1.5.0.x Branch
Though I'm not the original reporter, this fails for me in FF 2.0.0.14 (both Windows and Mac).  There doesn't seem to be a way to use a generic URI and "https://".
This bug was originally reported on Firefox 2.x or older, which is no longer supported and will not be receiving any more updates. I strongly suggest that you update to Firefox 3.6.6 or later, update your plugins (flash, adobe, etc.), and retest in a new profile. If you still see the issue with the updated Firefox, please post here. Otherwise, please close as RESOLVED > WORKSFORME
http://www.mozilla.com
http://support.mozilla.com/kb/Managing+profiles
http://support.mozilla.com/kb/Safe+mode
Whiteboard: [CLOSEME 2010-07-30]
I can confirm that this bug is still present in 3.6.6 (Ubuntu)

The bug is actually pretty simple. In http://mxr.mozilla.org/firefox/source/extensions/auth/nsHttpNegotiateAuth.cpp you have:
389 PRBool
390 nsHttpNegotiateAuth::MatchesBaseURI(const nsCSubstring &matchScheme,
391                                     const nsCSubstring &matchHost,
392                                     PRInt32             matchPort,
393                                     const char         *baseStart,
394                                     const char         *baseEnd)
395 {
396     // check if scheme://host:port matches baseURI
397 
398     // parse the base URI
399     const char *hostStart, *schemeEnd = strstr(baseStart, "://");

So you get everything before // as the protocol.

in the same file:
335 PRBool
336 nsHttpNegotiateAuth::TestPref(nsIURI *uri, const char *pref)
...
368     char *start = hostList, *end;
369     for (;;) {
370         // skip past any whitespace
371         while (*start == ' ' || *start == '\t')
372             ++start;
373         end = strchr(start, ',');
374         if (!end)
375             end = start + strlen(start);
376         if (start == end)
377             break;
378         if (MatchesBaseURI(scheme, host, port, start, end))
379             return PR_TRUE;
380         if (*end == '\0')
381             break;
382         start = end + 1;
383     }

Note that it passes the end pointer, but the first function's strstr doesn't use it. So for an input like "foo.com, https://" the first function receives the whole line and decides that the protocol substring is "foo.com, https://" (Everything before the //)

The workaround is simple, just enter "http://foo.com, https://foo.com, https://". 

The fix should be simple too:

373         end = strchr(start, ',');
374         if (!end)
375             end = start + strlen(start);
376         if (start == end)
377             break;
387.1 +     bool last = (*end == '\0');
387.2 +     *end = 0;
378         if (MatchesBaseURI(scheme, host, port, start, end))
379             return PR_TRUE;
380   !     if (last)
381             break;
382         start = end + 1;
383     }

That is, make sure to pass a single URI to the match function.
Whiteboard: [CLOSEME 2010-07-30]
Version: 1.5.0.x Branch → 3.6 Branch
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.