Open Bug 338917 Opened 18 years ago Updated 7 months ago

network.negotiate-auth.trusted-uris user_pref broken

Categories

(Firefox :: Settings UI, defect)

Product:
Firefox
Component:
Settings UI
Version:
3.6 Branch
Type:
defect

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: mba2000, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1

If you use something like the following user_pref:

  user_pref("network.negotiate-auth.trusted-uris", "foo.net,https://foo.bar");

and you're accessing a site in the foo.net domain the HttpNegotiateAuth extension does not attempt to perform WWW-Authenticate: Negotiate authentication. If you use just 'foo.net' it works.

The code in question is here:
  http://lxr.mozilla.org/seamonkey/source/extensions/auth/nsHttpNegotiateAuth.cpp#390

At first, I thought I spotted it right away:

431     const char *end = matchHost.EndReading();
432     if (PL_strncasecmp(end - hostLen, hostStart, hostLen) == 0) {
433         // if matchHost ends with host from the base URI, then make sure it is
434         // either an exact match, or prefixed with a dot.  we don't want
435         // "foobar.com" to match "bar.com"
436         if (matchHost.Length() == hostLen ||
437             *(end - hostLen) == '.' ||
438             *(end - hostLen - 1) == '.')
439             return PR_TRUE;

This says the needle must match the haystack exactly or begin with a '.' or the character preceeding the first character must be a '.'. But I tried:

  foo.net,https://.foo.bar

and it still didn't work. So I'm not sure what the problem.

Note you have to restart the browser after editing prefs.js.

Also, in searching bugzilla I've seen a number of references to this bug that don't quite identify the problem. Meaning there's one about wildcards not working (yeah, no wildcards at work here [1]) and another about Kerberos being broken when in fact it was actually just this bug.

Mike

[1] Here's a super simple but suprisingly correct dos style '*' and '?' wildcard  matching function: http://www.codeproject.com/string/wildcmp.asp

Reproducible: Always
Reporter, do you still see this problem with the latest Firefox 2? If not, can you please close this bug as WORKSFORME. Thanks!
Version: unspecified → 1.5.0.x Branch
Though I'm not the original reporter, this fails for me in FF 2.0.0.14 (both Windows and Mac).  There doesn't seem to be a way to use a generic URI and "https://".
This bug was originally reported on Firefox 2.x or older, which is no longer supported and will not be receiving any more updates. I strongly suggest that you update to Firefox 3.6.6 or later, update your plugins (flash, adobe, etc.), and retest in a new profile. If you still see the issue with the updated Firefox, please post here. Otherwise, please close as RESOLVED > WORKSFORME
http://www.mozilla.com
http://support.mozilla.com/kb/Managing+profiles
http://support.mozilla.com/kb/Safe+mode
Whiteboard: [CLOSEME 2010-07-30]
I can confirm that this bug is still present in 3.6.6 (Ubuntu)

The bug is actually pretty simple. In http://mxr.mozilla.org/firefox/source/extensions/auth/nsHttpNegotiateAuth.cpp you have:
389 PRBool
390 nsHttpNegotiateAuth::MatchesBaseURI(const nsCSubstring &matchScheme,
391                                     const nsCSubstring &matchHost,
392                                     PRInt32             matchPort,
393                                     const char         *baseStart,
394                                     const char         *baseEnd)
395 {
396     // check if scheme://host:port matches baseURI
397 
398     // parse the base URI
399     const char *hostStart, *schemeEnd = strstr(baseStart, "://");

So you get everything before // as the protocol.

in the same file:
335 PRBool
336 nsHttpNegotiateAuth::TestPref(nsIURI *uri, const char *pref)
...
368     char *start = hostList, *end;
369     for (;;) {
370         // skip past any whitespace
371         while (*start == ' ' || *start == '\t')
372             ++start;
373         end = strchr(start, ',');
374         if (!end)
375             end = start + strlen(start);
376         if (start == end)
377             break;
378         if (MatchesBaseURI(scheme, host, port, start, end))
379             return PR_TRUE;
380         if (*end == '\0')
381             break;
382         start = end + 1;
383     }

Note that it passes the end pointer, but the first function's strstr doesn't use it. So for an input like "foo.com, https://" the first function receives the whole line and decides that the protocol substring is "foo.com, https://" (Everything before the //)

The workaround is simple, just enter "http://foo.com, https://foo.com, https://". 

The fix should be simple too:

373         end = strchr(start, ',');
374         if (!end)
375             end = start + strlen(start);
376         if (start == end)
377             break;
387.1 +     bool last = (*end == '\0');
387.2 +     *end = 0;
378         if (MatchesBaseURI(scheme, host, port, start, end))
379             return PR_TRUE;
380   !     if (last)
381             break;
382         start = end + 1;
383     }

That is, make sure to pass a single URI to the match function.
Whiteboard: [CLOSEME 2010-07-30]
Version: 1.5.0.x Branch → 3.6 Branch
Severity: normal → S3

Using Okta as a SSO engine, Firefox before 118 version update was able to successfully logged in via our SSO policy with the urls entered in network.negotiate-auth.trusted-uris setting. Version 118 and onwards it does not work, but conitnues to work with Chrome. So we are assuming there is handoff bug in here somewhere..

You need to log in before you can comment on or make changes to this bug.