Closed Bug 44299 Opened 25 years ago Closed 25 years ago

Inappropriate prompt for master password

Categories

(Core Graveyard :: Security: UI, defect, P3)

1.0 Branch
x86
Windows NT
defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: morse, Assigned: thayes0993)

References

Details

(Whiteboard: [nsbeta3+])

Under the following scenario I get a prompt for the master password after I have just changed the master password:

1. Create a new profile and bring up the browser
2. Go to http://people.netscape.com/morse/password.htm
3. Fill in any arbitrary username and password, then submit form
4. Answer "yes" to the "do you want to save" dialog
5. Dismiss the encryption-disclaimer dialog
6. Dismiss the security-alert dialog
7. From the menu select tasks->privacy->password-manager->encrypt
8. PSM dialog for creating master password appears. Enter password and press OK
9. Security alert appears (this is bug 44044). Click OK
10. Security alert appears again (more bug 44044). Click OK again.
11. Exit and reenter browser
12. From the menu select tasks->privacy->password-manager->change-password
13. Change of password dialog comes up (contrast this to bug 44291).
14. Fill in the password fields and click OK

Before the change dialog gets dismissed, another dialog comes up asking you to enter your master password. This dialog is inappropriate!
Status: NEW → ASSIGNED
Keywords: nsbeta3
Blocks: 48444
Can no longer demonstrate this bug. Because of bug 50731 we now hang after performing step 7. Stacktrace at point of hang is included in bug 50731.
Depends on: 50731
OK, 50731 is out of the way so I can demonstrate this bug once again. Here is the stacktrace when the inappropriate prompt for master password comes up:

nsXULWindow::ShowModal(nsXULWindow * const 0x039b3a40) line 229 + 31 bytes
nsWebShellWindow::ShowModal(nsWebShellWindow * const 0x039b3a40) line 1101
nsChromeTreeOwner::ShowModal(nsChromeTreeOwner * const 0x039b4fd0) line 182
GlobalWindowImpl::OpenInternal(GlobalWindowImpl * const 0x01b09260, JSContext * 0x01b09060, long * 0x03210ecc, unsigned int 4, int 1, nsIDOMWindow * * 0x0012cc58) line 2972
GlobalWindowImpl::OpenDialog(GlobalWindowImpl * const 0x01b09264, JSContext * 0x01b09060, long * 0x03210ecc, unsigned int 4, nsIDOMWindow * * 0x0012cc58) line 1912
nsCommonDialogs::DoDialog(nsCommonDialogs * const 0x02537df0, nsIDOMWindow * 0x01b09264, nsIDialogParamBlock * 0x039af8a0, const char * 0x00e97668) line 453 + 49 bytes
nsCommonDialogs::UniversalDialog(nsCommonDialogs * const 0x02537df0, nsIDOMWindow * 0x01b09264, const unsigned short * 0x00000000, const unsigned short * 0x039af900, const unsigned short * 0x039b8d50, const unsigned short * 0x00000000, const unsigned short * 0x00000000, const unsigned short * 0x00000000, const unsigned short * 0x00000000, const unsigned short * 0x00000000, ...) lin
nsDOMWindowPrompter::UniversalDialog(nsDOMWindowPrompter * const 0x039bed20, const unsigned short * 0x00000000, const unsigned short * 0x039af900, const unsigned short * 0x039b8d50, const unsigned short * 0x00000000, const unsigned short * 0x00000000, const unsigned short * 0x00000000, const unsigned short * 0x00000000, const unsigned short * 0x00000000, ...) line 1961 + 110 bytes
si_CheckGetPassword(unsigned short * * 0x0012d2d4, const unsigned short * 0x00000000, const unsigned short * 0x039b8d50, nsIPrompt * 0x039bed20, unsigned int 0, int * 0x0012d000) line 422 + 60 bytes
SINGSIGN_PromptPassword(const unsigned short * 0x00000000, const unsigned short * 0x039b8d50, unsigned short * * 0x0012d2d4, const char * 0x0012d0e0, nsIPrompt * 0x039bed20, int * 0x0012d2e4, unsigned int 0) line 2321 + 32 bytes
nsSingleSignOnPrompt::PromptPassword(nsSingleSignOnPrompt * const 0x039bd0d0, const unsigned short * 0x00000000, const unsigned short * 0x039b8d50, const unsigned short * 0x0012d234, unsigned int 0, unsigned short * * 0x0012d2d4, int * 0x0012d2e4) line 480 + 47 bytes
nsNetSupportDialog::PromptPassword(nsNetSupportDialog * const 0x03bbc290, const unsigned short * 0x00000000, const unsigned short * 0x039b8d50, const unsigned short * 0x0012d234, unsigned int 0, unsigned short * * 0x0012d2d4, int * 0x0012d2e4) line 187 + 47 bytes
PromptUserCallback(void * 0x00000000, char * 0x039b8e80, int 0) line 323 + 75 bytes
CMT_ServicePasswordRequest(_CMT_CONTROL * 0x037185e0, CMTItemStr * 0x0012d3f8) line 76 + 23 bytes
CMT_DispatchEvent(_CMT_CONTROL * 0x037185e0, CMTItemStr * 0x0012d3f8) line 461 + 13 bytes
CMT_ReadMessageDispatchEvents(_CMT_CONTROL * 0x037185e0, CMTItemStr * 0x0012d3f8) line 274 + 13 bytes
CMT_SendMessage(_CMT_CONTROL * 0x037185e0, CMTItemStr * 0x0012d3f8) line 312 + 13 bytes
tmp_SendMessage(_CMT_CONTROL * 0x037185e0, CMTItemStr * 0x0012d3f8) line 77 + 13 bytes
CMT_SDRDecrypt(_CMT_CONTROL * 0x037185e0, void * 0x00000000, const unsigned char * 0x039bd170, unsigned long 52, unsigned char * * 0x0012d478, unsigned long * 0x0012d450) line 173 + 13 bytes
nsSecretDecoderRing::Decrypt(nsSecretDecoderRing * const 0x03707d60, unsigned char * 0x039bd170, int 52, unsigned char * * 0x0012d478, int * 0x0012d484) line 126 + 27 bytes
nsSecretDecoderRing::DecryptString(nsSecretDecoderRing * const 0x03707d60, const char * 0x039bd1e0, char * * 0x0012d4c0) line 179 + 28 bytes
DecryptString(const char * 0x039bd1e0, char * & 0x00000000) line 1001 + 26 bytes
Wallet_Decrypt(const nsString & {"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECC/PR+FWBaZFBAgxdOuGOPkAfA=="}, nsString & {""}) line 1085 + 13 bytes
Wallet_Decrypt2(const nsString & {"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECC/PR+FWBaZFBAgxdOuGOPkAfA=="}, nsString & {""}) line 1125 + 13 bytes
si_Decrypt(const nsString & {"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECC/PR+FWBaZFBAgxdOuGOPkAfA=="}, nsString & {""}) line 627 + 13 bytes
si_CompareEncryptedToCleartext(const nsString & {"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECC/PR+FWBaZFBAgxdOuGOPkAfA=="}, const nsString & {"steve"}) line 633 + 16 bytes
si_GetURLAndUserForChangeForm(nsIPrompt * 0x03bbc290, const nsString & {"steve"}) line 1079 + 35 bytes
si_RememberSignonData(nsIPrompt * 0x03bbc290, const char * 0x039bd030, nsVoidArray * 0x039bc950, nsIDOMWindow * 0x03a9fba4) line 1967 + 19 bytes
SINGSIGN_RememberSignonData(nsIPrompt * 0x03bbc290, const char * 0x039bef70, nsVoidArray * 0x039bc950, nsIDOMWindow * 0x03a9fba4) line 2025 + 21 bytes
WLLT_OnSubmit(nsIContent * 0x03b206fc, nsIDOMWindow * 0x03a9fba4) line 3604 + 35 bytes
nsWalletlibService::Notify(nsWalletlibService * const 0x024c6938, nsIContent * 0x03b206fc, nsIDOMWindow * 0x03a9fba4, nsIURI * 0x039bbfa0) line 174 + 13 bytes
nsFormFrame::OnSubmit(nsFormFrame * const 0x032f9e18, nsIPresContext * 0x03a9ff00, nsIFrame * 0x00000000) line 874 + 63 bytes
nsHTMLFormElement::Submit(nsHTMLFormElement * const 0x03b206f0) line 303 + 23 bytes
HTMLFormElementSubmit(JSContext * 0x03a9f9a0, JSObject * 0x032b4c20, unsigned int 0, long * 0x032d3f6c, long * 0x0012e6d0) line 408 + 15 bytes
js_Invoke(JSContext * 0x03a9f9a0, unsigned int 0, unsigned int 0) line 716 + 23 bytes
js_Interpret(JSContext * 0x03a9f9a0, long * 0x0012f118) line 2517 + 15 bytes
js_Execute(JSContext * 0x03a9f9a0, JSObject * 0x031f23d0, JSScript * 0x039b7b50, JSFunction * 0x00000000, JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012f118) line 887 + 13 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x03a9f9a0, JSObject * 0x031f23d0, JSPrincipals * 0x035ca430, const unsigned short * 0x0012f1d4, unsigned int 11, const char * 0x03c8c6b0, unsigned int 29, long * 0x0012f118) line 3100 + 27 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x03a9fb30, const basic_nsAReadableString<unsigned short> & {...}, void * 0x031f23d0, nsIPrincipal * 0x035ca42c, const char * 0x03c8c6b0, unsigned int 29, const char * 0x0030e5f8, basic_nsAWritableString<unsigned short> & {...}, int * 0x0012f1b8) line 538 + 68 bytes
GlobalWindowImpl::RunTimeout(nsTimeoutImpl * 0x03c8ca70) line 3657 + 97 bytes
nsGlobalWindow_RunTimeout(nsITimer * 0x03c8c650, void * 0x03c8ca70) line 3911 + 15 bytes
nsTimer::Fire() line 194 + 17 bytes
nsTimerManager::FireNextReadyTimer(nsTimerManager * const 0x01b6a1f0, unsigned int 0) line 117
nsAppShell::GetNativeEvent(nsAppShell * const 0x039de4e0, int & 1, void * & 0x01d71ff0 msg) line 161
nsXULWindow::ShowModal(nsXULWindow * const 0x0374c170) line 229 + 31 bytes
nsWebShellWindow::ShowModal(nsWebShellWindow * const 0x0374c170) line 1101
nsContentTreeOwner::ShowModal(nsContentTreeOwner * const 0x03a3aeb0) line 184
GlobalWindowImpl::OpenInternal(GlobalWindowImpl * const 0x01b09260, JSContext * 0x01b09060, long * 0x03210ec0, unsigned int 3, int 0, nsIDOMWindow * * 0x0012fa60) line 2972
GlobalWindowImpl::Open(GlobalWindowImpl * const 0x01b09264, JSContext * 0x01b09060, long * 0x03210ec0, unsigned int 3, nsIDOMWindow * * 0x0012fa60) line 1903
nsPSMUIHandlerImpl::DisplayURI(nsPSMUIHandlerImpl * const 0x0371bfa0, int 500, int 450, int 1, const char * 0x03718870) line 104
XPTC_InvokeByIndex(nsISupports * 0x0371bfa0, unsigned int 3, unsigned int 4, nsXPTCVariant * 0x0371f7a0) line 139
EventHandler(PLEvent * 0x0371f810) line 508 + 41 bytes
PL_HandleEvent(PLEvent * 0x0371f810) line 587 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00b584c0) line 528 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x0001061c, unsigned int 49484, unsigned int 0, long 11896000) line 1043 + 9 bytes
USER32! 77e71268()
00b584c0()
OK, here's what's happening. The cartman change-password dialog is actually a webpage on a local server. So when you click on OK, you are submitting a form and that will trigger all the onsubmit handlers to fire. There is such a handler in wallet and that needs to decrypt a value. So it makes a call into the psm module. But I guess the changed-password hasn't taken effect yet (and wallet already forced a logout from the previous password) so the psm module puts up a prompt for a password.

Note that bug 44044 (security-alert dialogs coming up at the wrong time) was also caused by forms being submitted to the local cartman server. David Drinan has indicated that he has a fix for that bug which he will check in momentarily. If his fix involves suppressing the onsubmit handlers, it will also take care of this bug. But if his fix is more localized, then a local fix for this bug will need to be implemented as well.
If ddrinan's fix for bug 44044 is too localized, and there is no convenient place in cartman to fix the current bug, then here is a patch that can be applied to the onsubmit handler in wallet that will prevent this inappropriate master-password prompt from occurring:

Index: wallet.cpp =================================================================== RCS file: /cvsroot/mozilla/extensions/wallet/src/wallet.cpp,v retrieving revision 1.257 diff -c -r1.257 wallet.cpp *** wallet.cpp 2000/08/29 04:29:01 1.257 --- wallet.cpp 2000/08/30 02:41:22 *************** *** 3467,3472 **** --- 3467,3477 ---- } (void)docURL->GetSpec(&URLName); wallet_GetHostFile(docURL, strippedURLNameAutoString); + if (strippedURLNameAutoString.EqualsWithConversion("127.0.0.1/get")) { + /* this is a submit to a cartman dialog -- don't capture it */ + nsCRT::free(URLName); + return; + } strippedURLName = strippedURLNameAutoString.ToNewCString(); /* get to the form elements */
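Review bot: the added check on strippedURLNameAutoString identifies the cartman dialog only by the hard-coded literal "127.0.0.1/get", so any other form whose stripped URL is 127.0.0.1/get is silently excluded from capture as well, and the check stops matching if the local server's path ever changes. Suggest moving the string into a named constant shared with the code that opens the dialog, and extending the comment to say that the early return exists to avoid the decrypt call and the master-password prompt it triggers. Also confirm that URLName is the only allocation live at this point in the function, since the new return path frees nothing else.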
marking nsbeta3+ and leaving priority as p3. This one we should fix if we have time, but not hold for it.
Whiteboard: [nsbeta3+]
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Worksforme. Verified fixed.
Status: RESOLVED → VERIFIED
Mass changing Security:Crypto to PSM
Component: Security: Crypto → Client Library
Product: Browser → PSM
Version: other → 2.1
Mass changing Security:Crypto to PSM
Product: PSM → Core
Version: psm2.1 → 1.0 Branch
Product: Core → Core Graveyard