Bug 449698 (Closed)
login manager shouldn't allow nulls in username or password
Opened 17 years ago
Closed 17 years ago
Categories: Toolkit :: Password Manager, defect
Status: RESOLVED FIXED
Target Milestone: mozilla1.9.1a2
People: Reporter: Dolske, Assigned: Dolske
Attachments (1 file): patch, 3.15 KB (Gavin: review+)
Bug 394610 added a number of restrictions to the format of the nsILoginInfo fields used by login manager. It *did* allow nulls in the username and password for a login -- there were no security implications in allowing this, testing seemed to work, and so I didn't block it.
Turns out my testing (and testcase) was flawed. The interface to nsISDR EncryptString / DecryptString is just |string|, which is a normal |char *| (unlike AString, which is a more robust buffer+length type). So, anything past the first null in the string gets truncated.
We should just go ahead and filter (block) nulls in these fields as we do for other things. Thanks to Paul for hitting this while working on bug 288040. :)
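The truncation described in the report, as an added example that is not part of the original bug or of the attached patch. `cstring_store` is a hypothetical stand-in for any `char *`-only interface (it is not the real EncryptString), the sample password is constructed, and `field_is_storable` is one way to express the proposed filter, assuming the caller still knows the field's true length.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a 13-byte password with a NUL at offset 7. */
static const char PW_WITH_NUL[] = "hunter2\0extra";
#define PW_WITH_NUL_LEN (sizeof PW_WITH_NUL - 1)

/* Hypothetical stand-in for a char*-only API (not the real EncryptString):
 * it has no length argument, so it must find the end with strlen(). */
static size_t cstring_store(const char *in, char *out, size_t out_cap)
{
    size_t n;
    if (out_cap == 0)
        return 0;
    n = strlen(in);               /* stops at the first NUL byte */
    if (n >= out_cap)
        n = out_cap - 1;
    memcpy(out, in, n);
    out[n] = '\0';
    return n;                     /* bytes actually kept */
}

/* The filter: reject a field whose real length covers a NUL byte. */
static int field_is_storable(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) == NULL;
}

/* 1 if a buffer+length value comes back unchanged from the char* API.
 * buf must be NUL-terminated at buf[len], as string literals are. */
static int survives_round_trip(const char *buf, size_t len)
{
    char stored[64];
    size_t n = cstring_store(buf, stored, sizeof stored);
    return n == len && memcmp(buf, stored, len) == 0;
}

int main(void)
{
    char out[64];
    size_t kept = cstring_store(PW_WITH_NUL, out, sizeof out);
    printf("kept %zu of %zu bytes: \"%s\"\n", kept, (size_t)PW_WITH_NUL_LEN, out);
    printf("round trip intact: %d\n", survives_round_trip(PW_WITH_NUL, PW_WITH_NUL_LEN));
    printf("filter accepts:    %d\n", field_is_storable(PW_WITH_NUL, PW_WITH_NUL_LEN));
    return 0;
}
```

The check has to run while the length is still available, because once the value has crossed the `char *` boundary the bytes after the first NUL are gone and the loss cannot be detected.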
Comment 1 • 17 years ago • Assignee
Attachment #333023 - Flags: review?(gavin.sharp)
Updated • 17 years ago • Assignee
Target Milestone: --- → mozilla1.9.1a2
Updated • 17 years ago
Attachment #333023 - Flags: review?(gavin.sharp) → review+
Comment 2 • 17 years ago • Assignee
Pushed changeset cdeb3b9d9b0f.
Status: NEW → RESOLVED
Closed: 17 years ago
Flags: in-testsuite+
Resolution: --- → FIXED