Closed
Bug 455935
Opened 16 years ago
Closed 10 years ago
http://user:pass@site/ link asks 'Is "user" the site you want to visit?' [x86_64 Linux]
Categories
(Core :: Internationalization, defect)
RESOLVED
WORKSFORME
People
(Reporter: andersk, Assigned: smontagu)
Details
(Keywords: 64bit, sec-low, Whiteboard: [sg:low])
Attachments
(1 file)
19.55 KB,
image/jpeg
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.2) Gecko/2008090211 Ubuntu/8.10 (intrepid) Firefox/3.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.2) Gecko/2008090211 Ubuntu/8.10 (intrepid) Firefox/3.0.1

Before letting you visit a potentially confusing URL with an embedded HTTP username:password, Firefox pops up a “helpful” warning dialog asking you to confirm the site you intended to visit. Unfortunately, it asks you to confirm that you intend to visit the _username_, not that you intend to visit the real site!

Reproducible: Always

Steps to Reproduce:
1. Visit http://www.google.com:search@members.tripod.com/

Actual Results:
Confirm
You are about to log in to the site "members.tripod.com" with the username "www%2Egoogle%2Ecom", but the website does not require authentication. This may be an attempt to trick you. Is "www%2Egoogle%2Ecom" the site you want to visit?
[No] [Yes]

Expected Results:
Is "members.tripod.com" the site you want to visit?

I’m using firefox 3.0.2+build3+nobinonly-0ubuntu2, xulrunner-1.9 1.9.0.2+build3+nobinonly-0ubuntu1 on Ubuntu intrepid amd64.
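The check the report expects, as an added example (not Firefox code and not part of the original report): it parses a URL with the WHATWG `URL` API, separates the username from the host, and builds the confirmation text so that the closing question names the host. `buildSuperfluousAuthPrompt`, `looksLikeHostname` and the `siteRequiresAuth` parameter are hypothetical names; the message wording follows the dialog quoted in the report.

```javascript
// Added example, not Firefox code: function and variable names are hypothetical.
// Message modelled on the dialog text quoted in the report; named placeholders
// make each substitution explicit instead of relying on argument position.
const TEMPLATE =
  'You are about to log in to the site "{host}" with the username "{user}", ' +
  'but the website does not require authentication. ' +
  'This may be an attempt to trick you. ' +
  'Is "{host}" the site you want to visit?';

// True when a decoded username has the shape of a DNS name (e.g. www.google.com).
function looksLikeHostname(user) {
  return /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i.test(user);
}

// Returns null when no prompt is needed, otherwise the fields and text to show.
// siteRequiresAuth is supplied by the caller (assumption: the HTTP layer knows
// whether the server answered with an authentication challenge).
function buildSuperfluousAuthPrompt(href, siteRequiresAuth) {
  const url = new URL(href);
  if (!url.username || siteRequiresAuth) return null;

  let user;
  try {
    user = decodeURIComponent(url.username); // "www%2Egoogle%2Ecom" -> "www.google.com"
  } catch (e) {
    user = url.username; // malformed escape: show it raw
  }
  const host = url.hostname;
  const message = TEMPLATE.replace(/\{(host|user)\}/g, (_, k) => (k === 'host' ? host : user));

  // Invariant from the report: the closing question must name the host.
  const question = message.slice(message.lastIndexOf('Is "'));
  if (question !== `Is "${host}" the site you want to visit?`) {
    throw new Error('prompt does not name the real host');
  }
  return { host, user, deceptiveUser: looksLikeHostname(user), message };
}

// Constructed sample inputs; the first is the URL from the report.
const SAMPLES = [
  'http://www.google.com:search@members.tripod.com/',
  'http://www%2Egoogle%2Ecom@members.tripod.com/',
  'http://alice:secret@members.tripod.com/',
  'http://members.tripod.com/',
];
for (const s of SAMPLES) {
  const p = buildSuperfluousAuthPrompt(s, false);
  console.log(s, '=>', p ? `${p.host} (user ${p.user}, deceptive=${p.deceptiveUser})` : 'no prompt');
}
```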
Comment 1•16 years ago
I can't reproduce this bug using: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.2) Gecko/2008091618 Firefox/3.0.2 (302build6) or Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3pre) Gecko/2008091704 GranParadiso/3.0.3pre I see the correct "Is members.tripod.com the site you want to visit" prompt.
Comment 2•16 years ago
wfm with FF3.01 on win32
Comment 3•16 years ago
marking wfm, please report this to Ubuntu
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Comment 4•16 years ago
There's something weirder going on here, because bug 449303 reported the same thing, also on a linux x86_64 platform. I am bringing this back to UNCONFIRMED - gavin suspects that there's weirdness in the x86_64 compiler they are using, which breaks the way we're doing our string substitutions. That probably means the problem is upstream with the distros, but I'd like to keep the bug open until we can find an answer. Anders, how would you feel about reporting this to the Ubuntu folks with reference to our suspicion, to see what they think?
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
Comment 5•16 years ago
I can reproduce this on x86-64 Ubuntu 8.04, with whatever 3.0.x they're shipping. I'd get the user-agent, but I'm running on remote X from home, so it's kind of painful.
Comment 6•16 years ago
Seeing the behavior described in comment 0 on Gentoo, Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.1) Gecko/2008081113 Gentoo Firefox/3.0.1. Seeing expected behavior on trunk, Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1b1pre) Gecko/20080915020339 Minefield/3.1b1pre.
Comment 7•16 years ago
Could be related to firefox-on-xulrunner, or some other weirdness.
Comment 8•16 years ago (Reporter)
No problem. Reported to <https://bugs.launchpad.net/firefox/+bug/271933>.
Comment 9•16 years ago
Reproduced in a local debug build from cvs (without a separate xulrunner): Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.2pre) Gecko/2008081513 Minefield/3.0.2pre
Updated•16 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•16 years ago
Component: Phishing Protection → Security
QA Contact: phishing.protection → firefox
Whiteboard: [sg:low]
Comment 10•16 years ago
(I'm the reporter of bug 449303 - seems I'm not the only one seeing this now) Could it be locale related? My system uses LANG=en_GB
Updated•16 years ago
Summary: http://user:pass@site/ link asks ‘Is "user" the site you want to visit?’ → http://user:pass@site/ link asks ‘Is "user" the site you want to visit?’ [x86_64 Linux]
Comment 12•16 years ago
Can anyone point me to the source related to this bug? Preferably a URL to an online repo view. The firefox codebase is too large for me to start trawling randomly hoping to find it, but I'd like to take a look. Could this be due to relying on the order of evaluation of function arguments, which is not defined, and could differ depending on platform and optimisation level?
Comment 13•16 years ago
http://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/src/nsHttpChannel.cpp is the relevant code, search for the keyword "SuperfluousAuth".
Assignee: nobody → smontagu
Component: Security → Internationalization
Keywords: 64bit
Product: Firefox → Core
QA Contact: firefox → i18n
Hardware: x86 → x86_64
Version: unspecified → Trunk
Comment 14•14 years ago (Assignee)
Why was this moved to internationalization?
See Also: → https://launchpad.net/bugs/271933
Comment 15•14 years ago
my bet is that the stringbundle code is being bungled :).
Comment 16•14 years ago (Assignee)
https://bugzilla.redhat.com/show_bug.cgi?id=462392#c9 says: | The problem is no longer present with firefox-3.5.5-1.fc11.x86_64
Version: Trunk → 1.9.0 Branch
Updated•12 years ago
Summary: http://user:pass@site/ link asks ‘Is "user" the site you want to visit?’ [x86_64 Linux] → http://user:pass@site/ link asks 'Is "user" the site you want to visit?' [x86_64 Linux]
The codepath here was presumably: nsHttpChannelAuthProvider::CheckForSuperfluousAuth -> nsHttpChannelAuthProvider::ConfirmAuth -> nsStringBundle::FormatStringFromName or its older equivalent. It sounds like this can probably be WORKSFORME now, though.
Comment 18•10 years ago
WFM with the current FF33 in Ubuntu: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Status: NEW → RESOLVED
Closed: 16 years ago → 10 years ago
Resolution: --- → WORKSFORME