Closed Bug 455935 Opened 16 years ago Closed 10 years ago

http://user:pass@site/ link asks 'Is "user" the site you want to visit?' [x86_64 Linux]

Categories

(Core :: Internationalization, defect)

1.9.0 Branch
x86_64
Linux
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: andersk, Assigned: smontagu)

Details

(Keywords: 64bit, sec-low, Whiteboard: [sg:low])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.2) Gecko/2008090211 Ubuntu/8.10 (intrepid) Firefox/3.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.2) Gecko/2008090211 Ubuntu/8.10 (intrepid) Firefox/3.0.1

Before letting you visit a potentially confusing URL with an embedded HTTP username:password, Firefox pops up a “helpful” warning dialog asking you to confirm the site you intended to visit.  Unfortunately, it asks you to confirm that you intend to visit the _username_, not that you intend to visit the real site!

Reproducible: Always

Steps to Reproduce:
1. Visit http://www.google.com:search@members.tripod.com/

Actual Results:
Confirm

You are about to log in to the site "members.tripod.com" with the username "www%2Egoogle%2Ecom", but the website does not require authentication. This may be an attempt to trick you.

Is "www%2Egoogle%2Ecom" the site you want to visit?

[No] [Yes]

Expected Results:  
Is "members.tripod.com" the site you want to visit?

I’m using firefox 3.0.2+build3+nobinonly-0ubuntu2, xulrunner-1.9 1.9.0.2+build3+nobinonly-0ubuntu1 on Ubuntu intrepid amd64.
I can't reproduce this bug using:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.2) Gecko/2008091618 Firefox/3.0.2
(302build6)
or
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3pre) Gecko/2008091704 GranParadiso/3.0.3pre

I see the correct "Is members.tripod.com the site you want to visit" prompt.
Attached image Screenshot from FF3.01
wfm with FF3.01 on win32
marking wfm, please report this to Ubuntu
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
There's something weirder going on here, because bug 449303 reported the same thing, also on a linux x86_64 platform.

I am bringing this back to UNCONFIRMED - gavin suspects that there's weirdness in the x86_64 compiler they are using, which breaks the way we're doing our string substitutions.  That probably means the problem is upstream with the distros, but I'd like to keep the bug open until we can find an answer.

Anders, how would you feel about reporting this to the Ubuntu folks with reference to our suspicion, to see what they think?
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
I can reproduce this on x86-64 Ubuntu 8.04, with whatever 3.0.x they're shipping. I'd get the user-agent, but I'm running on remote X from home, so it's kind of painful.
Seeing the behavior described in comment 0 on Gentoo, Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.1) Gecko/2008081113 Gentoo Firefox/3.0.1.

Seeing expected behavior on trunk, Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1b1pre) Gecko/20080915020339 Minefield/3.1b1pre.
Could be related to firefox-on-xulrunner, or some other weirdness.
No problem.  Reported to <https://bugs.launchpad.net/firefox/+bug/271933>.
Reproduced in a local debug build from cvs (without a separate xulrunner):
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.2pre) Gecko/2008081513 Minefield/3.0.2pre
Status: UNCONFIRMED → NEW
Ever confirmed: true
Component: Phishing Protection → Security
QA Contact: phishing.protection → firefox
Whiteboard: [sg:low]
(I'm the reporter of bug 449303 - seems I'm not the only one seeing this now)

Could it be locale related? My system uses LANG=en_GB
Summary: http://user:pass@site/ link asks ‘Is "user" the site you want to visit?’ → http://user:pass@site/ link asks ‘Is "user" the site you want to visit?’ [x86_64 Linux]
Can anyone point me to the source related to this bug?  Preferably a URL to an online repo view.  The firefox codebase is too large for me to start trawling randomly hoping to find it, but I'd like to take a look.

Could this be due to relying on the order of evaluation of function arguments, which is not defined, and could differ depending on platform and optimisation level?
http://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/src/nsHttpChannel.cpp is the relevant code, search for the keyword "SuperfluousAuth".
Assignee: nobody → smontagu
Component: Security → Internationalization
Keywords: 64bit
Product: Firefox → Core
QA Contact: firefox → i18n
Hardware: x86 → x86_64
Version: unspecified → Trunk
Why was this moved to internationalization?
my bet is that the stringbundle code is being bungled :).
https://bugzilla.redhat.com/show_bug.cgi?id=462392#c9 says:
| The problem is no longer present with firefox-3.5.5-1.fc11.x86_64
Version: Trunk → 1.9.0 Branch
Summary: http://user:pass@site/ link asks ‘Is "user" the site you want to visit?’ [x86_64 Linux] → http://user:pass@site/ link asks 'Is "user" the site you want to visit?' [x86_64 Linux]
The codepath here was presumably: nsHttpChannelAuthProvider::CheckForSuperfluousAuth -> nsHttpChannelAuthProvider::ConfirmAuth -> nsStringBundle::FormatStringFromName or its older equivalent.

It sounds like this can probably be WORKSFORME now, though.
WFM with the current FF33 in Ubuntu:
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Status: NEW → RESOLVED
Closed: 16 years ago → 10 years ago
Resolution: --- → WORKSFORME
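
The behaviour the report expects, as an added example that is not Firefox code and not written by anyone in this thread: split the userinfo from the host, fill a positional template, and check that the confirmation question names the host. The template text is reconstructed from the dialog quoted in comment 0; the function names and the `%1$S`/`%2$S` argument order are assumptions.

```javascript
// Added example. Template reconstructed from the dialog quoted in the report;
// assumed argument order: %1$S = host, %2$S = username.
const TEMPLATE =
  'You are about to log in to the site "%1$S" with the username "%2$S", ' +
  'but the website does not require authentication. ' +
  'This may be an attempt to trick you.\n\n' +
  'Is "%1$S" the site you want to visit?';

// Substitute positional %N$S placeholders. An index with no matching
// argument is an error rather than a silent wrong substitution.
function formatPositional(template, args) {
  return template.replace(/%(\d+)\$S/g, (match, n) => {
    const i = Number(n) - 1;
    if (i < 0 || i >= args.length) {
      throw new RangeError(`no argument for ${match}`);
    }
    return args[i];
  });
}

// Separate the credential part of the authority from the part that
// decides where the request is actually sent.
function splitAuthority(href) {
  const u = new URL(href);
  return {
    host: u.hostname,
    username: u.username,
    hasUserinfo: u.username !== '' || u.password !== '',
  };
}

// Build the warning for a URL that carries userinfo; null if it has none.
function superfluousAuthPrompt(href) {
  const { host, username, hasUserinfo } = splitAuthority(href);
  return hasUserinfo ? formatPositional(TEMPLATE, [host, username]) : null;
}

// Regression check: the final question must name the host, never the userinfo.
function promptNamesHost(href, prompt) {
  const { host } = splitAuthority(href);
  const question = prompt.split('\n').pop();
  return question === `Is "${host}" the site you want to visit?`;
}
```

Running `promptNamesHost` against the "Actual Results" question from comment 0 returns `false`, which is the condition a test for this dialog would need to catch.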