form post method data shows in address bar history in url as get method

RESOLVED INVALID

Status


Firefox
General
--
major
RESOLVED INVALID
9 years ago
9 years ago

People

(Reporter: Keith Jackson, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:low local])

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008111318 Ubuntu/8.10 (intrepid) Firefox/3.0.4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008111318 Ubuntu/8.10 (intrepid) Firefox/3.0.4

I have a log in form that uses a POST method to submit user and password.  After the form is submitted, the url in the history shows the form fields and data on the url (get method).

I have other log in forms that do not show this symptom. I've compared the source of the two and cannot see any difference that would cause this.

The forms are intranet applications but if you'd like I can send you the html so it can be replicated on your server.

Reproducible: Always

Steps to Reproduce:
1. fill out form
2. submit form
3. pull down url history

Actual Results:
http://zzz.example.com/cgi-bin/admin/login.pl?username=yyyy;passwd=xxxx;Login= Log In 

Shows in the history but the login.pl used POST method in the form

Expected Results:  
http://zzz.example.com/cgi-bin/admin/login.pl

I did not want to post actual url information but will supply it to someone working on the bug.

I listed this as a major bug since log in and password information is shown in clear text in the history and web logs.

Comment 1

9 years ago
Are you sure the page uses POST?  Can you upload a simple HTML example that demonstrates the bug?
Whiteboard: [sg:low local]
(Reporter)

Comment 2

9 years ago
The page source from the form in question.  It has always used a POST method.  This was tested in Firefox 2.x and it behaves properly there.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /><link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" /><link rel="icon" href="/favicon.ico" type="image/x-icon" />


<title>Web Applications Administration </title>

<script src="/elements/js/checkform.js" type="text/javascript" language="javascript" charset="iso-8859-1"></script>
<link rel="stylesheet" type="text/css" href="/elements/css/styles.css" />
<!--[if gte IE 6]>
<link rel="stylesheet" type="text/css" href="/elements/css/styles-IE-fix.css" />
<![endif]-->

<meta name="RIGHTS" content="Copyright Presstek, Inc. All Rights Reserved." />



</head>
<body><a id="top"></a><a name="top"></a>
<div id="container">
	<div id="header">
    <a id="logo" href="http://www.presstek.com"><img src="/elements/page/top_logo.gif" alt="Presstek, Inc. ... A Smarter Way To Print" style="border:0;" /></a>
    <ul id="utilities">
        <li><a href="http://www.presstek.com">Home</a></li>
    <li>•</li>

         <li><a href="http://www.presstek.com/about-contact.htm">Contact Us</a></li>
    <li>•</li>
         <li><a href="http://www.presstek.com/about-investor.htm">Investor Relations</a></li>
   <li>•</li>
         <li><a href="http://www.presstek.com/about-careers.htm">Careers</a></li>
    </ul>

    <div id="shopPresstek"><a href="https://shop.presstek.com/" target="_blank"><img src="/elements/page/shop_presstek_btn.jpg" width="108" height="27" alt="" border="0" /></a></div>	
    <div id="topNav">
       <a class="aboutUs" href="http://www.presstek.com/about-overview.htm"></a>
       <a class="solutions" href="http://www.presstek.com/solutions-overview.htm"></a>
       <a class="products" href="http://www.presstek.com/products-overview.htm"></a>
       <a class="service" href="http://www.presstek.com/service-and-support-overview.htm"></a>
       <a class="news" href="http://www.presstek.com/news-press-releases.htm"></a>
    </div>
</div>
	


<div id="interiorMain">
<table cellpadding="0" cellspacing="0" width="100%" height="100%" border="0">
	<tr>
		<td valign="top">
		<div id="leftNav">
		<div id="sectional"><img src="/elements/page/header_main.jpg" width="170" height="47" alt="" border="0" /></div>
		<div id="leftNavTable">
		<table cellpadding="0" cellspacing="0" width="100%" border="0">
		</table>
		</div>

		
		</div>
		</td>
		<td valign="top" id="content" width="100%">


<h1>Web Applications Administration</h1>
<div style="width:450px;">




<fieldset><legend class="bold">Please Log In</legend>

<form action="/cgi-bin/admin/login.pl" method="post">
<table border="0" cellspacing="0" cellpadding="2" style="margin-top:15px;">
<tr>
	<td><label for="Username">Username: </label></td>
	<td><input id="Username" type="text" name="username" size="35" maxlength="35" tabindex="1" /></td>
</tr>
<tr>
	<td><label for="Password">Password: </label></td>
	<td><input id="Password" type="password" name="passwd" size="35" maxlength="125" tabindex="2" /></td>
</tr>

<tr>
	<td>&nbsp;</td>
	<td><input id="loginbutton" type="submit" name="Login" value=" Log In " /></td>
</tr>
</table></form>
</fieldset>
</div>


				</td>
				<td width="150"></td>
			</tr>

		</table>
	</div>
	
	<div id="footer">
			<ul>
				<li><a href="http://www.presstek.com/sitemap.htm">Site Map</a></li>

				<li>|</li>
				<li><a href="http://www.presstek.com/legal.htm">Legal Notice</a></li>

				<li>|</li>
				<li><a href="http://www.presstek.com/privacy.htm">Privacy Policy</a></li>
			</ul>
		</div>
</div>

</body>
</html>

Comment 3

9 years ago
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20081203 Minefield/3.2a1pre

I loaded that page from my web server, typed in some stuff, and clicked submit.  Then I went to the address bar and searched for the stuff I typed in.  It didn't appear.  So WFM -- I can't reproduce the bug.
(Reporter)

Comment 4

9 years ago
Thanks for all your help!

I tried logging in with a bogus user name and password and it does not store that in the history.  The server log is showing the status as a 302 so it's perhaps something in the server.  I will keep debugging data on my side and let you know when I solve it.
(Reporter)

Comment 5

9 years ago
Here is a test URL that demonstrates the problem/bug:

http://www.presstek.com/cgi-bin/login.pl

Sample user name and password is on that screen.

Thanks!
(Reporter)

Comment 6

9 years ago
(In reply to comment #5)
> Here is a test URL that demonstrates the problem/bug:
> 
> http://www.presstek.com/cgi-bin/login.pl
> 
> Sample user name and password is on that screen.
> 
> Thanks!

Sorry.. the CORRECT URL is:
http://www.presstek.eyemgstaging.com/cgi-bin/login.pl
(Reporter)

Comment 7

9 years ago
> 
> Sorry.. the CORRECT URL is:
> http://www.presstek.eyemgstaging.com/cgi-bin/login.pl

grrrr... One more time....  the CORRECT URL is: 
http://www.presstek.eyemgstaging.com/cgi-bin/test.pl
(Reporter)

Comment 8

9 years ago
I found the problem.  There was a bug in my code. There was a redirect that was expecting a URL for the redirection and the URL variable wasn't being set.  This caused the program to redirect back to itself with the GET variables set.  Since the first time logged me in, it redirected to the place where the program should go if I'm already logged in.

FF3 is obviously recording the redirected URL in its history where no other browsers do this.  I assume this is a feature?  I'm not sure if that is the intended behavior or not.

Thanks for your help!
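
Added example (not part of the original thread, and not the reporter's Perl code): a Python sketch of the two checks this root cause suggests, namely finding requests in an access log whose query string carries a credential field, and choosing a post-login redirect that falls back to a fixed page when the destination is unset. The landing page path, the list of sensitive field names and the log lines are constructed assumptions; only the `passwd` field name and the `;`-separated URL shape come from the report.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumed names for credential fields; "passwd" is the field in the form above.
SENSITIVE = {"passwd", "password", "pwd"}
# Hypothetical landing page used when no redirect destination is set.
DEFAULT_LANDING = "/cgi-bin/admin/menu.pl"
# Request line and status from a common/combined-format access log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def sensitive_params(url):
    """Names of credential parameters found in the URL's query string.
    Splits on '&' and ';' because the URL in the report uses ';'."""
    names = []
    for pair in re.split(r"[&;]", urlsplit(url).query):
        name = unquote_plus(pair.split("=", 1)[0]).lower()
        if name in SENSITIVE:
            names.append(name)
    return names

def scan_access_log(lines):
    """Return (line number, method, status, parameter names) per leaking request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if match and (names := sensitive_params(match["target"])):
            findings.append((number, match["method"], int(match["status"]), names))
    return findings

def redirect_target(next_url, default=DEFAULT_LANDING):
    """Choose the post-login Location header value. An unset, off-site or
    credential-carrying destination falls back to the fixed landing page."""
    if not next_url:
        return default
    parts = urlsplit(next_url)
    if "\\" in next_url or parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return default
    return default if sensitive_params(next_url) else next_url

# Constructed sample entries modelled on the sequence described in the report.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Dec/2008:10:15:01 -0500] "POST /cgi-bin/admin/login.pl HTTP/1.1" 302 -',
    '10.0.0.5 - - [03/Dec/2008:10:15:01 -0500] "GET /cgi-bin/admin/login.pl'
    '?username=yyyy;passwd=xxxx;Login=+Log+In+ HTTP/1.1" 302 -',
    '10.0.0.5 - - [03/Dec/2008:10:15:02 -0500] "GET /cgi-bin/admin/menu.pl HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```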

Comment 9

9 years ago
There are some situations where it's more useful to show the redirecting URL and some situations where it's more useful to show the target of the redirect.  I think it's reasonable to show both, but if I had to pick one, I think I'd go with the target.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INVALID