Open
Bug 512709
Opened 16 years ago
Updated 11 months ago
firefox sends wrong http basic auth credentials
Categories
(Core :: Networking: HTTP, defect, P3)
UNCONFIRMED
People
(Reporter: guille.rodriguez, Unassigned)
Details
(Whiteboard: [necko-backlog])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Under certain circumstances Firefox seems to be sending the wrong set of http basic auth credentials. The problem happens in this scenario:
- First, the user successfully authenticates as userA/passA in order to access http://host/pathA, auth realm "realmA"
- Then, the user successfully authenticates as userB/passB in order to access http://host/pathB, auth realm "realmB"
- The document at http://host/pathB contains an html form that allows file uploads to pathB. If the user now tries to upload a file, Firefox will first try userA/passA (wrong), then upon receiving a 401 response from the server, Firefox will automatically retry the request, using userB/passB this time (right).
- The operation finally succeeds but the file has been transferred twice over the network.
Reproducible: Always
Steps to Reproduce:
1. User tries to access http://host/pathA
2. Server responds with 401, identifies realm as "realmA"
3. Firefox prompts for user/password. User enters userA/passA
4. Firefox sends the correct credentials, server sends back the document
5. User now tries to access http://host/pathB, which is configured for a different protection realm
6. Firefox preemptively sends userA/passA. This is correct as of RFC 2617
7. Server responds with 401, identifies realm as "realmB"
8. Firefox prompts for user/password. User enters userB/passB
9. Firefox sends the correct credentials, server sends back the document
10. The document at http://host/pathB contains an html form with a 'file upload' field. The target action for the form is "pathB". User selects a file and hits Upload.
Actual Results:
1. Firefox first tries to send the file by means of a POST request to http://host/pathB, but using the wrong credentials (userA/passA)
2. Server responds with 401, identifies realm as "realmB"
3. Firefox automatically retries with userB/passB
4. The operation completes successfully, but note that the file has been submitted TWICE over the network.
Expected Results:
1. Firefox tries to send the file by means of a POST request to http://host/pathB, using the right credentials (userB/passB)
Updated•16 years ago
Component: Security → Networking: HTTP
Product: Firefox → Core
QA Contact: firefox → networking.http
Please use an addon such as LiveHTTPHeaders and post the HTTP headers from this session. It will make debugging this much easier.
Comment 2•16 years ago (Reporter)
I am copying the HTTP headers for the session described above.
realmA = userA = passA = "1"
realmB = userB = passB = "2"
==========================================================
GET /pathA HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
HTTP/1.x 401 Unauthorized
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 298
WWW-Authenticate: Basic realm="1"
==========================================================
GET /pathA HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic MTox
HTTP/1.x 200 OK
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 378
==========================================================
GET /favicon.ico HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic MTox
HTTP/1.x 404 Object not found
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 42
Connection: Close
==========================================================
GET /pathB HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic MTox
HTTP/1.x 401 Unauthorized
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 298
WWW-Authenticate: Basic realm="2"
==========================================================
GET /favicon.ico HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic MTox
HTTP/1.x 404 Object not found
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 42
Connection: Close
==========================================================
GET /pathB HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic Mjoy
HTTP/1.x 200 OK
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 558
==========================================================
POST /pathB HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/pathB
Authorization: Basic MTox
Content-Type: multipart/form-data; boundary=---------------------------41184676334
Content-Length: 347
-----------------------------41184676334
Content-Disposition: form-data; name="file_name"; filename="text.txt"
Content-Type: text/plain
This is a test file for the uploading bug.
-----------------------------41184676334
Content-Disposition: form-data; name="command:upload_config"
Actualizar
-----------------------------41184676334--
HTTP/1.x 401 Unauthorized
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 298
WWW-Authenticate: Basic realm="2"
==========================================================
POST /pathB HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/pathB
Authorization: Basic Mjoy
Content-Type: multipart/form-data; boundary=---------------------------41184676334
Content-Length: 347
-----------------------------41184676334
Content-Disposition: form-data; name="file_name"; filename="text.txt"
Content-Type: text/plain
This is a test file for the uploading bug.
-----------------------------41184676334
Content-Disposition: form-data; name="command:upload_config"
Actualizar
-----------------------------41184676334--
HTTP/1.x 200 OK
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 618
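A check that can be run over a header capture like the one in comment 2, added here as an example (it is not part of the bug report and not Mozilla code). It flags requests that drew a 401 although different credentials had already been accepted for the same path, which is what separates the stale POST from the first, preemptive GET /pathB. The function name and the condensed capture are constructed for illustration.

```python
import base64
import re

# Condensed from the capture above: request line, Authorization, request
# Content-Length and status line only; every other header is dropped.
CAPTURE = """\
GET /pathA HTTP/1.1
Authorization: Basic MTox
HTTP/1.x 200 OK
=====
GET /pathB HTTP/1.1
Authorization: Basic MTox
HTTP/1.x 401 Unauthorized
=====
GET /pathB HTTP/1.1
Authorization: Basic Mjoy
HTTP/1.x 200 OK
=====
POST /pathB HTTP/1.1
Authorization: Basic MTox
Content-Length: 347
HTTP/1.x 401 Unauthorized
=====
POST /pathB HTTP/1.1
Authorization: Basic Mjoy
Content-Length: 347
HTTP/1.x 200 OK
"""

def stale_credential_requests(capture):
    """Requests answered 401 although other credentials were already accepted for that path."""
    accepted, findings = {}, []
    for block in filter(str.strip, re.split(r"^=+$", capture, flags=re.M)):
        lines = block.strip().splitlines()
        method, path = lines[0].split()[:2]
        end = next(i for i, l in enumerate(lines) if l.startswith("HTTP/"))
        req = dict(l.split(": ", 1) for l in lines[1:end] if ": " in l)
        status = int(lines[end].split()[1])
        auth = req.get("Authorization", "")
        # Decode the user name only; the password is never kept or printed.
        user = base64.b64decode(auth[6:]).decode().split(":", 1)[0] if auth.startswith("Basic ") else None
        if status == 401 and path in accepted and accepted[path] != user:
            findings.append({"method": method, "path": path, "sent_user": user,
                             "accepted_user": accepted[path], "rejected_body_bytes": int(req.get("Content-Length", 0))})
        elif 200 <= status < 300 and user is not None:
            accepted[path] = user
    return findings

if __name__ == "__main__":
    print(stale_credential_requests(CAPTURE))
```

The first GET /pathB with user "1" is not reported because no credentials had been accepted for that path yet; only the POST is, together with the 347 body bytes that went out with the rejected request.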
OK, thanks. Looks like a duplicate of Bug 137852 to me. Sadly this has been around for a long time.
Blocks: 61681
Comment 4•16 years ago (Reporter)
Not sure if this is exactly the same as bug 137852. Apparently both have to do with sending wrong auth credentials. However the issue I'm reporting has to do with auth credentials not being correctly associated with different URL subpaths, whereas bug 137852 doesn't seem to have anything to do with paths -- rather with caching. But I'm looking at this from a user's perspective only. Maybe the two issues are related internally.
Updated•10 years ago
Whiteboard: [necko-backlog]
Comment 5•8 years ago
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Comment 6•8 years ago
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3
Updated•3 years ago
Severity: normal → S3