Bug 509588

Summary: Passwords in printer URIs are shown to normal users.
Product: [Fedora] Fedora
Reporter: Bruno Wolff III <bruno>
Component: system-config-printer
Assignee: Tim Waugh <twaugh>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 11
CC: jpopelka, twaugh
Hardware: All   
OS: Linux   
Fixed In Version: 1.1.13-3.fc11
Doc Type: Bug Fix
Last Closed: 2009-10-09 03:33:21 UTC
Bug Blocks: 516998

Description Bruno Wolff III 2009-07-03 19:33:54 UTC
Description of problem:
A normal user can use system-config-printer to see what password is used to connect to a network printer. This should be restricted to admin type access (root or policy kit equivalent).

Version-Release number of selected component (if applicable):
system-config-printer-1.1.8-3.fc11.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Set up a connection to a Windows printer using authentication
2. As a normal user run system-config-printer and look at the printer properties.

Comment 1 Tim Waugh 2009-07-06 11:00:56 UTC
I don't see this here.  CUPS "sanitises" device URIs before handing them to system-config-printer, so if there is information leakage it is a CUPS bug.

Can you please explain how to reproduce what you're seeing, step-by-step?  Thanks.

Comment 2 Bruno Wolff III 2009-07-08 19:33:18 UTC
I found I was doing something that's possibly off the beaten path.
An update last week broke DNS for some apps and I didn't notice the true problem right away. The first thing I noticed was that printing was broken. While trying to work on this I ended up selecting "Set authentication details now" instead of "Prompt user if authentication is required". Trying out the latter again results in a displayed URI without the password. But when I change the setup again using the former, the password does show up in the URI.
Is that enough information for you to duplicate the issue?

Comment 3 Tim Waugh 2009-07-10 15:51:21 UTC
Sorry, I still can't reproduce it from this.  Please tell me which buttons to click, and in which order.. ;-)

Comment 4 Bruno Wolff III 2009-07-10 16:44:28 UTC
First I go to System -> Administration -> Printing from the menu. (I have my system and normal menus combined on the panel.)
Then I double click on the icon for the one printer I have configured that is handled by a Windows server using smb.
Then I hit the higher of the two change buttons. This one is in line with the Device URI information.
Then I select the Set authentication now radio button.
Then I enter my user name with 'ad/' as part of the username and password needed to access that printer.
Then I hit verify.
Then I hit apply.
Then I observe my password is shown.

While testing this I discovered that if I don't include 'ad/' the verify still works, but the password isn't shown. If I use 'ad\' then the password also isn't shown but verifies. I also don't need to hit the verify button, so it looks like this is testable even without an smb printer being available.

Example output from the device URI (with a bogus password):
smb://ad/bruno:fhthrthyhn.uwm.edu/bol225b_PS

Comment 5 Tim Waugh 2009-07-10 17:11:36 UTC
Ah, OK, I see it now.  Thanks.

Fix committed upstream.  Work-around is to use the CUPS web interface (or lpadmin) to alter the device URI by changing "/" in the username section to "%2F".
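
A model of the failure discussed in comments 4 and 5, as an added example (not code from CUPS or system-config-printer): it assumes a sanitizer that treats everything before the first "/" as the URI authority, which reproduces the behaviour reported above, and shows why percent-encoding the userinfo lets the password be stripped. The host, share, password and all function names are constructed for illustration.

```python
from urllib.parse import quote

def build_smb_uri(user, password, host, share):
    """Build a device URI with every reserved character in the userinfo
    percent-encoded (safe="" also encodes "/", ":" and "@")."""
    userinfo = quote(user, safe="") + ":" + quote(password, safe="")
    return "smb://%s@%s/%s" % (userinfo, host, quote(share, safe=""))

def naive_sanitize(uri):
    """Assumed sanitizer model: the authority ends at the first "/", and
    credentials are stripped only if "@" is found inside that authority."""
    scheme, rest = uri.split("://", 1)
    authority, sep, path = rest.partition("/")
    if "@" in authority:
        authority = authority.rsplit("@", 1)[1]
    return scheme + "://" + authority + sep + path

def userinfo_has_raw_slash(uri):
    """Heuristic audit check: an "@" that appears after the first "/" suggests
    userinfo containing an unencoded "/" (an "@" in the path also matches)."""
    rest = uri.split("://", 1)[1]
    at, slash = rest.find("@"), rest.find("/")
    return at != -1 and slash != -1 and slash < at

# Constructed sample values, not taken from the bug report.
HOST, SHARE, PASSWORD = "printsrv.example.com", "queue1", "s3cret"
RAW_URI = "smb://ad/bruno:%s@%s/%s" % (PASSWORD, HOST, SHARE)
ENCODED_URI = build_smb_uri("ad/bruno", PASSWORD, HOST, SHARE)

if __name__ == "__main__":
    for uri in (RAW_URI, ENCODED_URI):
        shown = naive_sanitize(uri)
        print("%-55s -> %-40s leaked=%s flagged=%s" % (
            uri, shown, PASSWORD in shown, userinfo_has_raw_slash(uri)))
```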

Comment 6 Fedora Update System 2009-07-28 11:59:16 UTC
system-config-printer-1.1.10-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/system-config-printer-1.1.10-1.fc11

Comment 7 Fedora Update System 2009-07-29 21:33:01 UTC
system-config-printer-1.1.10-1.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update system-config-printer'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8108

Comment 8 Fedora Update System 2009-08-08 19:24:43 UTC
system-config-printer-1.1.11-1.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2009-08-27 22:53:00 UTC
system-config-printer-1.1.12-4.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2009-08-31 23:34:32 UTC
system-config-printer-1.1.12-6.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2009-09-06 20:45:48 UTC
system-config-printer-1.1.12-8.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2009-09-15 07:49:02 UTC
system-config-printer-1.1.13-1.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2009-09-24 05:08:04 UTC
system-config-printer-1.1.13-2.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2009-10-03 19:09:46 UTC
system-config-printer-1.1.13-3.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2009-10-09 03:32:00 UTC
system-config-printer-1.1.13-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.