Bug 462392 - confirmation dialog for suspect URLs using basic authentication uses login name instead of hostname
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: firefox
Version: 10
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Christopher Aillon
QA Contact: Fedora Extras Quality Assurance
URL: http://mybank:com@www.mozilla.com/en-US/
Reported: 2008-09-15 17:07 EDT by Jonathan Wakely
Modified: 2018-04-11 14:39 EDT
Last Closed: 2009-11-20 05:44:40 EST
External Trackers
Mozilla Foundation 449303
Launchpad 271933

Description Jonathan Wakely 2008-09-15 17:07:06 EDT
I originally reported this upstream as
https://bugzilla.mozilla.org/show_bug.cgi?id=449303
but it appears to be Fedora-specific.

There are screenshots attached to the upstream bug showing the behaviour I get.

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1

If you go to a URL with a basic auth username and password embedded in it, the
confirmation dialog asks if "mybank" is the site I want to visit, where
"mybank" is the username.  If I do want to go to my bank I will click yes, and
be taken to the phishing site.
I believe the dialog should say 'is "www.mozilla.com" the site you want to
visit?' instead, since that's the site the URL goes to.

Reproducible: Always

Steps to Reproduce:
1. click on http://mybank:com@www.mozilla.com/en-US/
2. click yes, thinking you're going to your bank account
Actual Results:  
dialog says:
You are about to log in to the site "www.mozilla.com" with the user name
"mybank", but the web site does not require authentication. This may be an
attempt to trick you.

Is "mybank" the site you want to visit?

Expected Results:  
dialog says:
You are about to log in to the site "www.mozilla.com" with the user name
"mybank", but the web site does not require authentication. This may be an
attempt to trick you.

Is "www.mozilla.com" the site you want to visit?
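
The behaviour the report asks for, as an added example that is not part of the original report and is not Firefox code: parse the URL, take the host from the authority rather than from the userinfo, and name that host in the closing question. The function names and the sample text are assumptions made for illustration; the prompt wording is copied from "Expected Results" above.

```javascript
// Added example (not Firefox code). Uses the WHATWG URL class, which is a
// global in browsers and in Node.js.

// Decode percent-escapes for display; keep the raw text if they are malformed.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Split a URL into the parts the confirmation dialog has to name.
function describeAuthUrl(raw) {
  const url = new URL(raw); // throws TypeError if raw is not an absolute URL
  return {
    host: url.hostname,                  // where the request is actually sent
    username: safeDecode(url.username),  // userinfo before the first ':'
    hasCredentials: url.username !== "" || url.password !== "",
  };
}

// Build the prompt from the report's "Expected Results": the closing question
// names the host, never the user name. Returns null when there is no userinfo.
function confirmationPrompt(raw) {
  const { host, username, hasCredentials } = describeAuthUrl(raw);
  if (!hasCredentials) return null;
  return `You are about to log in to the site "${host}" with the user name ` +
    `"${username}", but the web site does not require authentication. ` +
    `This may be an attempt to trick you.\n\n` +
    `Is "${host}" the site you want to visit?`;
}

// Scan free text (for example a mail body) and report every http(s) link that
// carries userinfo, together with the host it really leads to.
function findCredentialUrls(text) {
  const hits = [];
  for (const m of text.match(/https?:\/\/[^\s<>"']+/g) || []) {
    try {
      const d = describeAuthUrl(m);
      if (d.hasCredentials) hits.push({ link: m, host: d.host, username: d.username });
    } catch (e) { /* not a parsable URL: ignore */ }
  }
  return hits;
}

// Constructed sample input: the URL from this report plus a plain link.
const SAMPLE = "See http://mybank:com@www.mozilla.com/en-US/ or http://www.mozilla.com/en-US/";
console.log(confirmationPrompt("http://mybank:com@www.mozilla.com/en-US/"));
console.log(findCredentialUrls(SAMPLE));
```
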
Comment 1 Jonathan Wakely 2008-09-17 08:56:12 EDT
The attachment I added to the upstream bug is https://bugzilla.mozilla.org/attachment.cgi?id=332813
Comment 2 Anders Kaseorg 2008-09-18 18:58:32 EDT
I also see this on Ubuntu intrepid amd64, but upstream says it isn’t their fault:

https://bugs.launchpad.net/fedora/+source/firefox/+bug/271933
https://bugzilla.mozilla.org/show_bug.cgi?id=455935
Comment 3 Jonathan Wakely 2008-12-20 20:28:06 EST
Still present in firefox-3.0.4-1.fc10.x86_64

(and in ubuntu's 3.0.3 apparently)
Comment 4 Matěj Cepl 2008-12-22 06:25:37 EST
If you download an upstream binary from http://www.mozilla.com/en-US/ are you able to reproduce this? If yes, then it is conclusively an upstream issue.
Comment 5 Jonathan Wakely 2008-12-22 18:39:24 EST
works correctly with upstream build
Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-GB; rv:1.9.0.5) Gecko/2008120121 Firefox/3.0.5
Comment 6 Jonathan Wakely 2008-12-22 18:48:56 EST
still wrong with latest fedora build
Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.0.5) Gecko/2008121622 Fedora/3.0.5-1.fc10 Firefox/3.0.5
Comment 7 Bug Zapper 2009-06-09 22:43:34 EDT
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 8 Bug Zapper 2009-11-18 03:23:37 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 9 Jonathan Wakely 2009-11-18 19:59:32 EST
The problem is no longer present with firefox-3.5.5-1.fc11.x86_64
Comment 10 Matěj Cepl 2009-11-20 05:44:40 EST
Thank you for letting us know.
