Closed Bug 186695 Opened 22 years ago Closed 20 years ago

[FIX]FTP/HTTP password printed as part of URL

Categories

(Core :: Printing: Output, defect, P1)

Product:
Core
Component:
Printing: Output
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta2

People

(Reporter: mozilla, Assigned: bzbarsky)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Simple fix
(deleted), patch
jst
: review+
darin.moz
: superreview+
Details | Diff | Splinter Review
When a password-protected FTP or HTTP resource is accessed via ftp://user:password@host/ method, and then printed, the password is printed as part of the URL. This creates a security risk, as the user does not notice that his or her password is printed along with the page, and may share or submit the hardcopy (with the password) to an untrusted third party. Steps to reproduce: 1. Go to a ftp://user:password@host/dir/file URL. 2. Print the file (or do a print preview). 3. See the password in the printed page. Expected results: Password is masked or removed entirely. Actual results: Secret password revealed in printed material.
Bug 88771 and bug 130327 are related.
nsbeta1+ -> jkeiser
Assignee: rods → jkeiser
Keywords: nsbeta1+
Priority: -- → P1
Target Milestone: --- → mozilla1.4alpha
Can someone point me to the code which deals with putting the URL on the printed page?
Confirming in 1.4.1/1.5 release versions / win32.
Blocks: 223270
Blocks: 233340
No longer blocks: 223270
This bug seems still be present in Mozilla Firefox 1.0 Win
*** Bug 278513 has been marked as a duplicate of this bug. ***
Blocks: 232560
Bug 280438 is similar and is blocking aviary1.1
Flags: blocking1.8b?
Flags: blocking-aviary1.1?
(In reply to comment #6) > http://lxr.mozilla.org/mozilla/source/layout/printing/nsPrintEngine.cpp#2077 Alternatively, we can fix two implementations of them. Are ftp and http(s) the only schemes we have to worry about?
too late for 1.8b1, but we should get this for 1.8b2.
Flags: blocking1.8b?
Flags: blocking1.8b2+
Flags: blocking1.8b-
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.1+
it seems that there are 3 situations. if u put the username and password in the address bar, the username and password shows up at the top of the printed page. if u only put the username in the address bar and fill in the alert box with ur password, only ur username appears on the printed page. if u put neither in the address bar and fill in the alert box with both, neither appear at the top of the printed page. so its not putting ur username and password at the top.. per se. its just putting whatever u put in the address bar. temporary fix, dont put ur username and password in the address bar. just fill in the alert box.
Attached patch Simple fix (deleted) — Splinter Review
Assignee: john → bzbarsky
Status: NEW → ASSIGNED
Attachment #177401 - Flags: superreview?(darin)
Attachment #177401 - Flags: review?(jst)
Summary: FTP/HTTP password printed as part of URL → [FIX]FTP/HTTP password printed as part of URL
Target Milestone: mozilla1.4alpha → mozilla1.8beta2
Attachment #177401 - Flags: superreview?(darin) → superreview+
Comment on attachment 177401 [details] [diff] [review] Simple fix r=jst
Attachment #177401 - Flags: review?(jst) → review+
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
*** Bug 292876 has been marked as a duplicate of this bug. ***
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: