Henrik Skupin [:whimboo][⌚️UTC+2] Reporter
	Description • 17 years ago

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b3pre) Gecko/2007122604 Minefield/3.0b3pre ID:2007122604

If you have a website which is protected by http auth and you have saved the username/access you can run in trouble when canceling the master password and http auth dialog multiple times. Firefox doesn't let you close the master password dialog and you have to kill the application.

I found this issue while playing around with bug 385239. Following steps are needed to reproduce this issue:

1. Set master password dialog
2. Open website: http://devel.hskupin.info/
3. Enter username: m and password: p to login
4. Save the password
5. Restart Firefox
6. Open the same website again
7. Hit cancel when master password dialog appears
8. Hit cancel again for http auth dialog

Now the master password dialog comes up multiple times which depends on how many images are referenced within the error document. Afterwards you cannot cancel the dialog and even the correct password is not accepted. After several unsuccessful tries the buttons don't react anymore and even Cmd+Q or Alt+F4 don't work. Sometimes the cpu load goes high to nearly 100% but currently I cannot reproduce it. The only way to close Firefox is to kill the process by using the task manager.

I'm able to reproduce it on OS X and WinXP. As Justin told on IRC last night I filed it as a new bug.

	Justin Dolske [:Dolske]
	Comment 1 • 17 years ago

Whatever is going wrong here seems to be some kind of interaction between the prompts for the master password and for the HTTP auth.

If I initially enter the MP (instead of canceling), I get a pile of HTTP auth prompts (instead of MP prompts). However, after clicking Cancel on all of them the browser is back to normal. Checking in gdb: the stack is ~670 frames deep while clicking Cancel (it doesn't drop with the number of canceled dialogs), and then the last dialog is canceled the stack drops to a much more normal 13 frame depth. So, other than there being too many prompts things are working fine.

[Side note: Are we showing the most recent dialog on top? Seems like the stack depth should be progressively decreasing. Maybe we're showing the oldest dialog on top, so until the last one finishes the stack can't collapse? Perhaps that's on purpose to avoid potential deadlocks?]

If I run the testcase as described in comment 0 (IE, I cancel the initial MP and HTTP auth prompts), I do get a hang, of sorts, after a varying number of clicks. I can type in the PW field and click the buttons, but the dialog seems to ignore them, clicking cancel won't dismiss the dialog. [We still seem to be running the event queue, and I can see the throbber running during all of this.]

Although the number of Cancel clicks to reach this state varies, what always happens is that the previous click was the first to actually give a result to the password manager... It logs a message about failing to decrypt a string (because it needed the MP), and throws an "User canceled Master Password entry" (which is normal). Clicking in the MP dialog remaining then fails as above.

When the password manager sees that the MP entry failed, it then displays the HTTP auth prompt (without a user/pass filled in). I never see that on the screen, but I can see from the attached stack that it happened...

Frame 97 started processing an event, an HTTP load that needs auth, and we end up prompting for the master password (PK11PasswordPrompt, frame 51)

Frame 43 then started processing an event, an HTTP load that needs auth, and although it's murky because of the JS involved, the call to nsPromptService::PromptUsernameAndPassword at frame 20 indicates it's the password manager doing the HTTP Auth prompt after the MP entry failed.

Frame 14 then starts processing an event, but now things are stuck as described above.

I'm not really sure what this all means, though, or how to fix it.

	Henrik Skupin [:whimboo][⌚️UTC+2] Reporter
	Comment 2 • 17 years ago

I forgot to mention that on WinXP you will prompted by the http auth dialog between the subsequent master password prompts. This dialogs I cannot see on OS X. What causes this different behavior? Even after you have canceled all dialogs the whole window starts to flicker with a high frequency on WinXP.

	Barbara Lawson
	Comment 3 • 16 years ago

I am using MacOS 10.4 and Firefox 3.  I have the problem of firefox freezing if I start foxfire and walk away from the computer.  It Firefox asks me for the master password repeatedly (which I have not entered) then stops responding.  I have to then force quit and restart firefox 3 staying at my computer to login to my master password right away.  Then firefox runs as it should.

	Henrik Skupin [:whimboo][⌚️UTC+2] Reporter
	Comment 4 • 16 years ago

Is there something possible for Firefox 3.1?

	Barbara Lawson
	Comment 5 • 16 years ago

I sure wish someone would fix this.  I am worried about my security in that the only fix I have come across is using no master password.  Which makes all of my password vulnerable.  I view this as a critical bug and, as I am not a programmer, I would not be able to come up with any fix.

bobbie

	Henrik Skupin [:whimboo][⌚️UTC+2] Reporter
	Comment 6 • 16 years ago

Today I was beaten by the same issue while leaving the Private Browsing mode. Doing that action you will get re-ask for your master password. Canceling this dialog and having some tabs open which require http auth (intranet wiki) completely hangs-up my session. I had to kill the process via the activity manager. There is no way to get rid of the mpw dialog.

	Matthew N. [:MattN]
	Comment 7 • 7 years ago

Hey Henrik, any chance you want to check if this is still a problem? This bug hasn't seen activity for a long time.

	Henrik Skupin [:whimboo][⌚️UTC+2] Reporter
	Comment 8 • 7 years ago

No, this seems to work fine nowadays (I don't have the original secured subdomain anymore). Once canceled the master password dialog the HTTP auth dialog comes up. It's not shown in parallel anymore, and both only once.