Issue 106732

Summary: Security: Passwordcontainer URL matching broken
Product: General
Reporter: kai.sommerfeld
Component: code
Assignee: thorsten.martens
Status: CLOSED FIXED
QA Contact: issues@framework <issues>
Severity: Trivial
Priority: P3
CC: issues, thorsten.martens
Version: OOO320m4
Target Milestone: OOo 3.2
Hardware: All
OS: All
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---
Issue Depends on:
Issue Blocks: 99999

Description kai.sommerfeld 2009-11-09 13:03:39 UTC
0) You need access to two http resources with different connection endpoints,
e.g. host1 and host2
1) Activate usage of OOo file dialogs (-> Tools/Options/OOo/General)
2) File->Open => Enter 'http://host1/path1' 
==> Password dialog appears => enter credentials => enter => file gets
loaded/webdav directory listing appears in file picker => close file/file dialog
3) File->Open => Enter 'http://host2/path2'
==> Bug: Password dialog appears, prefilled with credentials for host1! Password
and username fields should be empty.

===> This is a security issue, because OOo automatically sends credentials for
host1 to host2(!) before(!) displaying the login dialog with the "wrong"
credentials! User has no chance to prevent this.  

This worked okay in OOo 3.1.
Comment 1 kai.sommerfeld 2009-11-09 13:09:59 UTC
CC'ed tm.
Comment 2 thorsten.martens 2009-11-09 14:03:13 UTC
Target adjusted
Comment 3 kai.sommerfeld 2009-11-09 14:55:53 UTC
Fixed in CWS fwk125.
Comment 4 kai.sommerfeld 2009-11-10 16:18:34 UTC
tm: Please verify the fix.
Comment 5 thorsten.martens 2009-11-16 12:26:53 UTC
checked and verified in cws fwk125 -> OK
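
The reproduction steps in the description can be turned into a regression check for any credential store that matches saved logins by URL. The sketch below is an added example, not OOo's password container code or the fwk125 fix. The `CredentialStore` class, its method names, the sample credentials and the rule that a saved login also covers sub-paths of the saved URL are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_and_path(url):
    """Split a URL into its (scheme, host, port) origin and its path segments."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    segments = [s for s in parts.path.split("/") if s]
    return (scheme, host, port), segments

class CredentialStore:
    """Hypothetical in-memory store (assumption; not the OOo implementation)."""

    def __init__(self):
        self._entries = []  # (origin, path_segments, username, password)

    def remember(self, url, username, password):
        origin, segments = origin_and_path(url)
        self._entries.append((origin, segments, username, password))

    def lookup(self, url):
        """Return (username, password) only for an entry on the same origin
        whose path is a whole-segment prefix of the requested path."""
        origin, segments = origin_and_path(url)
        best = None
        for e_origin, e_segments, user, password in self._entries:
            if e_origin != origin:
                continue  # never hand credentials to a different endpoint
            if segments[:len(e_segments)] != e_segments:
                continue  # compare segments, so 'path10' does not match 'path1'
            if best is None or len(e_segments) > len(best[0]):
                best = (e_segments, user, password)
        return None if best is None else (best[1], best[2])

def replay_report_steps():
    """Steps 2) and 3) of the report, plus near-miss URLs (constructed data)."""
    store = CredentialStore()
    store.remember("http://host1/path1", "alice", "constructed-secret")
    return {
        "same_resource": store.lookup("http://host1/path1/doc.odt"),
        "other_host": store.lookup("http://host2/path2"),
        "lookalike_host": store.lookup("http://host1.example/path1"),
        "other_port": store.lookup("http://host1:8080/path1"),
        "sibling_path": store.lookup("http://host1/path10"),
    }
```

A `None` result is the case where the login dialog should open empty and no stored credentials should be sent with the request.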