Issue 106732 - Security: Passwordcontainer URL matching broken
Summary: Security: Passwordcontainer URL matching broken
Alias: None
Product: General
Classification: Code
Component: code (show other issues)
Version: OOO320m4
Hardware: All All
: P3 Trivial (vote)
Target Milestone: OOo 3.2
Assignee: thorsten.martens
QA Contact: issues@framework
Depends on:
Blocks: 99999
  Show dependency tree
Reported: 2009-11-09 13:03 UTC by kai.sommerfeld
Modified: 2017-05-20 10:28 UTC (History)
2 users (show)

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---


Note You need to log in before you can comment on or make changes to this issue.
Description kai.sommerfeld 2009-11-09 13:03:39 UTC
0) you need access to two http resources with different connection endpoints,
e.g. host1 and host2
1) Activate usage of OOo file dialogs (-> Tools/Options/OOo/General)
2) File->Open => Enter 'http://host1/path1' 
==> Password dialog appears => enter credentials => enter => file gets
loaded/webdav directory listing appears in file picker => close file/file dialog
3) File->Open => Enter 'http://host2/path2'
==> Bug: Password dialog appears, prefilles with credentials for host1! password
and username field should be empty.

===> This is a security issue, because OOo automatically sends credentials for
host1 to host2(!) before(!) displaying the login dialog with the "wrong"
credentials! User has no chance to prevent this.  

This worked okay in OOo 3.1.
Comment 1 kai.sommerfeld 2009-11-09 13:09:59 UTC
CC'ed tm.
Comment 2 thorsten.martens 2009-11-09 14:03:13 UTC
Target adjusted
Comment 3 kai.sommerfeld 2009-11-09 14:55:53 UTC
Fixed in CWS fwk125.
Comment 4 kai.sommerfeld 2009-11-10 16:18:34 UTC
tm: Please verify the fix.
Comment 5 thorsten.martens 2009-11-16 12:26:53 UTC
checked and verified in cws fwk125 -> OK