Issue 106732 - Security: Passwordcontainer URL matching broken
Status: CLOSED FIXED
Alias: None
Product: General
Classification: Code
Component: code
Version: OOO320m4
Hardware: All All
Importance: P3 Trivial
Target Milestone: OOo 3.2
Assignee: thorsten.martens
QA Contact: issues@framework
URL:
Keywords:
Depends on:
Blocks: 99999
Reported: 2009-11-09 13:03 UTC by kai.sommerfeld
Modified: 2017-05-20 10:28 UTC

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---


Description kai.sommerfeld 2009-11-09 13:03:39 UTC
0) you need access to two http resources with different connection endpoints,
e.g. host1 and host2
1) Activate usage of OOo file dialogs (-> Tools/Options/OOo/General)
2) File->Open => Enter 'http://host1/path1' 
==> Password dialog appears => enter credentials => enter => file gets
loaded/webdav directory listing appears in file picker => close file/file dialog
3) File->Open => Enter 'http://host2/path2'
==> Bug: Password dialog appears, prefilled with credentials for host1! Password
and username fields should be empty.

===> This is a security issue, because OOo automatically sends credentials for
host1 to host2(!) before(!) displaying the login dialog with the "wrong"
credentials! User has no chance to prevent this.  

This worked okay in OOo 3.1.
Comment 1 kai.sommerfeld 2009-11-09 13:09:59 UTC
CC'ed tm.
Comment 2 thorsten.martens 2009-11-09 14:03:13 UTC
Target adjusted
Comment 3 kai.sommerfeld 2009-11-09 14:55:53 UTC
Fixed in CWS fwk125.
Comment 4 kai.sommerfeld 2009-11-10 16:18:34 UTC
tm: Please verify the fix.
Comment 5 thorsten.martens 2009-11-16 12:26:53 UTC
checked and verified in cws fwk125 -> OK