Bug 452781 - Allow specifying wildcard that matches all simple netbiosnames in network.automatic-ntlm-auth.trusted-uris, r=honzab
parent
06d5399c24
commit
6dd85517c5
@ -70,6 +70,7 @@
|
||||
#include "prprf.h"
|
||||
#include "prlog.h"
|
||||
#include "prmem.h"
|
||||
#include "prnetdb.h"
|
||||
|
||||
//-----------------------------------------------------------------------------
|
||||
|
||||
@ -77,6 +78,7 @@ static const char kNegotiate[] = "Negotiate";
|
||||
static const char kNegotiateAuthTrustedURIs[] = "network.negotiate-auth.trusted-uris";
|
||||
static const char kNegotiateAuthDelegationURIs[] = "network.negotiate-auth.delegation-uris";
|
||||
static const char kNegotiateAuthAllowProxies[] = "network.negotiate-auth.allow-proxies";
|
||||
static const char kNegotiateAuthAllowNonFqdn[] = "network.negotiate-auth.allow-non-fqdn";
|
||||
static const char kNegotiateAuthSSPI[] = "network.auth.use-sspi";
|
||||
|
||||
#define kNegotiateLen (sizeof(kNegotiate)-1)
|
||||
@ -143,7 +145,8 @@ nsHttpNegotiateAuth::ChallengeReceived(nsIHttpAuthenticableChannel *authChannel,
|
||||
proxyInfo->GetHost(service);
|
||||
}
|
||||
else {
|
||||
bool allowed = TestPref(uri, kNegotiateAuthTrustedURIs);
|
||||
bool allowed = TestNonFqdn(uri) ||
|
||||
TestPref(uri, kNegotiateAuthTrustedURIs);
|
||||
if (!allowed) {
|
||||
LOG(("nsHttpNegotiateAuth::ChallengeReceived URI blocked\n"));
|
||||
return NS_ERROR_ABORT;
|
||||
@ -331,6 +334,23 @@ nsHttpNegotiateAuth::TestBoolPref(const char *pref)
|
||||
return val;
|
||||
}
|
||||
|
||||
bool
|
||||
nsHttpNegotiateAuth::TestNonFqdn(nsIURI *uri)
|
||||
{
|
||||
nsCAutoString host;
|
||||
PRNetAddr addr;
|
||||
|
||||
if (!TestBoolPref(kNegotiateAuthAllowNonFqdn))
|
||||
return false;
|
||||
|
||||
if (NS_FAILED(uri->GetAsciiHost(host)))
|
||||
return false;
|
||||
|
||||
// return true if host does not contain a dot and is not an ip address
|
||||
return !host.IsEmpty() && host.FindChar('.') == kNotFound &&
|
||||
PR_StringToNetAddr(host.BeginReading(), &addr) != PR_SUCCESS;
|
||||
}
|
||||
|
||||
bool
|
||||
nsHttpNegotiateAuth::TestPref(nsIURI *uri, const char *pref)
|
||||
{
|
||||
|
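Review bot: TestNonFqdn classifies a host by spelling alone (no dot, not an IP literal), and nothing in its comment or at the `TestNonFqdn(uri) || TestPref(...)` call in ChallengeReceived records that a match skips network.negotiate-auth.trusted-uris entirely. A dotless name can still be resolved through search suffixes or local name services, so the pref is only as safe as name resolution on the network in use. I would state that above the return, e.g. `// Syntax-only test: says nothing about where the name resolves; enable allow-non-fqdn only where single-label name resolution is trusted.` The same body appears again as IsNonFqdn in the NTLM handler later in this commit, so a shared helper would stop the two checks drifting apart. ChallengeReceived starts and ends outside the hunk.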
@ -58,6 +58,9 @@ private:
|
||||
// returns the value of the given boolean pref
|
||||
bool TestBoolPref(const char *pref);
|
||||
|
||||
// tests if the host part of an uri is fully qualified
|
||||
bool TestNonFqdn(nsIURI *uri);
|
||||
|
||||
// returns true if URI is accepted by the list of hosts in the pref
|
||||
bool TestPref(nsIURI *, const char *pref);
|
||||
|
||||
|
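Review bot: The comment added above `TestNonFqdn` says the opposite of what the function does. As implemented in this commit, it returns true when the host is not fully qualified, and only when the allow-non-fqdn pref is set. Since the result grants authentication, the inverted wording is likely to mislead the next reader of the header. Suggested replacement: `// returns true if the allow-non-fqdn pref is set and the URI's host is a single-label name (no dot, not an IP address)`.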
@ -1036,6 +1036,9 @@ pref("network.negotiate-auth.trusted-uris", "");
|
||||
// This list controls which URIs can support delegation.
|
||||
pref("network.negotiate-auth.delegation-uris", "");
|
||||
|
||||
// Do not allow SPNEGO by default when challenged by a local server.
|
||||
pref("network.negotiate-auth.allow-non-fqdn", false);
|
||||
|
||||
// Allow SPNEGO by default when challenged by a proxy server.
|
||||
pref("network.negotiate-auth.allow-proxies", true);
|
||||
|
||||
@ -1066,6 +1069,7 @@ pref("network.auth.force-generic-ntlm", false);
|
||||
// Window's domain logon. The trusted-uris pref follows the format of the
|
||||
// trusted-uris pref for negotiate authentication.
|
||||
pref("network.automatic-ntlm-auth.allow-proxies", true);
|
||||
pref("network.automatic-ntlm-auth.allow-non-fqdn", false);
|
||||
pref("network.automatic-ntlm-auth.trusted-uris", "");
|
||||
|
||||
// This preference controls whether or not the LM hash will be included in
|
||||
|
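Review bot: `network.automatic-ntlm-auth.allow-non-fqdn` is added with no comment of its own, placed inside a block whose comment describes the trusted-uris format. The comment on the negotiate pref speaks of a "local server", although the code tests only for a dotless host name. Both prefs let a single-label host receive authentication without appearing in trusted-uris, which an administrator should be able to read from the prefs file. Suggested comment for the NTLM pref: `// Allow automatic NTLM logon to hosts named without a dot, without consulting trusted-uris. Off by default.` For the negotiate pref I would reword to `// Do not allow SPNEGO by default for hosts named without a dot (non-FQDN).`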
@ -45,6 +45,7 @@
|
||||
#include "nsIAuthModule.h"
|
||||
#include "nsCOMPtr.h"
|
||||
#include "plbase64.h"
|
||||
#include "prnetdb.h"
|
||||
|
||||
//-----------------------------------------------------------------------------
|
||||
|
||||
@ -58,6 +59,7 @@
|
||||
#include "nsISSLStatusProvider.h"
|
||||
|
||||
static const char kAllowProxies[] = "network.automatic-ntlm-auth.allow-proxies";
|
||||
static const char kAllowNonFqdn[] = "network.automatic-ntlm-auth.allow-non-fqdn";
|
||||
static const char kTrustedURIs[] = "network.automatic-ntlm-auth.trusted-uris";
|
||||
static const char kForceGeneric[] = "network.auth.force-generic-ntlm";
|
||||
|
||||
@ -121,6 +123,20 @@ MatchesBaseURI(const nsCSubstring &matchScheme,
|
||||
return false;
|
||||
}
|
||||
|
||||
static bool
|
||||
IsNonFqdn(nsIURI *uri)
|
||||
{
|
||||
nsCAutoString host;
|
||||
PRNetAddr addr;
|
||||
|
||||
if (NS_FAILED(uri->GetAsciiHost(host)))
|
||||
return false;
|
||||
|
||||
// return true if host does not contain a dot and is not an ip address
|
||||
return !host.IsEmpty() && host.FindChar('.') == kNotFound &&
|
||||
PR_StringToNetAddr(host.BeginReading(), &addr) != PR_SUCCESS;
|
||||
}
|
||||
|
||||
static bool
|
||||
TestPref(nsIURI *uri, const char *pref)
|
||||
{
|
||||
@ -210,6 +226,15 @@ CanUseDefaultCredentials(nsIHttpAuthenticableChannel *channel,
|
||||
|
||||
nsCOMPtr<nsIURI> uri;
|
||||
channel->GetURI(getter_AddRefs(uri));
|
||||
|
||||
bool allowNonFqdn;
|
||||
if (NS_FAILED(prefs->GetBoolPref(kAllowNonFqdn, &allowNonFqdn)))
|
||||
allowNonFqdn = false;
|
||||
if (allowNonFqdn && uri && IsNonFqdn(uri)) {
|
||||
LOG(("Host is non-fqdn, default credentials are allowed\n"));
|
||||
return true;
|
||||
}
|
||||
|
||||
bool isTrustedHost = (uri && TestPref(uri, kTrustedURIs));
|
||||
LOG(("Default credentials allowed for host: %d\n", isTrustedHost));
|
||||
return isTrustedHost;
|
||||
|
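Review bot: In CanUseDefaultCredentials the new `return true` for a non-FQDN host runs before `TestPref(uri, kTrustedURIs)`, so any restrictions the trusted-uris match applies are not applied on this path. MatchesBaseURI takes a `matchScheme`, which suggests the list can restrict by scheme; if so, a single-label host reached over plain http would be handed default credentials as well. If that is intended, say so at the branch, e.g. `// Non-FQDN hosts bypass trusted-uris entirely, including any scheme restriction an entry there would impose.` If it is not intended, the branch needs a scheme check of its own. The function starts and ends outside the hunk, so the callers and the proxy path are not visible here.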