Bug 452781 - Allow specifying wildcard that matches all simple netbiosnames in network.automatic-ntlm-auth.trusted-uris, r=honzab

2024-10-09 19:35:51 +00:00 · 2012-02-17 16:24:31 +01:00 · 2012-02-17 16:24:31 +01:00 · 6dd85517c5
commit 6dd85517c5
parent 06d5399c24
4 changed files with 53 additions and 1 deletions
--- a/extensions/auth/nsHttpNegotiateAuth.cpp
+++ b/extensions/auth/nsHttpNegotiateAuth.cpp
@ -70,6 +70,7 @@
 #include "prprf.h"
 #include "prlog.h"
 #include "prmem.h"
+#include "prnetdb.h"

 //-----------------------------------------------------------------------------

@ -77,6 +78,7 @@ static const char kNegotiate[] = "Negotiate";
 static const char kNegotiateAuthTrustedURIs[] = "network.negotiate-auth.trusted-uris";
 static const char kNegotiateAuthDelegationURIs[] = "network.negotiate-auth.delegation-uris";
 static const char kNegotiateAuthAllowProxies[] = "network.negotiate-auth.allow-proxies";
+static const char kNegotiateAuthAllowNonFqdn[] = "network.negotiate-auth.allow-non-fqdn";
 static const char kNegotiateAuthSSPI[] = "network.auth.use-sspi";

 #define kNegotiateLen  (sizeof(kNegotiate)-1)
@ -143,7 +145,8 @@ nsHttpNegotiateAuth::ChallengeReceived(nsIHttpAuthenticableChannel *authChannel,
        proxyInfo->GetHost(service);
    }
    else {
-        bool allowed = TestPref(uri, kNegotiateAuthTrustedURIs);
+        bool allowed = TestNonFqdn(uri) ||
+                       TestPref(uri, kNegotiateAuthTrustedURIs);
        if (!allowed) {
            LOG(("nsHttpNegotiateAuth::ChallengeReceived URI blocked\n"));
            return NS_ERROR_ABORT;
@ -331,6 +334,23 @@ nsHttpNegotiateAuth::TestBoolPref(const char *pref)
    return val;
 }

+bool
+nsHttpNegotiateAuth::TestNonFqdn(nsIURI *uri)
+{
+    nsCAutoString host;
+    PRNetAddr addr;
+
+    if (!TestBoolPref(kNegotiateAuthAllowNonFqdn))
+        return false;
+
+    if (NS_FAILED(uri->GetAsciiHost(host)))
+        return false;
+
+    // return true if host does not contain a dot and is not an ip address
+    return !host.IsEmpty() && host.FindChar('.') == kNotFound &&
+           PR_StringToNetAddr(host.BeginReading(), &addr) != PR_SUCCESS;
+}
+
 bool
 nsHttpNegotiateAuth::TestPref(nsIURI *uri, const char *pref)
 {
--- a/extensions/auth/nsHttpNegotiateAuth.h
+++ b/extensions/auth/nsHttpNegotiateAuth.h
@ -58,6 +58,9 @@ private:
    // returns the value of the given boolean pref
    bool TestBoolPref(const char *pref);

+    // tests if the host part of an uri is fully qualified
+    bool TestNonFqdn(nsIURI *uri);
+
    // returns true if URI is accepted by the list of hosts in the pref
    bool TestPref(nsIURI *, const char *pref);

--- a/modules/libpref/src/init/all.js
+++ b/modules/libpref/src/init/all.js
@ -1036,6 +1036,9 @@ pref("network.negotiate-auth.trusted-uris", "");
 // This list controls which URIs can support delegation.
 pref("network.negotiate-auth.delegation-uris", "");

+// Do not allow SPNEGO by default when challenged by a local server.
+pref("network.negotiate-auth.allow-non-fqdn", false);
+
 // Allow SPNEGO by default when challenged by a proxy server.
 pref("network.negotiate-auth.allow-proxies", true);

@ -1066,6 +1069,7 @@ pref("network.auth.force-generic-ntlm", false);
 // Window's domain logon.  The trusted-uris pref follows the format of the
 // trusted-uris pref for negotiate authentication.
 pref("network.automatic-ntlm-auth.allow-proxies", true);
+pref("network.automatic-ntlm-auth.allow-non-fqdn", false);
 pref("network.automatic-ntlm-auth.trusted-uris", "");

 // This preference controls whether or not the LM hash will be included in
--- a/netwerk/protocol/http/nsHttpNTLMAuth.cpp
+++ b/netwerk/protocol/http/nsHttpNTLMAuth.cpp
@ -45,6 +45,7 @@
 #include "nsIAuthModule.h"
 #include "nsCOMPtr.h"
 #include "plbase64.h"
+#include "prnetdb.h"

 //-----------------------------------------------------------------------------

@ -58,6 +59,7 @@
 #include "nsISSLStatusProvider.h"

 static const char kAllowProxies[] = "network.automatic-ntlm-auth.allow-proxies";
+static const char kAllowNonFqdn[] = "network.automatic-ntlm-auth.allow-non-fqdn";
 static const char kTrustedURIs[]  = "network.automatic-ntlm-auth.trusted-uris";
 static const char kForceGeneric[] = "network.auth.force-generic-ntlm";

@ -121,6 +123,20 @@ MatchesBaseURI(const nsCSubstring &matchScheme,
    return false;
 }

+static bool
+IsNonFqdn(nsIURI *uri)
+{
+    nsCAutoString host;
+    PRNetAddr addr;
+
+    if (NS_FAILED(uri->GetAsciiHost(host)))
+        return false;
+
+    // return true if host does not contain a dot and is not an ip address
+    return !host.IsEmpty() && host.FindChar('.') == kNotFound &&
+           PR_StringToNetAddr(host.BeginReading(), &addr) != PR_SUCCESS;
+}
+
 static bool
 TestPref(nsIURI *uri, const char *pref)
 {
@ -210,6 +226,15 @@ CanUseDefaultCredentials(nsIHttpAuthenticableChannel *channel,

    nsCOMPtr<nsIURI> uri;
    channel->GetURI(getter_AddRefs(uri));
+
+    bool allowNonFqdn;
+    if (NS_FAILED(prefs->GetBoolPref(kAllowNonFqdn, &allowNonFqdn)))
+        allowNonFqdn = false;
+    if (allowNonFqdn && uri && IsNonFqdn(uri)) {
+        LOG(("Host is non-fqdn, default credentials are allowed\n"));
+        return true;
+    }
+
    bool isTrustedHost = (uri && TestPref(uri, kTrustedURIs));
    LOG(("Default credentials allowed for host: %d\n", isTrustedHost));
    return isTrustedHost;