Bug 1030426 - network.negotiate-auth.allow-insecure-ntlm-v1-https allows sending NTLMv1 credentials in plain to HTTP proxies. r=mcmanus, a=sledru
author: Honza Bambas <honzab.moz@firemni.cz>
date: Thu, 26 Jun 2014 15:08:35 +0200
changeset: 208712 5c24299803230be6514947e980a5cd9c36773628
parent: 208711 4312d0a4e00c30cffc9d506f2d5e4c4c6a2c7d9f
child: 208713 d08d6c52e2f4f0521dc8593406441be3bbd8de46
push id: 494
push user: raliiev@mozilla.com
push date: Mon, 25 Aug 2014 18:42:16 +0000
treeherder: mozilla-release@a3cc3e46b571
reviewers: mcmanus, sledru
bugs: 1030426
milestone: 32.0a2
netwerk/protocol/http/nsHttpNTLMAuth.cpp
--- a/netwerk/protocol/http/nsHttpNTLMAuth.cpp
+++ b/netwerk/protocol/http/nsHttpNTLMAuth.cpp
@@ -338,17 +338,20 @@ nsHttpNTLMAuth::ChallengeReceived(nsIHtt
                 if (!*sessionState)
                     return NS_ERROR_OUT_OF_MEMORY;
                 NS_ADDREF(*sessionState);
             }
 
             // Use our internal NTLM implementation. Note, this is less secure,
             // see bug 520607 for details.
 
-            if (AllowGenericNTLM() || AllowGenericNTLMforHTTPS(channel)) {
+            // For now with default preference settings (i.e. allow-insecure-ntlm-v1-https = true
+            // and allow-insecure-ntlm-v1 = false) we don't allow authentication to any proxy,
+            // either http or https.  This will be fixed in a followup bug.
+            if (AllowGenericNTLM() || (!isProxyAuth && AllowGenericNTLMforHTTPS(channel))) {
                 LOG(("Trying to fall back on internal ntlm auth.\n"));
                 module = do_CreateInstance(NS_AUTH_MODULE_CONTRACTID_PREFIX "ntlm");
             }
 	
             mUseNative = false;
 
             // Prompt user for domain, username, and password.
             *identityInvalid = true;
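Review bot: the new condition `if (AllowGenericNTLM() || (!isProxyAuth && AllowGenericNTLMforHTTPS(channel)))` refuses the internal NTLM fallback for proxy authentication silently; the only LOG in this block, `LOG(("Trying to fall back on internal ntlm auth.\n"));`, sits on the success path. Since the added comment states that with default preferences this intentionally denies NTLM authentication to any proxy, an `else` branch logging that the fallback was skipped because `isProxyAuth` is set would make the resulting authentication failures diagnosable from NSPR logs instead of looking like a missing module. The comment should also name the follow-up bug rather than saying "will be fixed in a followup bug", in the same way the existing comment above it cites bug 520607, so the temporary restriction can be traced when that bug lands.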