Commit 6dd85517 authored by Richard van den Berg's avatar Richard van den Berg
Browse files

Bug 452781 - Allow specifying wildcard that matches all simple netbiosnames in...

Bug 452781 - Allow specifying wildcard that matches all simple netbiosnames in network.automatic-ntlm-auth.trusted-uris, r=honzab
parent 06d5399c
Loading
Loading
Loading
Loading
+21 −1
Original line number Diff line number Diff line
@@ -70,6 +70,7 @@
#include "prprf.h"
#include "prlog.h"
#include "prmem.h"
#include "prnetdb.h"

//-----------------------------------------------------------------------------

@@ -77,6 +78,7 @@ static const char kNegotiate[] = "Negotiate";
static const char kNegotiateAuthTrustedURIs[] = "network.negotiate-auth.trusted-uris";
static const char kNegotiateAuthDelegationURIs[] = "network.negotiate-auth.delegation-uris";
static const char kNegotiateAuthAllowProxies[] = "network.negotiate-auth.allow-proxies";
static const char kNegotiateAuthAllowNonFqdn[] = "network.negotiate-auth.allow-non-fqdn";
static const char kNegotiateAuthSSPI[] = "network.auth.use-sspi";

#define kNegotiateLen  (sizeof(kNegotiate)-1)
@@ -143,7 +145,8 @@ nsHttpNegotiateAuth::ChallengeReceived(nsIHttpAuthenticableChannel *authChannel,
        proxyInfo->GetHost(service);
    }
    else {
        bool allowed = TestPref(uri, kNegotiateAuthTrustedURIs);
        bool allowed = TestNonFqdn(uri) ||
                       TestPref(uri, kNegotiateAuthTrustedURIs);
        if (!allowed) {
            LOG(("nsHttpNegotiateAuth::ChallengeReceived URI blocked\n"));
            return NS_ERROR_ABORT;
@@ -331,6 +334,23 @@ nsHttpNegotiateAuth::TestBoolPref(const char *pref)
    return val;
}

bool
nsHttpNegotiateAuth::TestNonFqdn(nsIURI *uri)
{
    nsCAutoString host;
    PRNetAddr addr;

    if (!TestBoolPref(kNegotiateAuthAllowNonFqdn))
        return false;

    if (NS_FAILED(uri->GetAsciiHost(host)))
        return false;

    // return true if host does not contain a dot and is not an ip address
    return !host.IsEmpty() && host.FindChar('.') == kNotFound &&
           PR_StringToNetAddr(host.BeginReading(), &addr) != PR_SUCCESS;
}

bool
nsHttpNegotiateAuth::TestPref(nsIURI *uri, const char *pref)
{
+3 −0
Original line number Diff line number Diff line
@@ -58,6 +58,9 @@ private:
    // returns the value of the given boolean pref
    bool TestBoolPref(const char *pref);

    // tests if the host part of an uri is fully qualified
    bool TestNonFqdn(nsIURI *uri);

    // returns true if URI is accepted by the list of hosts in the pref
    bool TestPref(nsIURI *, const char *pref);

+4 −0
Original line number Diff line number Diff line
@@ -1036,6 +1036,9 @@ pref("network.negotiate-auth.trusted-uris", "");
// This list controls which URIs can support delegation.
pref("network.negotiate-auth.delegation-uris", "");

// Do not allow SPNEGO by default when challenged by a local server.
pref("network.negotiate-auth.allow-non-fqdn", false);

// Allow SPNEGO by default when challenged by a proxy server.
pref("network.negotiate-auth.allow-proxies", true);

@@ -1066,6 +1069,7 @@ pref("network.auth.force-generic-ntlm", false);
// Window's domain logon.  The trusted-uris pref follows the format of the
// trusted-uris pref for negotiate authentication.
pref("network.automatic-ntlm-auth.allow-proxies", true);
pref("network.automatic-ntlm-auth.allow-non-fqdn", false);
pref("network.automatic-ntlm-auth.trusted-uris", "");

// This preference controls whether or not the LM hash will be included in
+25 −0
Original line number Diff line number Diff line
@@ -45,6 +45,7 @@
#include "nsIAuthModule.h"
#include "nsCOMPtr.h"
#include "plbase64.h"
#include "prnetdb.h"

//-----------------------------------------------------------------------------

@@ -58,6 +59,7 @@
#include "nsISSLStatusProvider.h"

static const char kAllowProxies[] = "network.automatic-ntlm-auth.allow-proxies";
static const char kAllowNonFqdn[] = "network.automatic-ntlm-auth.allow-non-fqdn";
static const char kTrustedURIs[]  = "network.automatic-ntlm-auth.trusted-uris";
static const char kForceGeneric[] = "network.auth.force-generic-ntlm";

@@ -121,6 +123,20 @@ MatchesBaseURI(const nsCSubstring &matchScheme,
    return false;
}

static bool
IsNonFqdn(nsIURI *uri)
{
    nsCAutoString host;
    PRNetAddr addr;

    if (NS_FAILED(uri->GetAsciiHost(host)))
        return false;

    // return true if host does not contain a dot and is not an ip address
    return !host.IsEmpty() && host.FindChar('.') == kNotFound &&
           PR_StringToNetAddr(host.BeginReading(), &addr) != PR_SUCCESS;
}

static bool
TestPref(nsIURI *uri, const char *pref)
{
@@ -210,6 +226,15 @@ CanUseDefaultCredentials(nsIHttpAuthenticableChannel *channel,

    nsCOMPtr<nsIURI> uri;
    channel->GetURI(getter_AddRefs(uri));

    bool allowNonFqdn;
    if (NS_FAILED(prefs->GetBoolPref(kAllowNonFqdn, &allowNonFqdn)))
        allowNonFqdn = false;
    if (allowNonFqdn && uri && IsNonFqdn(uri)) {
        LOG(("Host is non-fqdn, default credentials are allowed\n"));
        return true;
    }

    bool isTrustedHost = (uri && TestPref(uri, kTrustedURIs));
    LOG(("Default credentials allowed for host: %d\n", isTrustedHost));
    return isTrustedHost;