Comments (12)
This is fixed and we have tests verifying the behaviour as of #3339.
from collect.
Comment by mitchellsundt
Thursday Jul 09, 2015 at 18:07 GMT
Fixed with this patch. I think this should be classified as an enhancement.
Reported by tomsmyth
on 2011-07-28 16:02:59
- _Attachment: [diff.diff](https://storage.googleapis.com/google-code-attachments/opendatakit/issue-281/comment-1/diff.diff)_
Comment by mitchellsundt
Thursday Jul 09, 2015 at 18:07 GMT
Reported by wbrunette
on 2011-07-29 00:27:18
- Labels added: Type-Enhancement, Collect
- Labels removed: Type-Defect
Comment by mitchellsundt
Thursday Jul 09, 2015 at 18:07 GMT
"The patch should probably be changed to do preemptive auth only if the target host
port is 8443 or 443; what we really want to do is only send credentials if the intended
scheme is https, but I don't know how to do that."
-- mitch
Reported by yanokwa
on 2011-07-29 20:46:37
Comment by mitchellsundt
Thursday Jul 09, 2015 at 18:07 GMT
This issue was closed by revision 9b24ad8c72e0.
Reported by carlhartung
on 2011-09-27 21:58:26
- Status changed:
Fixed
Comment by mitchellsundt
Thursday Jul 09, 2015 at 18:07 GMT
I realized I attached the wrong patch to this. The proper one is attached to this message.
It includes a new function in WebUtils.java.
I'm not quite sure I understand Mitch's comment above. If I did, perhaps I could suggest
something.
Reported by tomsmyth
on 2011-10-20 15:12:54
- _Attachment: [preemptive-auth.patch](https://storage.googleapis.com/google-code-attachments/opendatakit/issue-281/comment-5/preemptive-auth.patch)_
Comment by mitchellsundt
Thursday Jul 09, 2015 at 18:07 GMT
The issue with your patch is that you don't check that the communications channel is
running within an HTTPS pipe before proactively attaching the username and password.
Basic auth credentials are sent in plaintext (base64 encoded). By not first ensuring
you are operating within an HTTPS pipe, you have ended up broadcasting your username
and password, in plaintext, to the world.
Not sure what fix Carl and Yaw implemented, but a simple check to mitigate this erroneous
wide disclosure of username and password is to first ensure that the server is being
contacted on port 443 or 8443; those are, by convention, the https and non-privileged
alternate https ports for a webserver.
Reported by mitchellsundt
on 2011-10-20 17:12:53
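The check this thread is circling, written out as an added example. It is not ODK Collect's own code (the project's client is Java; WebUtils.java is mentioned above), just a stand-alone Python sketch of the policy. It puts the port heuristic Mitch proposes (443 or 8443) next to the scheme check he says is really wanted and runs both against a constructed fake server: the port heuristic preempts on http://host:8443, so the Basic header goes out in plaintext, and it skips https://host:8080, which costs a 401 round trip. The helper names, sample URLs, credentials and the fake transport are all assumptions made for the example.

```python
"""Preemptive HTTP Basic auth gated on the transport, as discussed in issue 281.

Added example, not ODK Collect code. The fake server and sample values are constructed.
"""
import base64
from urllib.parse import urlsplit

# Ports that are, by convention, HTTPS (443) and its unprivileged alternate (8443).
CONVENTIONAL_HTTPS_PORTS = {443, 8443}


def basic_credentials(username: str, password: str) -> str:
    """Authorization header value for Basic auth. Base64 is encoding, not encryption."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def effective_port(url: str) -> int:
    """Explicit port if given, otherwise the scheme default (443 for https, 80 for http)."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme.lower() == "https" else 80


def port_heuristic_allows_preemptive(url: str) -> bool:
    """The mitigation proposed in the thread: preempt only when the target port is 443/8443."""
    return effective_port(url) in CONVENTIONAL_HTTPS_PORTS


def scheme_allows_preemptive(url: str) -> bool:
    """What the thread says is really wanted: preempt only when the URL scheme is https."""
    return urlsplit(url).scheme.lower() == "https"


def request_headers(url, username, password, policy=scheme_allows_preemptive):
    """Headers for the first request; Authorization is attached only if `policy` allows."""
    headers = {"Host": urlsplit(url).hostname or ""}
    if policy(url):
        headers["Authorization"] = basic_credentials(username, password)
    return headers


def fetch(url, username, password, transport,
          policy=scheme_allows_preemptive, allow_basic_over_http=False):
    """Send the request, preempting auth only when `policy` allows; else answer a 401 challenge.

    `transport(url, headers) -> (status, response_headers)` stands in for a real HTTP client.
    Returns (final_status, round_trips, credentials_were_sent).
    """
    headers = request_headers(url, username, password, policy)
    status, resp = transport(url, headers)
    trips = 1
    sent = "Authorization" in headers
    challenged = resp.get("WWW-Authenticate", "").lower().startswith("basic")
    if status == 401 and not sent and challenged:
        # Answering the challenge also puts the password on the wire in plaintext,
        # so over http it is refused unless the caller explicitly opts in.
        if scheme_allows_preemptive(url) or allow_basic_over_http:
            headers["Authorization"] = basic_credentials(username, password)
            status, resp = transport(url, headers)
            trips += 1
            sent = True
    return status, trips, sent


def make_fake_server(expected_auth: str):
    """Constructed stand-in for a server protecting a resource with Basic auth."""
    def transport(url, headers):
        if headers.get("Authorization") == expected_auth:
            return 200, {}
        return 401, {"WWW-Authenticate": 'Basic realm="odk"'}
    return transport


def compare_policies(urls):
    """For each URL: (port heuristic preempts?, scheme check preempts?)."""
    return {u: (port_heuristic_allows_preemptive(u), scheme_allows_preemptive(u)) for u in urls}


if __name__ == "__main__":
    server = make_fake_server(basic_credentials("alice", "s3cret"))
    for u in ("https://example.org/submission", "http://example.org:8443/submission",
              "https://example.org:8080/submission", "http://example.org/submission"):
        print(u, compare_policies([u])[u],
              fetch(u, "alice", "s3cret", server, policy=port_heuristic_allows_preemptive))
```

The two policies agree on the default ports and disagree exactly where the heuristic is a proxy for the real property: a plaintext listener on 8443 gets the password preemptively, and a TLS listener on 8080 does not get it until challenged. Gating on the scheme removes the first case; the `allow_basic_over_http` default removes the quieter second leak, where a challenge-response client still sends Basic credentials over http to whatever answered the 401.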
Comment by mitchellsundt
Thursday Jul 09, 2015 at 18:07 GMT
I understand what you're saying now. I'll take a crack at this and get back to y'all.
Reported by tomsmyth
on 2011-10-20 18:42:57
Comment by mitchellsundt
Thursday Jul 09, 2015 at 18:07 GMT
Reported by yanokwa
on 2011-10-20 20:47:36
- Status changed:
Accepted
Comment by mitchellsundt
Thursday Jul 09, 2015 at 18:07 GMT
I think a change accomplishing this was checked into the code base and is already in
the mainline.
Reported by mitchellsundt
on 2011-10-20 20:54:39
Comment by mitchellsundt
Thursday Jul 09, 2015 at 18:07 GMT
I believe that was on a different but related issue. I have checked the trunk and this
issue still exists. My patch fixes it, but your earlier comment still applies and I
will address it when I get time.
Reported by tomsmyth
on 2011-10-21 02:12:44
Comment by mitchellsundt
Thursday Jul 09, 2015 at 18:07 GMT
Reported by yanokwa
on 2012-05-25 20:10:08