HTTP Authentication credentials are printed in the footer when specified in the URI
Reported by
alexmcc0...@gmail.com,
Jun 8 2016
|
||
Issue descriptionThis template is ONLY for reporting privacy issues. Please use a different template for other types of bug reports. Please see http://www.chromium.org/Home/chromium-privacy for further information. PRIVACY ISSUE Chrome allows HTTP Authentication username and passwords to be supplied in the URI. For example, http://username:password@example.com. If the server accepts these credentials (or ignores them), then the page will load and the URI will be displayed in the address bar as example.com, without the credentials. When a user goes to print that page, if the "Headers and Footers" option is checked, the full URI, including credentials, is printed in the footer. Note: This appears to only happen when the credentials are supplied in the URI. A user who uses the browser to input the credentials after a 401 will not see the credentials when printing. This could allow user's to leak credentials without realizing it. This is especially true if a user clicks a link and doesn't realize credentials are present in the URI at all. VERSION: Chrome Version: [50.0.2661.10] + stable Operating System: Linux Mint, 17.3. Also tested on Chrome Version: 50.0.2661.102 stable Operating System: OS X Yosemite 10.10.5 REPRODUCTION STEPS For simplicity, we can test this with a local python server included with python that ships with mac and most linux distributions. 1. Set up the server: $ mkdir -p /tmp/serve $ cd /tmp/serve $ python -m SimpleHTTPServer 2. Open the page in chrome with http://username:password@127.0.0.1 3. Right click the page, select "Print" 4. Ensure "Headers and Footers" is checked. You should now be able to see the credentials in the footer of the page. You can also see this behavior with https://username:password@www.google.com Of course www.google.com ignores the HTTP credentials sent this way, but you can see how a server that does rely on HTTP Authentication would be affected. Attached are two pdfs showing the credentials in the footer. Additionally, a python flask application is included to demonstrate how credentials in links may accidentally be exposed.
,
Jun 10 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c9a049cbb44e89989b77be1fb3a31ff6346ff199 commit c9a049cbb44e89989b77be1fb3a31ff6346ff199 Author: battre <battre@chromium.org> Date: Fri Jun 10 17:48:45 2016 Remove credentials from URL in printed page footer BUG= 618435 Review-Url: https://codereview.chromium.org/2056203002 Cr-Commit-Position: refs/heads/master@{#399223} [modify] https://crrev.com/c9a049cbb44e89989b77be1fb3a31ff6346ff199/chrome/browser/ui/webui/print_preview/print_preview_handler.cc
,
Jun 10 2016
,
Jun 15 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c9a049cbb44e89989b77be1fb3a31ff6346ff199 commit c9a049cbb44e89989b77be1fb3a31ff6346ff199 Author: battre <battre@chromium.org> Date: Fri Jun 10 17:48:45 2016 Remove credentials from URL in printed page footer BUG= 618435 Review-Url: https://codereview.chromium.org/2056203002 Cr-Commit-Position: refs/heads/master@{#399223} [modify] https://crrev.com/c9a049cbb44e89989b77be1fb3a31ff6346ff199/chrome/browser/ui/webui/print_preview/print_preview_handler.cc |
||
►
Sign in to add a comment |
||
Comment 1 by battre@chromium.org
, Jun 10 2016Labels: -Pri-3 Pri-2
Owner: battre@chromium.org
Status: Started (was: Untriaged)