Bug 275033

Summary: Spurious warning from Konqueror (log in with the username "undefined")
Product: konqueror
Reporter: András Manţia <amantia>
Component: khtml
Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED FIXED
Severity: normal
CC: amrecio, anders, bugs, cfeck, marcus, martin.ruessler, melendro, mfraz74+kde, paulo.miguel.dias, rdieter
Priority: NOR
Version: 4.9.2
Target Milestone: ---
Platform: Unlisted Binaries
OS: Linux
Latest Commit:
Version Fixed In: 4.9.5
Attachments:
    screenshot of dialog launched cause of choqok
    screenshot of dialog launched from konqueror at flickr

Description András Manţia 2011-06-06 09:56:37 UTC
Version:           unspecified
OS:                Linux

Recently (from master) I get a warning on several sites that looks like this:

You are about to log in to the site "9250.cmd.shutterfly.com" with the username "undefined", but the website does not require authentication. This may be an attempt to trick you.
Is "9250.cmd.shutterfly.com" the site you want to visit?

YES / NO

This is unexpected, and although it might try to avoid some kind of phishing problem, I wonder if this is really done in a good way (I get no such warning from Firefox, for example).
It happens e.g. on http://arkosifeszekrakok.shutterfly.com/pictures/1947#1946 (press the button to go to the next picture), but I have seen the same on a netbank site, which worked just fine before.

Reproducible: Didn't try
Comment 1 Tommi Tervo 2011-10-26 13:18:25 UTC
*** Bug 277879 has been marked as a duplicate of this bug. ***
Comment 3 Christoph Feck 2011-11-16 09:18:17 UTC
*** Bug 286758 has been marked as a duplicate of this bug. ***
Comment 4 Anders Lund 2011-11-16 09:54:02 UTC
So could that commit be reverted please, until the functionality is more fixed?
Comment 5 Dawit Alemayehu 2011-11-16 15:39:49 UTC
(In reply to comment #4)
> So could that commit be reverted please, untill the functionality is more
> fixed?

No, that won't be reverted. It does exactly what it is supposed to do. It is khtml that needs to be fixed not to send a bogus username and password, which causes this warning to be displayed. It sends the following POST request:

post: "http://undefined:undefined@66119.cmd.shutterfly.com/commands/pictures/getdetail?site=arkosifeszekrakok&"

The "undefined:undefined@" is simply bogus and results in the aforementioned warning. This does not happen in any other browser, including Konqueror + webkit engine.
Comment 6 Anders Lund 2011-11-16 17:15:03 UTC
The dialog does pop up with konqueror, so SOMETHING is sending a malformed request. It also happens with choqok, which doesn't use khtml for anything afaik. But then that might ALSO send a malformed request.

I suppose there is a way to see those requests in the debug output? Or somehow else? Because the situation is that this problem is one of those getting in the way of KDE being able to provide an acceptable/usable desktop, so it must be stopped ASAP!!
Comment 7 Mark Fraser 2011-11-16 17:30:37 UTC
It happens with Choqok if you set up an opendesktop.org account under account details in settings.
Comment 8 Anders Lund 2011-11-16 19:20:05 UTC
Created attachment 65755 [details]
screenshot of dialog launched cause of choqok

The screenshot is in Danish, but you can see that the username is not "undefined".
Comment 9 Anders Lund 2011-11-16 19:28:47 UTC
Created attachment 65756 [details]
screenshot of dialog launched from konqueror at flickr

Here I am at flickr.com using konqueror/khtml. I edit the text of an image and press the SAVE button. This is AJAX functionality; the text is saved without the browser location being replaced. Of course I AM already logged into flickr.com. The username is not shown as "undefined" here either.

If the bug is in khtml, it needs to be located and fixed, please help!
Comment 10 Dawit Alemayehu 2011-11-16 20:02:41 UTC
Git commit 86e07ecda06d7bfae577f186eb948d958222713c by Dawit Alemayehu.
Committed on 16/11/2011 at 20:53.
Pushed by adawit into branch 'KDE/4.7'.

Workaround brain dead clients that set the username and password of the
request URL to "undefined".

CCBUG: 275033

M  +6    -0    kioslave/http/http.cpp

http://commits.kde.org/kdelibs/86e07ecda06d7bfae577f186eb948d958222713c
Comment 11 Anders Lund 2011-11-16 22:13:24 UTC
Dawit, Thanks for improving this a bit!

I hope however that those clients can be fixed, to my knowledge khtml and choqok ocs plugin. Maybe individual reports are called for.
Comment 12 Dawit Alemayehu 2011-11-17 01:32:42 UTC
(In reply to comment #11)
> Dawit, Thanks for improving this a bit!
> 
> I hope however that those clients can be fixed, to my knowledge khtml and
> choqok ocs plugin. Maybe individual reports are called for.

I agree. We can always revert back the workaround in kio_http once the offending apps and libraries are fixed.
Comment 13 Christoph Feck 2011-11-22 21:58:55 UTC
The attica bug 277879 had been marked as a duplicate of this one, but apparently attica is doing something wrong (not that I really understand what). Does bug 277879 have to be reopened for attica? If yes, can someone add a comment to that bug about what needs to be changed in attica?
Comment 14 Anders Lund 2011-12-31 08:03:24 UTC
This is still a problem for me using KDE 4.7.4. I get that dialog from both choqok and from konqueror (using KHTML) when visiting flickr and several other sites.

Kind regards,
Anders
Comment 15 Melendro 2012-03-08 19:00:57 UTC
Still happening from time to time when plasma tries to connect to api.opendesktop.org
It's really annoying.
Any news on this 9-month-old bug?
Comment 16 Martin 2012-06-30 09:51:43 UTC
This is still valid in Plasma 4.8.90 (4.9 beta 2) when I use GHNS.
Comment 17 Graeme Hewson 2012-10-10 05:03:23 UTC
Still happening in 4.9.2.

The username is "null", not "undefined". Going to http://www.open.ac.uk/, the popup says 'You are about to log in to the site "www.open.ac.uk" with the username "null", but the website does not require authentication. This may be an attempt to trick you. Is "www.open.ac.uk" the site you want to visit?'

I traced the network with Wireshark, and there is no bogus username/password being sent. There are two TCP streams:

TCP stream 1:

GET / HTTP/1.1
Host: www.open.ac.uk
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) KHTML/4.9.2 (like Gecko) Konqueror/4.9
If-None-Match: "b78384-4b18-55cf15c0"
Accept: text/html, text/*;q=0.9, image/jpeg;q=0.9, image/png;q=0.9, image/*;q=0.9, */*;q=0.8
Accept-Encoding: gzip, deflate, x-gzip, x-deflate
Accept-Charset: utf-8,*;q=0.5
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: MoodleSessionTestol=f8lXBDMPUA; MoodleSessionol=npv511samvldhgojh92qm32807; OUFULLSIZE=F

HTTP/1.1 304 Not Modified
Date: Wed, 10 Oct 2012 04:50:04 GMT
Server: Apache
nnCoection: close
ETag: "b78384-4b18-55cf15c0"

TCP stream 2:

GET /includes/ip.shtm HTTP/1.1
Host: www.open.ac.uk
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) KHTML/4.9.2 (like Gecko) Konqueror/4.9
Referer: http://www.open.ac.uk/
Accept: text/html, text/*;q=0.9, image/jpeg;q=0.9, image/png;q=0.9, image/*;q=0.9, */*;q=0.8
Accept-Encoding: gzip, deflate, x-gzip, x-deflate
Accept-Charset: utf-8,*;q=0.5
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: MoodleSessionTestol=f8lXBDMPUA; MoodleSessionol=npv511samvldhgojh92qm32807; OUFULLSIZE=F

HTTP/1.1 200 OK
Date: Wed, 10 Oct 2012 04:50:04 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 36
nnCoection: close
Content-Type: text/html

||*137.108.140.184*|*46.64.79.164*||

=== End ===

I notice the server is sending strange "nnCoection: close" headers. Is this relevant, perhaps? Possible explanation for the headers here (to do with load balancers): http://stackoverflow.com/questions/4798461/cneonction-and-nncoection-http-headers
Comment 18 Graeme Hewson 2012-10-10 05:22:13 UTC
I also traced the network without Konqueror caching. Again, there are no bogus HTTP requests (and all the requests are GETs; there are no POSTs).
Comment 19 Graeme Hewson 2012-10-11 16:17:34 UTC
Confirmed by debugging kio_http that Konqueror is not sending a spurious username/password to kio_http.
Comment 20 Graeme Hewson 2012-10-11 16:47:18 UTC
It showed up in kio_http_debug, though (see 3rd line):

kio_http(15623)/kio_http_debug HTTPProtocol::setHost: Hostname is now: "www.open.ac.uk" ( "www.open.ac.uk" )
kio_http(15623)/kio_http_debug HTTPProtocol::get: "http://null:null@www.open.ac.uk/includes/ip.shtm"
kio_http(15623)/kio_http_debug HTTPProtocol::maybeSetRequestUrl: "http://null:null@www.open.ac.uk/includes/ip.shtm"
kio_http(15623)/kio_http_debug HTTPProtocol::resetSessionSettings: Window Id = ""
kio_http(15623)/kio_http_debug HTTPProtocol::resetSessionSettings: ssl_was_in_use = ""
kio_http(15623)/kio_http_debug HTTPProtocol::proceedUntilResponseContent:
kio_http(15623)/kio_http_debug HTTPProtocol::proceedUntilResponseHeader:
kio_http(15623)/kio_http_debug HTTPProtocol::sendQuery:
kio_http(15623)/kio_http_debug HTTPProtocol::httpShouldCloseConnection:
kio_http(15623)/kio_http_debug HTTPProtocol::satisfyRequestFromCache:
kio_http(15623) HTTPProtocol::sendQuery: ============ Sending Header:
kio_http(15623) HTTPProtocol::sendQuery: "GET /includes/ip.shtm HTTP/1.1"
kio_http(15623) HTTPProtocol::sendQuery: "Host: www.open.ac.uk"
kio_http(15623) HTTPProtocol::sendQuery: "Connection: keep-alive"
kio_http(15623) HTTPProtocol::sendQuery: "User-Agent: Mozilla/5.0 (X11; Linux x86_64) KHTML/4.9.2 (like Gecko) Konqueror/4.9"
kio_http(15623) HTTPProtocol::sendQuery: "Referer: http://www.open.ac.uk/"
kio_http(15623) HTTPProtocol::sendQuery: "Pragma: no-cache"
kio_http(15623) HTTPProtocol::sendQuery: "Cache-control: no-cache"
kio_http(15623) HTTPProtocol::sendQuery: "Accept: text/html, text/*;q=0.9, image/jpeg;q=0.9, image/png;q=0.9, image/*;q=0.9, */*;q=0.8"
kio_http(15623) HTTPProtocol::sendQuery: "Accept-Encoding: gzip, deflate, x-gzip, x-deflate"
kio_http(15623) HTTPProtocol::sendQuery: "Accept-Charset: utf-8,*;q=0.5"
kio_http(15623) HTTPProtocol::sendQuery: "Accept-Language: en-GB,en-US;q=0.9,en;q=0.8"
kio_http(15623)/kio_http_debug HTTPProtocol::sendQuery: sent it!
kio_http(15623)/kio_http_debug HTTPProtocol::readResponseHeader:
kio_http(15621) HTTPProtocol::readResponseHeader: ============ Received Status Response:
kio_http(15621) HTTPProtocol::readResponseHeader: "HTTP/1.1 200 OK"
Comment 21 Marcus Harrison 2012-12-17 09:26:47 UTC
(In reply to comment #8)
> Created attachment 65755 [details]
> screenshot of dialog launched cause of choqok
> 
> The screenshot is in danish, but you can see that the username is not
> "undefined".

I was about to open a new bug report for this situation, as this has been happening long before this bug had surfaced. It also occurs when a remote WebDAV resource is configured in remote:/, and when one has an OpenDesktop account configured then goes to a Get Hot New Stuff dialogue.

I believe these two issues are unrelated.
Comment 22 Andrea Iacovitti 2012-12-18 21:46:38 UTC
Git commit 32f16e261596445a04282f13303e8dbc35ce7a23 by Andrea Iacovitti.
Committed on 18/12/2012 at 22:43.
Pushed by aiacovitti into branch 'KDE/4.9'.

Fix setting url userinfo in xmlhttprequest.
FIXED-IN: 4.9.5

M  +10   -7    khtml/ecma/xmlhttprequest.cpp

http://commits.kde.org/kdelibs/32f16e261596445a04282f13303e8dbc35ce7a23
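The mechanism described in comment 5 (a script-supplied user/password that is undefined ending up as "undefined:undefined@" in the request URL), the "null:null@" variant seen in the kio_http_debug output of comment 20, and the khtml-side fix of comment 22 (only set URL userinfo when real credentials were given), modelled as an added JavaScript example. This is not kdelibs or khtml code: the two URL builders, the checkSpuriousCredentials function and the sample response headers are hypothetical reconstructions, and the assumption that kio_http's warning condition amounts to "URL carries userinfo but the server sent no 401/WWW-Authenticate challenge" is mine, not stated on the page.

```javascript
// Added example, not KDE code. Models how undefined/null user and password
// arguments (as JavaScript passes to XMLHttpRequest.open()) can leak into the
// URL userinfo, the hardened variant that ignores them, and a checker that
// models the condition under which kio_http shows the phishing warning.

// Buggy reconstruction: String(undefined) === "undefined", String(null) === "null",
// so the "credentials" become literal userinfo in the URL.
function buildRequestUrlBuggy(base, user, password) {
  const url = new URL(base);
  url.username = String(user);   // "undefined" or "null" ends up in the URL
  url.password = String(password);
  return url.href;
}

// Hardened reconstruction: only non-empty string credentials are applied;
// undefined and null mean "no credentials supplied" and leave the URL alone.
function buildRequestUrlFixed(base, user, password) {
  const url = new URL(base);
  if (typeof user === 'string' && user.length > 0) {
    url.username = user;
    if (typeof password === 'string') url.password = password;
  }
  return url.href;
}

// Models the warning condition (assumption, not the real kio_http logic):
// the request URL carries a username, but the response shows the site did
// not ask for authentication (no 401 status and no WWW-Authenticate header).
// Returns null when nothing is suspicious, otherwise the data the dialog
// in this bug report displays (host and the bogus username).
function checkSpuriousCredentials(requestUrl, responseStatus, responseHeaders) {
  const url = new URL(requestUrl);
  if (url.username === '') return null;
  const challenged = responseStatus === 401 ||
    Object.keys(responseHeaders).some(h => h.toLowerCase() === 'www-authenticate');
  if (challenged) return null;
  return { host: url.host, username: decodeURIComponent(url.username) };
}

// Constructed sample: the "200 OK" response headers of TCP stream 2 in
// comment 17, reduced to the fields relevant to the check.
const SAMPLE_RESPONSE_HEADERS = {
  'Date': 'Wed, 10 Oct 2012 04:50:04 GMT',
  'Server': 'Apache',
  'Content-Length': '36',
  'Content-Type': 'text/html',
};

// Stand-alone demonstration of the three pieces.
function demo() {
  const ipShtm = 'http://www.open.ac.uk/includes/ip.shtm';
  const buggy = buildRequestUrlBuggy(ipShtm, null, null);   // http://null:null@www.open.ac.uk/...
  const fixed = buildRequestUrlFixed(ipShtm, null, null);   // unchanged URL
  return {
    buggy,
    fixed,
    warningForBuggy: checkSpuriousCredentials(buggy, 200, SAMPLE_RESPONSE_HEADERS),
    warningForFixed: checkSpuriousCredentials(fixed, 200, SAMPLE_RESPONSE_HEADERS),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The checker is the defender's view of the dialog: a request that volunteers credentials to a site that never challenged for them is worth flagging, which is why kio_http's warning was kept and the client (khtml) was fixed instead.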
Comment 23 Andrea Iacovitti 2012-12-24 21:00:50 UTC
Git commit 7dc7d647cb17b3feabd4a00abaca1a678398835a by Andrea Iacovitti.
Committed on 24/12/2012 at 21:56.
Pushed by aiacovitti into branch 'KDE/4.9'.

Remove the workaround for bug 275033 now that khtml has been fixed
(This reverts kdelibs commit 86e07ecd)

M  +0    -6    kioslave/http/http.cpp

http://commits.kde.org/kdelibs/7dc7d647cb17b3feabd4a00abaca1a678398835a