Re: [WWWOFFLE-Users] Requesting password protected pages when offline

Sun, 04 Aug 2002 06:45:53 -0700 

Rolf Leggewie <[EMAIL PROTECTED]> writes:

> using WWWOFFLE 2.7c I have some trouble requesting password protected
> pages in offline mode.  I have set WWWOFFLE to "confirm-requests = yes".
> 
> For example, I go to http://quotes.ubs.com/ and try to login in at
> http://quotes.ubs.com/myquotes/Y0=logout/t0=1161232987 I put in the user
> and password in the pop-up window and hit return.  WWWOFFLE logs the
> message "wwwoffles[434353] Information:
> URL='http://quotes.ubs.com/myquotes/Y0=logout/t0=1161232987' (With
> username/password)." on stdout.  The problem is that the confirmation
> page presented is just for the ordinary URL without the user/pass-combo.
> 
> AFAICT, it is impossible to have "confirm-requests = yes" together with
> requests for password-protected pages while offline.  If this is indeed
> correct, I'd like to log this as a bug.  If not, I'd appreciate a
> pointer as to what I am doing wrong.

I have tried everywhere in WWWOFFLE to ensure that the username and
password that you enter stays hidden.  This means that in none of the
indexes or confirmation pages will the username and password appear.
For this reason the confirmation page does not have the username and
password in the URL to be confirmed.

If the username and password were in the URL that you selected to
confirm the request then it is possible that they would also then
appear in the browsers location window.

If you want to take the risk and try this out then the following patch
should be all that you need.  I am not sure that I would want to put
this into WWWOFFLE until I was sure that there were no security
implications.

-------------------- wwwoffles.c patch --------------------
--- wwwoffles.c 2002/07/28 10:07:47     2.214
+++ wwwoffles.c 2002/08/04 14:00:48
@@ -2259,7 +2259,7 @@
       {
        if(ConfigBooleanURL(ConfirmRequests,Url) && !Url->local && (!Url->args || 
*Url->args!='!') && !outgoing_exists)
           HTMLMessage(tmpclient,404,"WWWOFFLE Confirm Request",NULL,"ConfirmRequest",
-                      "url",Url->name,
+                      "url",Url->file,
                       NULL);
        else if(fetch_again)
           HTMLMessage(tmpclient,404,"WWWOFFLE Refresh Will Get",NULL,"RefreshWillGet",
-------------------- wwwoffles.c patch --------------------

-- 
Andrew.
----------------------------------------------------------------------
Andrew M. Bishop                             [EMAIL PROTECTED]
                                      http://www.gedanken.demon.co.uk/

WWWOFFLE users page:
        http://www.gedanken.demon.co.uk/wwwoffle/version-2.7/user.html

Reply via email to