PasswordMaker Forums

Firefox/SeaMonkey/Mozilla/Netscape/Flock Browser Extension => Bugs => Topic started by: rdebay on November 14, 2008, 06:00:00 PM

Title: IP address parsed improperly
Post by: rdebay on November 14, 2008, 06:00:00 PM
To hash an IP address, you must specify that the subdomain be used.  The decimal points in an IP address don't separate domains, so all four octets should be hashed regardless of which URL components are selected.
Title: Re: IP address parsed improperly
Post by: tanstaafl on November 14, 2008, 06:12:52 PM
Interesting... I've never tried to use pwm on a site accessed by IP, but can certainly see the possibility of doing so in the future...

Hmmm... it seems to work right on the one site I have access too... at least, the 'Using text' field shows 'http://###.###.###.###' (where ###.###.###.### is the IP address of the site I'm on)...

Are you saying that it actually is NOT using this full string to calculate the password?
Title: Re: IP address parsed improperly
Post by: Miquel 'Fire' Burns on November 14, 2008, 06:18:47 PM
I don't think Eric even thought about that (I know I didn't). But then, how offen do you access a site by IP in the first place?

And no, the behavoir I'm getting is that PWM uses the last two parts, not the whole thing (which ironically, is how we refer to IPs here at my job)
Title: Re: IP address parsed improperly
Post by: rdebay on November 14, 2008, 06:21:05 PM
In the downloadable version, the subdomain and domain under URL components must be selected if an IP address is entered in the Input URL field.
Title: Re: IP address parsed improperly
Post by: rdebay on November 14, 2008, 06:30:44 PM
But then, how offen do you access a site by IP in the first place?

Often enough that I noticed it :-)

There are several IP accessible devices that we don't assign names to.  Uninterruptible Power Supplies, for example.
Title: Re: IP address parsed improperly
Post by: tanstaafl on November 14, 2008, 06:37:34 PM
switches, printers... even 'secret' sites that you don't intend for 'public consumption'...
Title: Re: IP address parsed improperly
Post by: Rick DeBay on November 14, 2008, 06:50:56 PM
... even 'secret' sites that you don't intend for 'public consumption'...
Although those 'secret' sites often end up indexed in Google :o
Title: Re: IP address parsed improperly
Post by: tanstaafl on November 14, 2008, 07:43:34 PM
I know...

BASTARDOS!
Title: Re: IP address parsed improperly
Post by: richbeales on November 14, 2008, 08:26:47 PM
Apologies if i'm diving into the code without knowing if this is used in more than one place, however below is a diff of a possible change that could fix this in /chrome/content/passwdmaker/passwdmaker.js:

1022,1054d1021
<     // Check if the domain looks like an IP address
<     // If it is an IP address, then the subdomain / TLD is meaningless
<     var isIpAddress = true;
<     var tempBool = false;
<     if (uriComponents.domains.length == 4 && includeDomain) // IPs always have 4 octets
<     {
<        for (var ip=0; ip<uriComponents.domains.length;i++)
<        {
<           if (0 <= (int)uriComponents.domains[ip] <= 255)
<           {
<              tempBool = true;
<           }
<           else
<           {
<              tempBool = false;
<           }
<           isIpAddress = isIpAddress && tempBool;         
<        }
<     }
<     else
<     {
<        isIpAddress = false;
<     }
<     if (isIpAddress)
<     {
<         for (var i=0; i<4; i++) {
<         ret += uriComponents.domains;
<         // Add a dot if this isn't the final subdomain
<         if (i+1 < 4)
<           ret += ".";
<       }         
<     }
<     else { // continue as normal
1087c1054
<     }
---
>


Again, this hasn't been tested (so may not run, i'm not fully set up to debug the ff version, and not a javascript guru) but should be pretty close and only require a few modifications.  Hope it'll be useful.

Rich.
Title: Re: IP address parsed improperly
Post by: Miquel 'Fire' Burns on November 14, 2008, 09:47:55 PM
Using regex, you get a better check. Question being how detail do you want the regex to be.

Man, I'm hating the lack of free time I have because of my job right now :(

Simple regex string (can catch invalid ips like 999.999.999.999): \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\
One that doesn't catch invalid IPs, I think this may work: ([1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])

Yea, that's ugly. I think I saw one that would be better somewhere though.
Title: Re: IP address parsed improperly
Post by: Eric H. Jung on November 15, 2008, 03:09:29 AM
Miquel, you can write the code more  concisely with a regex, but I'm not convinced such code can provide any "better" of a check than non-reg-ex code. And, in fact, non-reg-ex code is generally faster in javascript than its regex equivalent.You can run a few quick benchmarks like so to see what I mean:

Date t1 = new Date(); // now
// do regex or  non-regex check for ip addresses
dump(new Date() - t1); // msec elapsed

In any case, I'm not particular which way we implement it since this section of code isn't particularly sensitive to posible performance hits.

rich, thanks for the contribution. One of us (or you) needs to test this before committing it, though...