Author Topic: IP address parsed improperly  (Read 11015 times)

Offline rdebay

  • Jr. Member
  • **
  • Posts: 19
IP address parsed improperly
« on: November 14, 2008, 06:00:00 PM »
To hash an IP address, you must specify that the subdomain be used.  The decimal points in an IP address don't separate domains, so all four octets should be hashed regardless of which URL components are selected.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: IP address parsed improperly
« Reply #1 on: November 14, 2008, 06:12:52 PM »
Interesting... I've never tried to use pwm on a site accessed by IP, but can certainly see the possibility of doing so in the future...

Hmmm... it seems to work right on the one site I have access too... at least, the 'Using text' field shows 'http://###.###.###.###' (where ###.###.###.### is the IP address of the site I'm on)...

Are you saying that it actually is NOT using this full string to calculate the password?
« Last Edit: November 14, 2008, 06:35:55 PM by tanstaafl »

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Re: IP address parsed improperly
« Reply #2 on: November 14, 2008, 06:18:47 PM »
I don't think Eric even thought about that (I know I didn't). But then, how offen do you access a site by IP in the first place?

And no, the behavoir I'm getting is that PWM uses the last two parts, not the whole thing (which ironically, is how we refer to IPs here at my job)
"I'm not drunk, just sleep deprived."

Offline rdebay

  • Jr. Member
  • **
  • Posts: 19
Re: IP address parsed improperly
« Reply #3 on: November 14, 2008, 06:21:05 PM »
In the downloadable version, the subdomain and domain under URL components must be selected if an IP address is entered in the Input URL field.

Offline rdebay

  • Jr. Member
  • **
  • Posts: 19
Re: IP address parsed improperly
« Reply #4 on: November 14, 2008, 06:30:44 PM »
But then, how offen do you access a site by IP in the first place?

Often enough that I noticed it :-)

There are several IP accessible devices that we don't assign names to.  Uninterruptible Power Supplies, for example.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: IP address parsed improperly
« Reply #5 on: November 14, 2008, 06:37:34 PM »
switches, printers... even 'secret' sites that you don't intend for 'public consumption'...

Rick DeBay

  • Guest
Re: IP address parsed improperly
« Reply #6 on: November 14, 2008, 06:50:56 PM »
... even 'secret' sites that you don't intend for 'public consumption'...
Although those 'secret' sites often end up indexed in Google :o

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: IP address parsed improperly
« Reply #7 on: November 14, 2008, 07:43:34 PM »
I know...

BASTARDOS!

Offline richbeales

  • Normal Members
  • *
  • Posts: 4
Re: IP address parsed improperly
« Reply #8 on: November 14, 2008, 08:26:47 PM »
Apologies if i'm diving into the code without knowing if this is used in more than one place, however below is a diff of a possible change that could fix this in /chrome/content/passwdmaker/passwdmaker.js:

1022,1054d1021
<     // Check if the domain looks like an IP address
<     // If it is an IP address, then the subdomain / TLD is meaningless
<     var isIpAddress = true;
<     var tempBool = false;
<     if (uriComponents.domains.length == 4 && includeDomain) // IPs always have 4 octets
<     {
<        for (var ip=0; ip<uriComponents.domains.length;i++)
<        {
<           if (0 <= (int)uriComponents.domains[ip] <= 255)
<           {
<              tempBool = true;
<           }
<           else
<           {
<              tempBool = false;
<           }
<           isIpAddress = isIpAddress && tempBool;         
<        }
<     }
<     else
<     {
<        isIpAddress = false;
<     }
<     if (isIpAddress)
<     {
<         for (var i=0; i<4; i++) {
<         ret += uriComponents.domains;
<         // Add a dot if this isn't the final subdomain
<         if (i+1 < 4)
<           ret += ".";
<       }         
<     }
<     else { // continue as normal
1087c1054
<     }
---
>


Again, this hasn't been tested (so may not run, i'm not fully set up to debug the ff version, and not a javascript guru) but should be pretty close and only require a few modifications.  Hope it'll be useful.

Rich.

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Re: IP address parsed improperly
« Reply #9 on: November 14, 2008, 09:47:55 PM »
Using regex, you get a better check. Question being how detail do you want the regex to be.

Man, I'm hating the lack of free time I have because of my job right now :(

Simple regex string (can catch invalid ips like 999.999.999.999): \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\
One that doesn't catch invalid IPs, I think this may work: ([1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])

Yea, that's ugly. I think I saw one that would be better somewhere though.
« Last Edit: November 14, 2008, 09:53:11 PM by Miquel 'Fire' Burns »
"I'm not drunk, just sleep deprived."

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Re: IP address parsed improperly
« Reply #10 on: November 15, 2008, 03:09:29 AM »
Miquel, you can write the code more  concisely with a regex, but I'm not convinced such code can provide any "better" of a check than non-reg-ex code. And, in fact, non-reg-ex code is generally faster in javascript than its regex equivalent.You can run a few quick benchmarks like so to see what I mean:

Date t1 = new Date(); // now
// do regex or  non-regex check for ip addresses
dump(new Date() - t1); // msec elapsed

In any case, I'm not particular which way we implement it since this section of code isn't particularly sensitive to posible performance hits.

rich, thanks for the contribution. One of us (or you) needs to test this before committing it, though...
« Last Edit: November 15, 2008, 03:11:36 AM by Eric H. Jung »

PasswordMaker Forums

Re: IP address parsed improperly
« Reply #10 on: November 15, 2008, 03:09:29 AM »