
Double requests being sent to server with auth #282

Closed
mitchellsundt opened this issue Jul 9, 2015 · 11 comments

Comments

@mitchellsundt
Contributor

mitchellsundt commented Jul 9, 2015

Migrated to getodk/collect#40 by spacetelescope/github-issues-import

Originally reported on Google Code with ID 281

What steps will reproduce the problem?
1. Upload a form to any auth-enabled server
2.
3.

What is the expected output? What do you see instead?
One would expect one HEAD to get the 401, then another HEAD with the proper credentials,
and then one POST to do the upload. Instead two POSTs are being sent. So evidently
the credentials are not being sent preemptively.

What version of the product are you using? On what operating system?
1.1.7RC, Android 2.3.4

Please provide any additional information below.

Reported by tomsmyth on 2011-07-28 15:59:13

@mitchellsundt
Contributor Author

mitchellsundt commented Jul 9, 2015

Migrated to opendatakit/collect#40 (comment) by spacetelescope/github-issues-import

Fixed with this patch. I think this should be classified as an enhancement.

Reported by tomsmyth on 2011-07-28 16:02:59


- _Attachment: [diff.diff](https://storage.googleapis.com/google-code-attachments/opendatakit/issue-281/comment-1/diff.diff)_

@mitchellsundt
Contributor Author

mitchellsundt commented Jul 9, 2015

Migrated to opendatakit/collect#40 (comment) by spacetelescope/github-issues-import

Reported by wbrunette on 2011-07-29 00:27:18

  • Labels added: Type-Enhancement, Collect
  • Labels removed: Type-Defect

@mitchellsundt
Contributor Author

mitchellsundt commented Jul 9, 2015

Migrated to opendatakit/collect#40 (comment) by spacetelescope/github-issues-import

"The patch should probably be changed to do preemptive auth only if the target host
port is 8443 or 443; what we really want to do is only send credentials if the intended
scheme is https, but I don't know how to do that."
-- mitch

Reported by yanokwa on 2011-07-29 20:46:37

@mitchellsundt
Contributor Author

mitchellsundt commented Jul 9, 2015

Migrated to opendatakit/collect#40 (comment) by spacetelescope/github-issues-import

This issue was closed by revision 9b24ad8c72e0.

Reported by carlhartung on 2011-09-27 21:58:26

  • Status changed: Fixed

@mitchellsundt
Contributor Author

mitchellsundt commented Jul 9, 2015

Migrated to opendatakit/collect#40 (comment) by spacetelescope/github-issues-import

I realized I attached the wrong patch to this. The proper one is attached to this message.
It includes a new function in WebUtils.java.

I'm not quite sure I understand Mitch's comment above. If I did perhaps I could suggest
something.

Reported by tomsmyth on 2011-10-20 15:12:54


- _Attachment: [preemptive-auth.patch](https://storage.googleapis.com/google-code-attachments/opendatakit/issue-281/comment-5/preemptive-auth.patch)_

@mitchellsundt
Contributor Author

mitchellsundt commented Jul 9, 2015

Migrated to opendatakit/collect#40 (comment) by spacetelescope/github-issues-import

The issue with your patch is that you don't check that the communications channel is
running within an HTTPS pipe before proactively attaching the username and password.
Basic auth credentials are sent in plaintext (base64 encoded). By not first ensuring
you are operating within an HTTPS pipe, you have ended up broadcasting your username
and password, in plaintext, to the world.

Not sure what fix carl and yaw implemented, but a simple check to mitigate this erroneous
wide disclosure of username and password is to first ensure that the server is being
contacted on port 443 or 8443; those are, by convention, the https and non-privileged
alternate https ports for a webserver.

Reported by mitchellsundt on 2011-10-20 17:12:53
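An added illustration of the point made in the comment above and in the earlier quoted one (not code from the ODK Collect project or its patches): a constructed server that challenges with 401, a client that either waits for the challenge (two POSTs) or volunteers Basic credentials up front, and the scheme check versus the 443/8443 port heuristic that decides when volunteering is acceptable. `FakeServer`, `upload` and the example.invalid URLs are assumptions for the demonstration.

```python
import base64
from urllib.parse import urlsplit

# Conventional HTTPS ports named in the thread (443 and the non-privileged 8443).
HTTPS_PORTS = {443, 8443}


def channel_is_encrypted(url: str, by_port_only: bool = False) -> bool:
    """Return True if it is safe to volunteer Basic credentials to this URL.

    by_port_only=True reproduces the port heuristic floated in the thread;
    the default checks the scheme, which the thread says is what is wanted.
    """
    parts = urlsplit(url)
    if by_port_only:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        return port in HTTPS_PORTS
    return parts.scheme.lower() == "https"


def basic_header(user: str, password: str) -> dict:
    """Build the Basic Authorization header: base64 is encoding, not secrecy."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


class FakeServer:
    """Constructed stand-in for an auth-enabled server: 401 until creds match."""

    def __init__(self, user: str, password: str):
        self.expected = basic_header(user, password)["Authorization"]
        self.requests = []  # methods seen, to count the round trips

    def handle(self, method: str, headers: dict) -> int:
        self.requests.append(method)
        return 200 if headers.get("Authorization") == self.expected else 401


def upload(server: FakeServer, url: str, user: str, password: str,
           preemptive: bool) -> tuple:
    """POST with creds up front only over https; returns (status, POST count)."""
    headers = {}
    if preemptive and channel_is_encrypted(url):
        headers = basic_header(user, password)
    status = server.handle("POST", headers)
    if status == 401:  # original challenge/response path: the second POST
        status = server.handle("POST", basic_header(user, password))
    return status, len(server.requests)
```

With `preemptive=True` the upload over https takes one POST; over plain http the credentials are not volunteered and the client falls back to the two-POST challenge path the issue describes.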

@mitchellsundt
Contributor Author

mitchellsundt commented Jul 9, 2015

Migrated to opendatakit/collect#40 (comment) by spacetelescope/github-issues-import

I understand what you're saying now. I'll take a crack at this and get back to y'all.

Reported by tomsmyth on 2011-10-20 18:42:57

@mitchellsundt
Contributor Author

mitchellsundt commented Jul 9, 2015

Migrated to opendatakit/collect#40 (comment) by spacetelescope/github-issues-import

Reported by yanokwa on 2011-10-20 20:47:36

  • Status changed: Accepted

@mitchellsundt
Contributor Author

mitchellsundt commented Jul 9, 2015

Migrated to opendatakit/collect#40 (comment) by spacetelescope/github-issues-import

I think a change accomplishing this was checked into the code base and is already in
the mainline.

Reported by mitchellsundt on 2011-10-20 20:54:39

@mitchellsundt
Contributor Author

mitchellsundt commented Jul 9, 2015

Migrated to opendatakit/collect#40 (comment) by spacetelescope/github-issues-import

I believe that was on a different but related issue. I have checked the trunk and this
issue still exists. My patch fixes it, but your earlier comment still applies and I
will address it when I get time.

Reported by tomsmyth on 2011-10-21 02:12:44

@mitchellsundt
Contributor Author

mitchellsundt commented Jul 9, 2015

Migrated to opendatakit/collect#40 (comment) by spacetelescope/github-issues-import

Reported by yanokwa on 2012-05-25 20:10:08
