[Cyberduck-trac] [Cyberduck] #9073: BasicAuth header being sent on first request
Cyberduck
trac at trac.cyberduck.io
Tue Oct 27 07:59:53 UTC 2015
#9073: BasicAuth header being sent on first request
------------------------------+----------------------------
Reporter: rok | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: mountain duck | Version: 4.7.3
Severity: normal | Keywords:
Architecture: Intel | Platform: Mac OS X 10.11
------------------------------+----------------------------
In Mountain Duck the BasicAuth header is being sent on first try unlike on
Cyberduck, where it tries to login anonymously. So if for an instance you
decide to return 403 forbidden error on server in case a user tries to
access WebDAV through HTTP it simply aborts the login process in Cyberduck
and the user credentials are not being sent. However that is not the case
with Mountain duck. I do notice that it warns the user about sending
username and password in plain text, but there could be another layer of
security that at first tries to connect to server over HTTP and if it gets
Forbidden or some sort of an error that it displays it to the user,
instead of blindly sending the BasicAuth credentials.
--
Ticket URL: <https://trac.cyberduck.io/ticket/9073>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
More information about the Cyberduck-trac
mailing list