http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18355

HttpState cannot differentiate credentials for different hosts with same Realm names

------- Additional Comments From [EMAIL PROTECTED] 2003-04-03 10:26 -------

Hmm, I believe I've just experienced a solid teaching in basic Java...

There were a couple of problems with the class Oleg sent through that took me quite a while to work out.

Firstly, when I switched to using it, the credential matching routine didn't work. Turns out that equals will return true in cases where the hashCodes don't match (particularly the case where one object has a null realm and the other doesn't). So the comparison logic has to remain in HttpState by trying an HttpAuthRealm with host and realm, then with null realm, then with null host, then with both null.

Secondly, my test case for the spoofed realm exploit Chris Brown pointed out still failed. The reason is that HashMap only compares the hashCodes of the objects and never consults equals. The hashCode did not include the realm if it was null (and likewise for the domain). This then resulted in:

    new HttpAuthRealm(null, "admin.apache.org").hashCode() == new HttpAuthRealm("admin.apache.org", null).hashCode()

coming down to:

    "admin.apache.org".hashCode() == "admin.apache.org".hashCode()

which of course returns true.

I've now modified the class to always add the host and realm regardless of whether they are null or not. Thus the comparison for the above case becomes:

    "nulladmin.apache.org".hashCode() == "admin.apache.orgnull".hashCode()

and avoids the exploit. (Notice that titling the realm "admin.apache.orgnull" would not help either, since it would become "nulladmin.apache.orgnull".)

Since the whole process is now effectively back to String comparisons, I've removed the use of HttpAuthRealm again and all tests still pass (including the spoof vulnerability test).
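The following is an added illustration, not HttpClient's own code: it models the two key-derivation schemes the comment describes (drop null components vs. always append both, with a null contributing the literal text "null" as Java string concatenation does) together with the host/realm fallback order, and shows why the first scheme hands the credentials stored for admin.apache.org to a challenge from an unrelated host whose realm is named "admin.apache.org". The store class, host names and secret are constructed for the example.

```python
from typing import Callable, Dict, Optional

# Key derivation: (host, realm) -> string used as the credential map key.
KeyFn = Callable[[Optional[str], Optional[str]], str]


def legacy_key(host: Optional[str], realm: Optional[str]) -> str:
    """Original scheme: concatenate host and realm, dropping a component that is null."""
    return (host or "") + (realm or "")


def fixed_key(host: Optional[str], realm: Optional[str]) -> str:
    """Fixed scheme: always append both; a null component contributes the text 'null',
    mirroring Java string concatenation with a null reference."""
    return ("null" if host is None else host) + ("null" if realm is None else realm)


class CredentialStore:
    """Constructed stand-in for the credentials map in HttpState, keyed by key_fn."""

    def __init__(self, key_fn: KeyFn) -> None:
        self._key_fn = key_fn
        self._creds: Dict[str, str] = {}

    def set_credentials(self, host: Optional[str], realm: Optional[str], secret: str) -> None:
        self._creds[self._key_fn(host, realm)] = secret

    def get_credentials(self, host: Optional[str], realm: Optional[str]) -> Optional[str]:
        # Fallback order from the comment: exact match, any realm, any host, default.
        for h, r in ((host, realm), (host, None), (None, realm), (None, None)):
            secret = self._creds.get(self._key_fn(h, r))
            if secret is not None:
                return secret
        return None


def spoof_outcome(key_fn: KeyFn) -> Optional[str]:
    """Credentials are registered for host admin.apache.org with no realm; a different
    host then challenges with a realm named 'admin.apache.org'. Returns what is returned
    to that host (None means the lookup correctly misses)."""
    store = CredentialStore(key_fn)
    store.set_credentials("admin.apache.org", None, "admin-password")  # constructed
    return store.get_credentials("other.example", "admin.apache.org")  # constructed
```

With legacy_key the lookup collapses to the key "admin.apache.org" on the third fallback step and leaks the password; with fixed_key the keys are "nulladmin.apache.org" and "admin.apache.orgnull" and the lookup misses.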