This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 17208c645d68d2af1444ee8c64f36a9b8f0ba76f
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Apr 13 12:20:06 2021 +0100
Expand tests and fix escaping issue in userRoleAttribute filter
---
 java/org/apache/catalina/realm/JNDIRealm.java | 6 ++++--
 test/org/apache/catalina/realm/TestJNDIRealmIntegration.java | 8 +++++---
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java
index cdb9f9e..59a56d8 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -1883,11 +1883,13 @@ public class JNDIRealm extends RealmBase {
 return list;
 }
- // Set up parameters for an appropriate search
+ // Set up parameters for an appropriate search filter
+ // The dn is already attribute value escaped but the others are not
+ // This is a filter so all input will require filter escaping
 String filter = connection.roleFormat.format(new String[] {
 doFilterEscaping(dn),
 doFilterEscaping(doAttributeValueEscaping(username)),
- userRoleId });
+ doFilterEscaping(doAttributeValueEscaping(userRoleId)) });
 SearchControls controls = new SearchControls();
 if (roleSubtree) {
 controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
index 3d9969e..8302e47 100644
--- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
+++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
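Review bot: In the JNDIRealm.java hunk, the new `doFilterEscaping(doAttributeValueEscaping(userRoleId))` argument (like the existing `username` one) assumes `{1}` and `{2}` are always substituted inside a DN-valued assertion such as `member=cn={2},...`. If a deployment's roleSearch uses them as a plain value, for example `memberUid={1}`, the backslashes added by attribute value escaping are then filter-escaped and matched literally, so names containing DN special characters would resolve no roles; that fails closed, but it is worth documenting. I would extend the added comment with `// Attribute value escaping must run first so filter escaping also encodes the backslashes it adds; {1} and {2} are assumed to be used as RDN values`. Both helpers and the origin of userRoleId are outside the hunk, as are the start and end of the enclosing method, so confirm the helpers tolerate a null userRoleId when userRoleAttribute is not configured.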
@@ -48,13 +48,14 @@ public class TestJNDIRealmIntegration {
 private static final String USER_BASE = "ou=people,dc=example,dc=com";
 private static final String ROLE_SEARCH_A = "member={0}";
 private static final String ROLE_SEARCH_B = "member=cn={1},ou=people,dc=example,dc=com";
+ private static final String ROLE_SEARCH_C = "member=cn={2},ou=people,dc=example,dc=com";
 private static InMemoryDirectoryServer ldapServer;
 @Parameterized.Parameters(name = "{index}: user[{3}], pwd[{4}]")
 public static Collection<Object[]> parameters() {
 List<Object[]> parameterSets = new ArrayList<>();
- for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B }) {
+ for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B, ROLE_SEARCH_C }) {
 addUsers(USER_PATTERN, null, null, roleSearch, parameterSets);
 addUsers(null, USER_SEARCH, USER_BASE, roleSearch, parameterSets);
 }
@@ -128,6 +129,7 @@ public class TestJNDIRealmIntegration {
 try (LDAPConnection conn = ldapServer.getConnection()) {
+ // Note: Only the DNs need attribute value escaping
 AddRequest addBase = new AddRequest(
 "dn: dc=example,dc=com",
 "objectClass: top",
@@ -159,7 +161,7 @@ public class TestJNDIRealmIntegration {
 "objectClass: top",
 "objectClass: person",
 "objectClass: organizationalPerson",
- "cn: t\\;",
+ "cn: t;",
 "sn: Tsemicolon",
 "userPassword: test");
 result = conn.processOperation(addUserTestSemicolon);
@@ -170,7 +172,7 @@ public class TestJNDIRealmIntegration {
 "objectClass: top",
 "objectClass: person",
 "objectClass: organizationalPerson",
- "cn: t\\*",
+ "cn: t*",
 "sn: Tasterisk",
 "userPassword: test");
 result = conn.processOperation(addUserTestAsterisk);
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
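Review bot: The fixture users touched in the last two hunks of TestJNDIRealmIntegration.java cover only `;` and `*` in `cn`, so the new ROLE_SEARCH_C pattern in the first hunk exercises the `{2}` escaping for one DN special character and one filter metacharacter. As far as the visible hunks show, no user has `(`, `)` or `\` in its name, which are the other characters the filter-escaping half of the fix has to encode; adding one such user next to `t;` and `t*` would pin that behaviour. The realm setup that populates `{2}` from userRoleAttribute lies outside these hunks, so confirm it is configured for every parameter set that uses ROLE_SEARCH_C.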