Author: markt
Date: Tue Jun 12 13:26:10 2012
New Revision: 1349321
URL: http://svn.apache.org/viewvc?rev=1349321&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=52954
Be tolerant of slightly broken Android implementation of DIGEST auth. Security
is not impacted.
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1349317
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java?rev=1349321&r1=1349320&r2=1349321&view=diff
==============================================================================
---
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java
(original)
+++
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java
Tue Jun 12 13:26:10 2012
@@ -580,7 +580,23 @@ public class DigestAuthenticator extends
uriQuery = request.getRequestURI() + "?" + query;
}
if (!uri.equals(uriQuery)) {
- return false;
+ // Some clients (older Android) use an absolute URI for
+ // DIGEST but a relative URI in the request line.
+ // request. 2.3.5 < fixed Android version <= 4.0.3
+ String host = request.getHeader("host");
+ String scheme = request.getScheme();
+ if (host != null && !uriQuery.startsWith(scheme)) {
+ StringBuilder absolute = new StringBuilder();
+ absolute.append(scheme);
+ absolute.append("://");
+ absolute.append(host);
+ absolute.append(uriQuery);
+ if (!uri.equals(absolute.toString())) {
+ return false;
+ }
+ } else {
+ return false;
+ }
}
}
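Review bot: The Host header is appended unvalidated at `absolute.append(host);`, so if a value containing a path separator (constructed example: `h/a`) reaches this code, a digest computed for `http://h/a/b` would be accepted for a request to `/b`, loosening the per-resource binding this URI check exists to enforce (nonce and nc tracking elsewhere still bound the replay window, and whether the connector rejects such Host values before this point is not visible here). A cheap guard keeps the tolerance while closing that gap: `if (host != null && host.indexOf('/') < 0 && !uriQuery.startsWith(scheme)) {`, or build the absolute form from `request.getServerName()` and `request.getServerPort()` instead of the raw header. The new comment also carries a stray duplicated word; `// DIGEST but a relative URI in the request line.` followed directly by `// 2.3.5 < fixed Android version <= 4.0.3` reads cleanly. The enclosing method starts before and continues after this hunk.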
@@ -642,7 +658,9 @@ public class DigestAuthenticator extends
if (cnonce == null || nc == null) {
return false;
}
- if (nc.length() != 8) {
+ // RFC 2617 says nc must be 8 digits long. Older Android
clients
+ // use 6. 2.3.5 < fixed Android version <= 4.0.3
+ if (nc.length() < 6 || nc.length() > 8) {
return false;
}
long count;
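Review bot: The new range check `nc.length() < 6 || nc.length() > 8` also admits 7-digit values, which neither RFC 2617 nor the Android case described in the comment calls for; the tolerance is more precisely expressed as `if (nc.length() != 6 && nc.length() != 8) {`. Keeping the accepted lengths explicit documents exactly which deviation is being accommodated and avoids silently widening the parser's input space. The subsequent parse into `count` lies outside the hunk, so whether shorter values are otherwise handled cannot be confirmed from here.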
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1349321&r1=1349320&r2=1349321&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Tue Jun 12 13:26:10 2012
@@ -60,6 +60,11 @@
<bug>52055</bug>: An additional fix to ensure that the
ChunkedInputFilter is correctly recycled. (markt)
</fix>
+ <add>
+ <bug>52954</bug>: Make DIGEST authentication tolerant of clients
(mainly
+ older Android implementations) that do not follow RFC 2617 exactly.
+ (markt)
+ </add>
<update>
<bug>52955</bug>: Implement custom thread factory for container
start-stop thread pool. It allows to use daemon threads and give