Author: markt Date: Mon Sep 29 19:24:38 2014 New Revision: 1628266 URL: http://svn.apache.org/r1628266 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57027 Add additional validation for stored credentials used by Realms when the credential is stored using hex encoding.
Modified: tomcat/trunk/java/org/apache/catalina/realm/DigestCredentialHandlerBase.java tomcat/trunk/java/org/apache/tomcat/util/buf/HexUtils.java tomcat/trunk/java/org/apache/tomcat/util/buf/LocalStrings.properties tomcat/trunk/test/org/apache/tomcat/util/buf/TestHexUtils.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/realm/DigestCredentialHandlerBase.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/DigestCredentialHandlerBase.java?rev=1628266&r1=1628265&r2=1628266&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/realm/DigestCredentialHandlerBase.java (original) +++ tomcat/trunk/java/org/apache/catalina/realm/DigestCredentialHandlerBase.java Mon Sep 29 19:24:38 2014 @@ -150,12 +150,7 @@ public abstract class DigestCredentialHa if (sep1 < 0 || sep2 < 0) { // Stored credentials are invalid // This may be expected if nested credential handlers are being used - if (logInvalidStoredCredentials) { - // Logging credentials could be a security concern but they are - // invalid and that is probably a bigger problem - getLog().warn(sm.getString("credentialHandler.invalidStoredCredential", - storedCredentials)); - } + logInvalidStoredCredentials(storedCredentials); return false; } @@ -164,7 +159,13 @@ public abstract class DigestCredentialHa int iterations = Integer.parseInt(storedCredentials.substring(sep1 + 1, sep2)); String storedHexEncoded = storedCredentials.substring(sep2 + 1); - byte[] salt = HexUtils.fromHexString(hexSalt); + byte[] salt; + try { + salt = HexUtils.fromHexString(hexSalt); + } catch (IllegalArgumentException iae) { + logInvalidStoredCredentials(storedCredentials); + return false; + } String inputHexEncoded = mutate(inputCredentials, salt, iterations); @@ -172,6 +173,16 @@ public abstract class DigestCredentialHa } + private void logInvalidStoredCredentials(String storedCredentials) { + if (logInvalidStoredCredentials) { + // Logging credentials could be a security concern but they are + // invalid and that is probably a bigger problem + getLog().warn(sm.getString("credentialHandler.invalidStoredCredential", + storedCredentials)); + } + } + + /** * Get the default salt length used by the {@link CredentialHandler}. */ Modified: tomcat/trunk/java/org/apache/tomcat/util/buf/HexUtils.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/buf/HexUtils.java?rev=1628266&r1=1628265&r2=1628266&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/buf/HexUtils.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/buf/HexUtils.java Mon Sep 29 19:24:38 2014 @@ -16,6 +16,8 @@ */ package org.apache.tomcat.util.buf; +import org.apache.tomcat.util.res.StringManager; + /** * Tables useful when converting byte arrays to and from strings of hexadecimal * digits. @@ -25,6 +27,8 @@ package org.apache.tomcat.util.buf; */ public final class HexUtils { + private static final StringManager sm = + StringManager.getManager(Constants.Package); // -------------------------------------------------------------- Constants @@ -93,10 +97,21 @@ public final class HexUtils { return null; } + if (input.length() % 2 == 1) { + // Odd number of characters + throw new IllegalArgumentException(sm.getString("hexUtils.fromHex.oddDigits")); + } + char[] inputChars = input.toCharArray(); byte[] result = new byte[input.length() >> 1]; for (int i = 0; i < result.length; i++) { - result[i] = (byte) ((getDec(inputChars[2*i]) << 4) + getDec(inputChars[2*i + 1])); + int upperNibble = getDec(inputChars[2*i]); + int lowerNibble = getDec(inputChars[2*i + 1]); + if (upperNibble < 0 || lowerNibble < 0) { + // Non hex character + throw new IllegalArgumentException(sm.getString("hexUtils.fromHex.nonHex")); + } + result[i] = (byte) ((upperNibble << 4) + lowerNibble); } return result; } Modified: tomcat/trunk/java/org/apache/tomcat/util/buf/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/buf/LocalStrings.properties?rev=1628266&r1=1628265&r2=1628266&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/buf/LocalStrings.properties (original) +++ tomcat/trunk/java/org/apache/tomcat/util/buf/LocalStrings.properties Mon Sep 29 19:24:38 2014 @@ -16,6 +16,8 @@ b2cConverter.unknownEncoding=The character encoding [{0}] is not supported c2bConverter.recycleFailed=Failed to recycle the C2B Converter. Creating new BufferedWriter, WriteConvertor and IntermediateOutputStream. +hexUtils.fromHex.oddDigits=The input must consist of an even number of hex digits +hexUtils.fromHex.nonHex=The input must consist only of hex digits uDecoder.urlDecode.missingDigit=The % character must be followed by two hexademical digits uDecoder.convertHexDigit.notHex=[{0}] is not a hexadecimal digit uDecoder.urlDecode.uee=Unable to URL decode the specified input since the encoding [{0}] is not supported. Modified: tomcat/trunk/test/org/apache/tomcat/util/buf/TestHexUtils.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/buf/TestHexUtils.java?rev=1628266&r1=1628265&r2=1628266&view=diff ============================================================================== --- tomcat/trunk/test/org/apache/tomcat/util/buf/TestHexUtils.java (original) +++ tomcat/trunk/test/org/apache/tomcat/util/buf/TestHexUtils.java Mon Sep 29 19:24:38 2014 @@ -57,4 +57,15 @@ public class TestHexUtils { Assert.assertArrayEquals(TEST02_STRING, TEST02_BYTES, HexUtils.fromHexString(HexUtils.toHexString(TEST02_BYTES))); } + + @Test(expected=IllegalArgumentException.class) + public void testFromHex01() { + HexUtils.fromHexString("Not a hex string"); + } + + @Test(expected=IllegalArgumentException.class) + public void testFromHex02() { + // Odd number of hex characters + HexUtils.fromHexString("aaa"); + } } \ No newline at end of file Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1628266&r1=1628265&r2=1628266&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Mon Sep 29 19:24:38 2014 @@ -76,6 +76,10 @@ name only cookies. (markt) </fix> <fix> + <bug>57027</bug>: Add additional validation for stored credentials used + by Realms when the credential is stored using hex encoding. (markt) + </fix> + <fix> <bug>57038</bug>: Add a <code>WebResource.getCoseBase()</code> method, implement for all <code>WebResource</code> implementations and then use it in the web application class loader to set the correct code base for --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org