Author: markt
Date: Mon Sep 29 19:24:38 2014
New Revision: 1628266
URL: http://svn.apache.org/r1628266
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57027
Add additional validation for stored credentials used by Realms when the
credential is stored using hex encoding.
Modified:
tomcat/trunk/java/org/apache/catalina/realm/DigestCredentialHandlerBase.java
tomcat/trunk/java/org/apache/tomcat/util/buf/HexUtils.java
tomcat/trunk/java/org/apache/tomcat/util/buf/LocalStrings.properties
tomcat/trunk/test/org/apache/tomcat/util/buf/TestHexUtils.java
tomcat/trunk/webapps/docs/changelog.xml
Modified:
tomcat/trunk/java/org/apache/catalina/realm/DigestCredentialHandlerBase.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/DigestCredentialHandlerBase.java?rev=1628266&r1=1628265&r2=1628266&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/catalina/realm/DigestCredentialHandlerBase.java
(original)
+++
tomcat/trunk/java/org/apache/catalina/realm/DigestCredentialHandlerBase.java
Mon Sep 29 19:24:38 2014
@@ -150,12 +150,7 @@ public abstract class DigestCredentialHa
if (sep1 < 0 || sep2 < 0) {
// Stored credentials are invalid
// This may be expected if nested credential handlers are being
used
- if (logInvalidStoredCredentials) {
- // Logging credentials could be a security concern but they are
- // invalid and that is probably a bigger problem
-
getLog().warn(sm.getString("credentialHandler.invalidStoredCredential",
- storedCredentials));
- }
+ logInvalidStoredCredentials(storedCredentials);
return false;
}
@@ -164,7 +159,13 @@ public abstract class DigestCredentialHa
int iterations = Integer.parseInt(storedCredentials.substring(sep1 +
1, sep2));
String storedHexEncoded = storedCredentials.substring(sep2 + 1);
- byte[] salt = HexUtils.fromHexString(hexSalt);
+ byte[] salt;
+ try {
+ salt = HexUtils.fromHexString(hexSalt);
+ } catch (IllegalArgumentException iae) {
+ logInvalidStoredCredentials(storedCredentials);
+ return false;
+ }
String inputHexEncoded = mutate(inputCredentials, salt, iterations);
@@ -172,6 +173,16 @@ public abstract class DigestCredentialHa
}
+ private void logInvalidStoredCredentials(String storedCredentials) {
+ if (logInvalidStoredCredentials) {
+ // Logging credentials could be a security concern but they are
+ // invalid and that is probably a bigger problem
+
getLog().warn(sm.getString("credentialHandler.invalidStoredCredential",
+ storedCredentials));
+ }
+ }
+
+
/**
* Get the default salt length used by the {@link CredentialHandler}.
*/
Modified: tomcat/trunk/java/org/apache/tomcat/util/buf/HexUtils.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/buf/HexUtils.java?rev=1628266&r1=1628265&r2=1628266&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/buf/HexUtils.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/buf/HexUtils.java Mon Sep 29
19:24:38 2014
@@ -16,6 +16,8 @@
*/
package org.apache.tomcat.util.buf;
+import org.apache.tomcat.util.res.StringManager;
+
/**
* Tables useful when converting byte arrays to and from strings of hexadecimal
* digits.
@@ -25,6 +27,8 @@ package org.apache.tomcat.util.buf;
*/
public final class HexUtils {
+ private static final StringManager sm =
+ StringManager.getManager(Constants.Package);
// -------------------------------------------------------------- Constants
@@ -93,10 +97,21 @@ public final class HexUtils {
return null;
}
+ if (input.length() % 2 == 1) {
+ // Odd number of characters
+ throw new
IllegalArgumentException(sm.getString("hexUtils.fromHex.oddDigits"));
+ }
+
char[] inputChars = input.toCharArray();
byte[] result = new byte[input.length() >> 1];
for (int i = 0; i < result.length; i++) {
- result[i] = (byte) ((getDec(inputChars[2*i]) << 4) +
getDec(inputChars[2*i + 1]));
+ int upperNibble = getDec(inputChars[2*i]);
+ int lowerNibble = getDec(inputChars[2*i + 1]);
+ if (upperNibble < 0 || lowerNibble < 0) {
+ // Non hex character
+ throw new
IllegalArgumentException(sm.getString("hexUtils.fromHex.nonHex"));
+ }
+ result[i] = (byte) ((upperNibble << 4) + lowerNibble);
}
return result;
}
Modified: tomcat/trunk/java/org/apache/tomcat/util/buf/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/buf/LocalStrings.properties?rev=1628266&r1=1628265&r2=1628266&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/buf/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/buf/LocalStrings.properties Mon
Sep 29 19:24:38 2014
@@ -16,6 +16,8 @@
b2cConverter.unknownEncoding=The character encoding [{0}] is not supported
c2bConverter.recycleFailed=Failed to recycle the C2B Converter. Creating new
BufferedWriter, WriteConvertor and IntermediateOutputStream.
+hexUtils.fromHex.oddDigits=The input must consist of an even number of hex
digits
+hexUtils.fromHex.nonHex=The input must consist only of hex digits
uDecoder.urlDecode.missingDigit=The % character must be followed by two
hexademical digits
uDecoder.convertHexDigit.notHex=[{0}] is not a hexadecimal digit
uDecoder.urlDecode.uee=Unable to URL decode the specified input since the
encoding [{0}] is not supported.
Modified: tomcat/trunk/test/org/apache/tomcat/util/buf/TestHexUtils.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/buf/TestHexUtils.java?rev=1628266&r1=1628265&r2=1628266&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/buf/TestHexUtils.java (original)
+++ tomcat/trunk/test/org/apache/tomcat/util/buf/TestHexUtils.java Mon Sep 29
19:24:38 2014
@@ -57,4 +57,15 @@ public class TestHexUtils {
Assert.assertArrayEquals(TEST02_STRING, TEST02_BYTES,
HexUtils.fromHexString(HexUtils.toHexString(TEST02_BYTES)));
}
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testFromHex01() {
+ HexUtils.fromHexString("Not a hex string");
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testFromHex02() {
+ // Odd number of hex characters
+ HexUtils.fromHexString("aaa");
+ }
}
\ No newline at end of file
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1628266&r1=1628265&r2=1628266&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Mon Sep 29 19:24:38 2014
@@ -76,6 +76,10 @@
name only cookies. (markt)
</fix>
<fix>
+ <bug>57027</bug>: Add additional validation for stored credentials used
+ by Realms when the credential is stored using hex encoding. (markt)
+ </fix>
+ <fix>
<bug>57038</bug>: Add a <code>WebResource.getCoseBase()</code> method,
implement for all <code>WebResource</code> implementations and then use
it in the web application class loader to set the correct code base for
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
