Posted to dev@tomcat.apache.org by sc...@apache.org on 2022/08/08 16:57:51 UTC

[tomcat] branch 10.0.x updated (53ba52616d -> 170331b7c8)

This is an automated email from the ASF dual-hosted git repository.

schultz pushed a change to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


    from 53ba52616d Fix another edge case spotted by Han Li
     new cb5052b284 Propertly-escape role and group information when writing MemoryUserDatabase to an XML file.
     new 6e39b23cae Move logic to export MemoryUserDatabase to XML to be completely inside MemoryUserDatabase.save().
     new 170331b7c8 Fix typo

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 java/org/apache/catalina/users/MemoryGroup.java    | 12 ++--
 java/org/apache/catalina/users/MemoryRole.java     |  8 ++-
 java/org/apache/catalina/users/MemoryUser.java     |  2 +
 .../apache/catalina/users/MemoryUserDatabase.java  | 72 +++++++++++++++++++---
 .../catalina/users/MemoryUserDatabaseTests.java    | 40 ++++++++++++
 webapps/docs/changelog.xml                         |  9 +++
 6 files changed, 126 insertions(+), 17 deletions(-)




[tomcat] 03/03: Fix typo

Posted by sc...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 170331b7c8a30b76c6ab33c2eb738703490be919
Author: Christopher Schultz <ch...@christopherschultz.net>
AuthorDate: Thu Aug 4 13:25:45 2022 -0400

    Fix typo
---
 webapps/docs/changelog.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e773afde8e..444c8b1de4 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -127,6 +127,7 @@
         Move control of XML-export logic from individual support classes into
         MemoryUserDatabase.save(). Deprecate and discontinue use of MemoryUser,
         MemoryRole, and MemoryGroup classes. (schultz)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">




[tomcat] 02/03: Move logic to export MemoryUserDatabase to XML to be completely inside MemoryUserDatabase.save().

Posted by sc...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 6e39b23caeab8c6bffdac6775828f83c311cb128
Author: Christopher Schultz <ch...@christopherschultz.net>
AuthorDate: Wed Aug 3 13:30:18 2022 -0400

    Move logic to export MemoryUserDatabase to XML to be completely inside MemoryUserDatabase.save().
    
    Also deprecate and discontinue usage of the MemoryUser, MemoryRole, and MemoryGroup classes.
---
 java/org/apache/catalina/users/MemoryGroup.java    |  2 +
 java/org/apache/catalina/users/MemoryRole.java     |  2 +
 java/org/apache/catalina/users/MemoryUser.java     |  2 +
 .../apache/catalina/users/MemoryUserDatabase.java  | 72 +++++++++++++++++++---
 webapps/docs/changelog.xml                         |  6 +-
 5 files changed, 73 insertions(+), 11 deletions(-)

diff --git a/java/org/apache/catalina/users/MemoryGroup.java b/java/org/apache/catalina/users/MemoryGroup.java
index dfd02c4dcf..9de5b959f9 100644
--- a/java/org/apache/catalina/users/MemoryGroup.java
+++ b/java/org/apache/catalina/users/MemoryGroup.java
@@ -28,7 +28,9 @@ import org.apache.tomcat.util.security.Escape;
  *
  * @author Craig R. McClanahan
  * @since 4.1
+ * @deprecated Use {@link GenericGroup} instead.
  */
+@Deprecated
 public class MemoryGroup extends GenericGroup<MemoryUserDatabase> {
 
 
diff --git a/java/org/apache/catalina/users/MemoryRole.java b/java/org/apache/catalina/users/MemoryRole.java
index 3f0f5855c7..08f6cec0bf 100644
--- a/java/org/apache/catalina/users/MemoryRole.java
+++ b/java/org/apache/catalina/users/MemoryRole.java
@@ -26,7 +26,9 @@ import org.apache.tomcat.util.security.Escape;
  *
  * @author Craig R. McClanahan
  * @since 4.1
+ * @deprecated Use {@link GenericRole} instead.
  */
+@Deprecated
 public class MemoryRole extends GenericRole<MemoryUserDatabase> {
 
 
diff --git a/java/org/apache/catalina/users/MemoryUser.java b/java/org/apache/catalina/users/MemoryUser.java
index f271fb2b3f..4d241fe6f5 100644
--- a/java/org/apache/catalina/users/MemoryUser.java
+++ b/java/org/apache/catalina/users/MemoryUser.java
@@ -27,7 +27,9 @@ import org.apache.tomcat.util.security.Escape;
  *
  * @author Craig R. McClanahan
  * @since 4.1
+ * @deprecated Use {@link GenericUser} instead.
  */
+@Deprecated
 public class MemoryUser extends GenericUser<MemoryUserDatabase> {
 
 
diff --git a/java/org/apache/catalina/users/MemoryUserDatabase.java b/java/org/apache/catalina/users/MemoryUserDatabase.java
index 207dec3010..9c0ce74851 100644
--- a/java/org/apache/catalina/users/MemoryUserDatabase.java
+++ b/java/org/apache/catalina/users/MemoryUserDatabase.java
@@ -45,6 +45,7 @@ import org.apache.tomcat.util.digester.Digester;
 import org.apache.tomcat.util.file.ConfigFileLoader;
 import org.apache.tomcat.util.file.ConfigurationSource;
 import org.apache.tomcat.util.res.StringManager;
+import org.apache.tomcat.util.security.Escape;
 import org.xml.sax.Attributes;
 
 /**
@@ -295,7 +296,7 @@ public class MemoryUserDatabase implements UserDatabase {
             throw new IllegalArgumentException(msg);
         }
 
-        MemoryGroup group = new MemoryGroup(this, groupname, description);
+        Group group = new GenericGroup(this, groupname, description, null);
         readLock.lock();
         try {
             groups.put(group.getGroupname(), group);
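Review bot: `new GenericGroup(this, groupname, description, null)` instantiates a raw type even though the class is declared as `GenericGroup<MemoryUserDatabase>` (visible in the MemoryGroup hunk above), so this line compiles with an unchecked warning; `Group group = new GenericGroup<>(this, groupname, description, null);` keeps the assignment to the `Group` interface and restores type safety. The same raw-type construction appears in the createRole and createUser hunks that follow (`new GenericRole(...)`, `new GenericUser(...)`) and should get the diamond as well. Unrelated to this commit but visible here: the `groups.put` mutation runs under `readLock`, which only makes sense if the surrounding lock discipline treats map insertion as a read of the database file state — worth confirming against the rest of the class, which starts outside this hunk.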
@@ -320,7 +321,7 @@ public class MemoryUserDatabase implements UserDatabase {
             throw new IllegalArgumentException(msg);
         }
 
-        MemoryRole role = new MemoryRole(this, rolename, description);
+        Role role = new GenericRole(this, rolename, description);
         readLock.lock();
         try {
             roles.put(role.getRolename(), role);
@@ -347,7 +348,7 @@ public class MemoryUserDatabase implements UserDatabase {
             throw new IllegalArgumentException(msg);
         }
 
-        MemoryUser user = new MemoryUser(this, username, password, fullName);
+        User user = new GenericUser(this, username, password, fullName, null, null);
         readLock.lock();
         try {
             users.put(user.getUsername(), user);
@@ -597,19 +598,70 @@ public class MemoryUserDatabase implements UserDatabase {
                 // Print entries for each defined role, group, and user
                 Iterator<?> values = null;
                 values = getRoles();
-                while (values.hasNext()) {
-                    writer.print("  ");
-                    writer.println(values.next());
+                while(values.hasNext()) {
+                    Role role = (Role)values.next();
+                    writer.print("  <role rolename=\"");
+                    writer.print(Escape.xml(role.getRolename()));
+                    writer.print("\"");
+                    if(null != role.getDescription()) {
+                        writer.print(" description=\"");
+                        writer.print(Escape.xml(role.getDescription()));
+                        writer.print("\"");
+                    }
+                    writer.println("/>");
                 }
                 values = getGroups();
                 while (values.hasNext()) {
-                    writer.print("  ");
-                    writer.println(values.next());
+                    Group group = (Group)values.next();
+                    writer.print("  <group groupname=\"");
+                    writer.print(Escape.xml(group.getName()));
+                    writer.print("\"");
+                    if(null != group.getDescription()) {
+                        writer.print(" description=\"");
+                        writer.print(Escape.xml(group.getDescription()));
+                        writer.print("\"");
+                    }
+                    writer.print(" roles=\"");
+                    for(Iterator<Role> roles=group.getRoles(); roles.hasNext(); ) {
+                        Role role = roles.next();
+                        writer.print(Escape.xml(role.getRolename()));
+                        if(roles.hasNext()) {
+                            writer.print(',');
+                        }
+                    }
+                    writer.println("\"/>");
                 }
+
                 values = getUsers();
                 while (values.hasNext()) {
-                    writer.print("  ");
-                    writer.println(((MemoryUser) values.next()).toXml());
+                    User user = (User)values.next();
+                    writer.print("  <user username=\"");
+                    writer.print(Escape.xml(user.getUsername()));
+                    writer.print("\" password=\"");
+                    writer.print(Escape.xml(user.getPassword()));
+                    writer.print("\"");
+                    if(null != user.getFullName()) {
+                        writer.print(" fullName=\"");
+                        writer.print(Escape.xml(user.getFullName()));
+                        writer.print("\"");
+                    }
+                    writer.print(" groups=\"");
+                    for(Iterator<Group> groups=user.getGroups(); groups.hasNext(); ) {
+                        Group group = groups.next();
+                        writer.print(Escape.xml(group.getGroupname()));
+                        if(groups.hasNext()) {
+                            writer.print(',');
+                        }
+                    }
+                    writer.print("\" roles=\"");
+                    for(Iterator<Role> roles=user.getRoles(); roles.hasNext(); ) {
+                        Role role = roles.next();
+                        writer.print(Escape.xml(role.getRolename()));
+                        if(roles.hasNext()) {
+                            writer.print(',');
+                        }
+                    }
+                    writer.print("\"/>");
                 }
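Review bot: The user loop ends with `writer.print("\"/>");` whereas the role and group loops end with `writer.println(...)`, so every `<user>` element and the epilog that follows are written on a single line; the old code used `println` here too, so this changes the on-disk layout of tomcat-users.xml and should be `writer.println("\"/>");`. `user.getPassword()` is the only attribute written without a null guard, and if `Escape.xml` passes null through as I believe it does, `PrintWriter.print((String) null)` will emit `password="null"` into the file — either guard it like `fullName` or confirm that `createUser` rejects null passwords. Note also that XML-escaping does not protect the comma-separated `roles`/`groups` lists: a role name containing `,` is presumably split on re-read and would not round-trip, which is pre-existing but worth a comment such as `// role/group names must not contain ',' (list separator on reload)`. The enclosing `save()` method begins and ends outside this hunk.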
 
                 // Print the file epilog
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 88b3cea52f..e773afde8e 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -120,9 +120,13 @@
         specifiers are case insensitive. (markt)
       </fix>
       <fix>
-        Propertly-escape role and group information when writing
+        Properly-escape role and group information when writing
         MemoryUserDatabase to an XML file. (schultz)
       </fix>
+      <fix>
+        Move control of XML-export logic from individual support classes into
+        MemoryUserDatabase.save(). Deprecate and discontinue use of MemoryUser,
+        MemoryRole, and MemoryGroup classes. (schultz)
     </changelog>
   </subsection>
   <subsection name="Coyote">




[tomcat] 01/03: Propertly-escape role and group information when writing MemoryUserDatabase to an XML file.

Posted by sc...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit cb5052b28443680e2d1b144723cd306f5931df00
Author: Christopher Schultz <ch...@christopherschultz.net>
AuthorDate: Wed Aug 3 13:18:51 2022 -0400

    Properly escape role and group information when writing MemoryUserDatabase to an XML file.
---
 java/org/apache/catalina/users/MemoryGroup.java    | 10 +++---
 java/org/apache/catalina/users/MemoryRole.java     |  6 ++--
 .../catalina/users/MemoryUserDatabaseTests.java    | 40 ++++++++++++++++++++++
 webapps/docs/changelog.xml                         |  4 +++
 4 files changed, 53 insertions(+), 7 deletions(-)

diff --git a/java/org/apache/catalina/users/MemoryGroup.java b/java/org/apache/catalina/users/MemoryGroup.java
index f1008ff80c..dfd02c4dcf 100644
--- a/java/org/apache/catalina/users/MemoryGroup.java
+++ b/java/org/apache/catalina/users/MemoryGroup.java
@@ -20,7 +20,7 @@ package org.apache.catalina.users;
 import org.apache.catalina.Role;
 import org.apache.catalina.UserDatabase;
 import org.apache.tomcat.util.buf.StringUtils;
-
+import org.apache.tomcat.util.security.Escape;
 
 /**
  * <p>Concrete implementation of {@link org.apache.catalina.Group} for the
@@ -52,15 +52,17 @@ public class MemoryGroup extends GenericGroup<MemoryUserDatabase> {
     @Override
     public String toString() {
         StringBuilder sb = new StringBuilder("<group groupname=\"");
-        sb.append(groupname);
+        sb.append(Escape.xml(groupname));
         sb.append("\"");
         if (description != null) {
             sb.append(" description=\"");
-            sb.append(description);
+            sb.append(Escape.xml(description));
             sb.append("\"");
         }
         sb.append(" roles=\"");
-        StringUtils.join(roles, ',', Role::getRolename, sb);
+        StringBuilder rsb = new StringBuilder();
+        StringUtils.join(roles, ',', (x) -> Escape.xml(x.getRolename()), rsb);
+        sb.append(rsb);
         sb.append("\"");
         sb.append("/>");
         return sb.toString();
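Review bot: The temporary `rsb` builder is unnecessary — the original line already passed `sb` as the sink, and `StringUtils.join(roles, ',', x -> Escape.xml(x.getRolename()), sb);` escapes each role name while appending straight into `sb` without the extra copy. Keeping the single-builder form also makes this method read like the sibling `MemoryRole.toString()` in the next hunk, which escapes in place.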
diff --git a/java/org/apache/catalina/users/MemoryRole.java b/java/org/apache/catalina/users/MemoryRole.java
index 10f6d22548..3f0f5855c7 100644
--- a/java/org/apache/catalina/users/MemoryRole.java
+++ b/java/org/apache/catalina/users/MemoryRole.java
@@ -18,7 +18,7 @@ package org.apache.catalina.users;
 
 
 import org.apache.catalina.UserDatabase;
-
+import org.apache.tomcat.util.security.Escape;
 
 /**
  * <p>Concrete implementation of {@link org.apache.catalina.Role} for the
@@ -50,11 +50,11 @@ public class MemoryRole extends GenericRole<MemoryUserDatabase> {
     @Override
     public String toString() {
         StringBuilder sb = new StringBuilder("<role rolename=\"");
-        sb.append(rolename);
+        sb.append(Escape.xml(rolename));
         sb.append("\"");
         if (description != null) {
             sb.append(" description=\"");
-            sb.append(description);
+            sb.append(Escape.xml(description));
             sb.append("\"");
         }
         sb.append("/>");
diff --git a/test/org/apache/catalina/users/MemoryUserDatabaseTests.java b/test/org/apache/catalina/users/MemoryUserDatabaseTests.java
index 5724ac7829..fa97f93e6b 100644
--- a/test/org/apache/catalina/users/MemoryUserDatabaseTests.java
+++ b/test/org/apache/catalina/users/MemoryUserDatabaseTests.java
@@ -33,6 +33,8 @@ import org.junit.Assert;
 import org.junit.BeforeClass;
 import org.junit.Test;
 
+import org.apache.catalina.Group;
+import org.apache.catalina.Role;
 import org.apache.catalina.User;
 import org.apache.catalina.realm.GenericPrincipal;
 import org.apache.catalina.realm.UserDatabaseRealm;
@@ -216,4 +218,42 @@ public class MemoryUserDatabaseTests {
 
         Assert.assertEquals(expectedNames.length, j);
     }
+
+    @Test
+    public void testDataEscaping() throws Exception {
+        File file = File.createTempFile("tomcat-users", ".xml");
+        file.deleteOnExit();
+
+        MemoryUserDatabase mud = new MemoryUserDatabase();
+        Role role = mud.createRole("role\"name", "descr&iption");
+        Group group = mud.createGroup("grou<p", null);
+        group.addRole(role);
+        Role role2 = mud.createRole("role2", null);
+        group.addRole(role2);
+        User user = mud.createUser("xml<breaker", "\"bobby", "tab'les");
+        user.addRole(role);
+        user.addRole(role2);
+        user.addGroup(group);
+        mud.setPathname(file.getAbsolutePath());
+        mud.setReadonly(false);
+        mud.save();
+
+        String xml;
+        try(java.io.FileReader in = new java.io.FileReader(file)) {
+            StringBuilder sb = new StringBuilder((int)file.length());
+            char[] buffer = new char[4096];
+            int c;
+            while(-1 != (c = in.read(buffer))) {
+                sb.append(buffer, 0, c);
+            }
+            xml = sb.toString();
+        }
+
+        Assert.assertTrue("Role is not properly-escaped",
+                          xml.contains("<role rolename=\"role&quot;name\" description=\"descr&amp;iption\""));
+        Assert.assertTrue("Group is not escaped properly",
+                          xml.contains("<group groupname=\"grou&lt;p\" roles=\"role&quot;name,role2\""));
+        Assert.assertTrue("User is not properly-escaped",
+                          xml.contains("<user username=\"xml&lt;breaker\" password=\"&quot;bobby\" fullName=\"tab&apos;les\" groups=\"grou&lt;p\" roles=\"role&quot;name,role2\""));
+    }
 }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 53035a335c..88b3cea52f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -119,6 +119,10 @@
         Implement the clarification in RFC 9110 that the units in HTTP range
         specifiers are case insensitive. (markt)
       </fix>
+      <fix>
+        Propertly-escape role and group information when writing
+        MemoryUserDatabase to an XML file. (schultz)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">

