Posted to dev@tomcat.apache.org by re...@apache.org on 2002/06/11 17:32:28 UTC
cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JNDIRealm.java
remm 2002/06/11 08:32:28
Modified: catalina/src/share/org/apache/catalina/realm JNDIRealm.java
Log:
- Fix a security problem with the JNDI realm, where blank passwords could be
used to authenticate.
- As a result, blank passwords are not allowed with the JNDI realm anymore.
- Bugzilla 9700.
- The fix will be in 4.1.5.
- Patch submitted by <jemiller at uchicago.edu>
and John Holman <mailto:j.g.holman at qmul.ac.uk>
Revision Changes Path
1.8 +6 -5 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java
Index: JNDIRealm.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- JNDIRealm.java 9 Jun 2002 02:19:43 -0000 1.7
+++ JNDIRealm.java 11 Jun 2002 15:32:28 -0000 1.8
@@ -716,7 +716,8 @@
String credentials)
throws NamingException {
- if (username == null || credentials == null)
+ if (username == null || username.equals("")
+ || credentials == null || credentials.equals(""))
return (null);
// Retrieve user information
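Review bot: the new condition has no comment saying why empty strings are rejected; nothing in the method distinguishes this from ordinary input validation, and the log message ("blank passwords could be used to authenticate") is the only record that an empty credential reaching the directory is a security problem, so a later cleanup could drop the test. Suggest a line above the `if` such as `// Never pass an empty password to the directory: it authenticated successfully (Bugzilla 9700)`. Also, the hunk adds `username.equals("")` alongside the password test, which changes behaviour for empty usernames, but the log only mentions passwords; either say so in the log or leave the username check as it was. Finally, `equals("")` still lets whitespace-only values through to the directory; if blanks are meant to be rejected, `username.trim().length() == 0` (and the same for `credentials`) would make that explicit here instead of relying on trimming somewhere else.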
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
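As an added example (not Tomcat's code, and not from the commit or the replies): a Python model of the authentication path that the hunk above guards. The `FakeLdapServer`, the `uid=...,ou=people,dc=example,dc=com` naming pattern and the user data are constructed stand-ins; the server reproduces the LDAP rule that a simple bind with a non-empty name and an empty password is an unauthenticated bind, which servers that permit it answer with success and anonymous access (RFC 4513, section 5.1.2). `vulnerable_authenticate` mirrors the pre-fix null-only check, `fixed_authenticate` the post-fix empty-string check, extended with an explicit trim so the whitespace-only case raised in the replies below is rejected as well (the trimming elsewhere in Tomcat that the replies mention is assumed here, not shown).

```python
"""Model of the JNDIRealm blank-password bug and its fix (constructed example).

The fake directory server below is not a real LDAP implementation; it only
reproduces the bind rule that matters: a simple bind with a non-empty DN and
an EMPTY password is an "unauthenticated" bind, which a server that permits
it answers with success while granting anonymous access.  A realm that hands
user-supplied credentials straight to such a bind therefore "authenticates"
anyone who submits a username and no password.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class BindResult:
    success: bool
    anonymous: bool  # True when the server granted only anonymous access


class FakeLdapServer:
    """Constructed stand-in for a directory server."""

    def __init__(self, passwords: dict, allow_unauthenticated_bind: bool = True):
        # passwords: dn -> password.  allow_unauthenticated_bind models the
        # legacy server default that bind-based realms were exposed to.
        self._passwords = passwords
        self._allow_unauth = allow_unauthenticated_bind

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if password == "":
            # Unauthenticated bind: the password is not checked at all.
            if self._allow_unauth:
                return BindResult(success=True, anonymous=True)
            return BindResult(success=False, anonymous=False)
        ok = self._passwords.get(dn) == password
        return BindResult(success=ok, anonymous=False)


def user_dn(username: str) -> str:
    # Hypothetical naming pattern for the fake directory.
    return f"uid={username},ou=people,dc=example,dc=com"


def vulnerable_authenticate(server: FakeLdapServer, username: Optional[str],
                            credentials: Optional[str]) -> Optional[str]:
    """Pre-fix check: only null is rejected, so "" reaches the bind."""
    if username is None or credentials is None:
        return None
    result = server.simple_bind(user_dn(username), credentials)
    return username if result.success else None


def fixed_authenticate(server: FakeLdapServer, username: Optional[str],
                       credentials: Optional[str]) -> Optional[str]:
    """Post-fix check: empty strings never reach the directory.

    Trimming is done explicitly here (assumption: Tomcat trims elsewhere),
    so a whitespace-only username or password is rejected as empty too.
    """
    if username is None or credentials is None:
        return None
    username = username.strip()
    credentials = credentials.strip()
    if username == "" or credentials == "":
        return None
    result = server.simple_bind(user_dn(username), credentials)
    return username if result.success else None


def demo() -> dict:
    """Constructed directory with one user; returns the principal each call yields."""
    server = FakeLdapServer({user_dn("alice"): "correct horse"})
    return {
        "vuln_empty": vulnerable_authenticate(server, "alice", ""),      # "alice"
        "vuln_unknown": vulnerable_authenticate(server, "mallory", ""),  # "mallory"
        "vuln_wrong": vulnerable_authenticate(server, "alice", "nope"),  # None
        "fixed_empty": fixed_authenticate(server, "alice", ""),          # None
        "fixed_blank": fixed_authenticate(server, "alice", "   "),       # None
        "fixed_good": fixed_authenticate(server, "alice", "correct horse"),  # "alice"
        "fixed_wrong": fixed_authenticate(server, "alice", "nope"),      # None
    }


if __name__ == "__main__":
    for name, principal in demo().items():
        print(f"{name:13s} -> {principal!r}")
```

Running it shows the vulnerable path returning a principal for any username, including one that does not exist in the directory, as long as the password is empty, while the fixed path returns None for empty and whitespace-only input and still accepts the real password. A directory server configured to refuse unauthenticated binds (`allow_unauthenticated_bind=False` in the model) closes the hole on its own, but the realm-side check does not depend on that server setting being in place.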
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JNDIRealm.java
Posted by Jonathan Eric Miller <je...@uchicago.edu>.
I thought about that too, I'm pretty sure that the strings get trimmed
elsewhere in the code. I tested it with usernames and passwords that
contained nothing but spaces and they were trimmed.
Jon
----- Original Message -----
From: "Arshad Mahmood" <ar...@compuvision.co.uk>
To: "Tomcat Developers List" <to...@jakarta.apache.org>
Sent: Tuesday, June 11, 2002 10:51 AM
Subject: Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JNDIRealm.java
> I don't know anything about this fix, but shouldn't you include a trim() before
> checking for a blank username/credential also?
>
> Regards.
> ----- Original Message -----
> From: <re...@apache.org>
> To: <ja...@apache.org>
> Sent: Tuesday, June 11, 2002 4:32 PM
> Subject: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JNDIRealm.java
>
>
> > remm 2002/06/11 08:32:28
> >
> > Modified: catalina/src/share/org/apache/catalina/realm JNDIRealm.java
> > Log:
> > - Fix a security problem with the JNDI realm, where blank passwords could be
> > used to authenticate.
> > - As a result, blank passwords are not allowed with the JNDI realm anymore.
> > - Bugzilla 9700.
> > - The fix will be in 4.1.5.
> > - Patch submitted by <jemiller at uchicago.edu>
> > and John Holman <mailto:j.g.holman at qmul.ac.uk>
> >
> > Revision Changes Path
> > 1.8 +6 -5 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java
> >
> > Index: JNDIRealm.java
> > ===================================================================
> > RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java,v
> > retrieving revision 1.7
> > retrieving revision 1.8
> > diff -u -r1.7 -r1.8
> > --- JNDIRealm.java 9 Jun 2002 02:19:43 -0000 1.7
> > +++ JNDIRealm.java 11 Jun 2002 15:32:28 -0000 1.8
> > @@ -716,7 +716,8 @@
> > String credentials)
> > throws NamingException {
> >
> > - if (username == null || credentials == null)
> > + if (username == null || username.equals("")
> > + || credentials == null || credentials.equals(""))
> > return (null);
> >
> > // Retrieve user information
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JNDIRealm.java
Posted by Arshad Mahmood <ar...@compuvision.co.uk>.
I don't know anything about this fix, but shouldn't you include a trim() before
checking for a blank username/credential also?
Regards.
----- Original Message -----
From: <re...@apache.org>
To: <ja...@apache.org>
Sent: Tuesday, June 11, 2002 4:32 PM
Subject: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JNDIRealm.java
> remm 2002/06/11 08:32:28
>
> Modified: catalina/src/share/org/apache/catalina/realm JNDIRealm.java
> Log:
> - Fix a security problem with the JNDI realm, where blank passwords could be
> used to authenticate.
> - As a result, blank passwords are not allowed with the JNDI realm anymore.
> - Bugzilla 9700.
> - The fix will be in 4.1.5.
> - Patch submitted by <jemiller at uchicago.edu>
> and John Holman <mailto:j.g.holman at qmul.ac.uk>
>
> Revision Changes Path
> 1.8 +6 -5 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java
>
> Index: JNDIRealm.java
> ===================================================================
> RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java,v
> retrieving revision 1.7
> retrieving revision 1.8
> diff -u -r1.7 -r1.8
> --- JNDIRealm.java 9 Jun 2002 02:19:43 -0000 1.7
> +++ JNDIRealm.java 11 Jun 2002 15:32:28 -0000 1.8
> @@ -716,7 +716,8 @@
> String credentials)
> throws NamingException {
>
> - if (username == null || credentials == null)
> + if (username == null || username.equals("")
> + || credentials == null || credentials.equals(""))
> return (null);
>
> // Retrieve user information