Posted to derby-commits@db.apache.org by rh...@apache.org on 2022/11/26 21:43:04 UTC
svn commit: r1905550 - in /db/derby/code/trunk: build.xml java/org.apache.derby.engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java tools/release/notices/tomcat.txt
Author: rhillegas
Date: Sat Nov 26 21:43:03 2022
New Revision: 1905550
URL: http://svn.apache.org/viewvc?rev=1905550&view=rev
Log:
DERBY-7147: Fix an LDAP injection bug; commit derby-7147-02-ab-escapeLDAPsearchFilter.diff.
Added:
db/derby/code/trunk/tools/release/notices/tomcat.txt (with props)
Modified:
db/derby/code/trunk/build.xml
db/derby/code/trunk/java/org.apache.derby.engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java
Modified: db/derby/code/trunk/build.xml
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/build.xml?rev=1905550&r1=1905549&r2=1905550&view=diff
==============================================================================
--- db/derby/code/trunk/build.xml (original)
+++ db/derby/code/trunk/build.xml Sat Nov 26 21:43:03 2022
@@ -2668,6 +2668,7 @@
<antcall target="appendnotice"><param name="sourcefile" value="felix.txt"/></antcall>
<antcall target="appendnotice"><param name="sourcefile" value="lucene.txt"/></antcall>
<antcall target="appendnotice"><param name="sourcefile" value="simpleJson.txt"/></antcall>
+ <antcall target="appendnotice"><param name="sourcefile" value="tomcat.txt"/></antcall>
<antcall target="checkinfile">
<param name="checkinComment" value="Check in NOTICE as part of building a release."/>
Modified: db/derby/code/trunk/java/org.apache.derby.engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/org.apache.derby.engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java?rev=1905550&r1=1905549&r2=1905550&view=diff
==============================================================================
--- db/derby/code/trunk/java/org.apache.derby.engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java (original)
+++ db/derby/code/trunk/java/org.apache.derby.engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java Sat Nov 26 21:43:03 2022
@@ -184,7 +184,53 @@ public final class LDAPAuthenticationSch
throw getLoginSQLException(e);
}
-
+ /**
+ * Given an LDAP search string, returns the string with certain characters
+ * escaped according to RFC 2254 guidelines. Cribbed from org.apache.catalina.realm.JNDIRealm.
+ *
+ * The character mapping is as follows:
+ * char -> Replacement
+ * ---------------------------
+ * * -> \2a
+ * ( -> \28
+ * ) -> \29
+ * \ -> \5c
+ * \0 -> \00
+ *
+ * @param inString string to escape according to RFC 2254 guidelines
+ *
+ * @return String the escaped/encoded result
+ */
+ protected String doFilterEscaping(String inString) {
+ if (inString == null) {
+ return null;
+ }
+ StringBuilder buf = new StringBuilder(inString.length());
+ for (int i = 0; i < inString.length(); i++) {
+ char c = inString.charAt(i);
+ switch (c) {
+ case '\\':
+ buf.append("\\5c");
+ break;
+ case '*':
+ buf.append("\\2a");
+ break;
+ case '(':
+ buf.append("\\28");
+ break;
+ case ')':
+ buf.append("\\29");
+ break;
+ case '\0':
+ buf.append("\\00");
+ break;
+ default:
+ buf.append(c);
+ break;
+ }
+ }
+ return buf.toString();
+ }
/**
* Call new InitialDirContext in a privilege block
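Review bot: `doFilterEscaping` is declared `protected` inside a `final` class and reads no instance state, so `private static String doFilterEscaping(String inString)` states its real scope and marks it as a pure helper. The Javadoc should also say what the result is safe for: the method escapes only the filter assertion-value metacharacters (RFC 2254, since superseded by RFC 4515), so the output is safe to embed as a value inside a search filter but not as a distinguished-name component, which has a different escaping rule set. Suggested sentence for the Javadoc: `Only suitable for values embedded in a search filter; do not use it to build or compare distinguished names.`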
@@ -391,6 +437,10 @@ public final class LDAPAuthenticationSch
**/
private String getDNFromUID(String uid)
throws javax.naming.NamingException {
+
+ // Escape the uid as a defense against LDAP injection. See DERBY-7147.
+ uid = doFilterEscaping(uid);
+
//
// We bind to the LDAP server here
// Note that this bind might be anonymous (if anonymous searches
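Review bot: Reassigning the `uid` parameter at the top of `getDNFromUID` means every later use of `uid` in the method sees the escaped form, not only the filter concatenation in the next hunk (`this.leftSearchFilter + uid + this.rightSearchFilter`); if the remainder of the method uses `uid` in a log message, a DN, or a comparison against the returned entry, that use now receives a value carrying `\2a`-style escapes. Escaping at the point of use keeps the parameter's meaning intact: `String escapedUid = doFilterEscaping(uid);` here and `this.leftSearchFilter + escapedUid + this.rightSearchFilter` for the filter. The body of getDNFromUID continues beyond both hunks, so whether any such later use exists cannot be confirmed from this view.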
@@ -418,6 +468,7 @@ public final class LDAPAuthenticationSch
String searchFilter =
this.leftSearchFilter + uid + this.rightSearchFilter;
+
NamingEnumeration results =
ctx.search(searchBaseDN, searchFilter, ctls);
Added: db/derby/code/trunk/tools/release/notices/tomcat.txt
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/tools/release/notices/tomcat.txt?rev=1905550&view=auto
==============================================================================
--- db/derby/code/trunk/tools/release/notices/tomcat.txt (added)
+++ db/derby/code/trunk/tools/release/notices/tomcat.txt Sat Nov 26 21:43:03 2022
@@ -0,0 +1,72 @@
+Derby uses the org.apache.catalina.realm.JNDIRealm.doFilterEscaping()
+routine from the Apache Tomcat project. The following notice covers
+the Tomcat sources:
+
+Apache Tomcat
+Copyright 1999-2022 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (https://www.apache.org/).
+
+This software contains code derived from netty-native
+developed by the Netty project
+(https://netty.io, https://github.com/netty/netty-tcnative/)
+and from finagle-native developed at Twitter
+(https://github.com/twitter/finagle).
+
+This software contains code derived from jgroups-kubernetes
+developed by the JGroups project (http://www.jgroups.org/).
+
+The Windows Installer is built with the Nullsoft
+Scriptable Install System (NSIS), which is
+open source software. The original software and
+related information is available at
+http://nsis.sourceforge.net.
+
+Java compilation software for JSP pages is provided by the Eclipse
+JDT Core Batch Compiler component, which is open source software.
+The original software and related information is available at
+https://www.eclipse.org/jdt/core/.
+
+org.apache.tomcat.util.json.JSONParser.jj is a public domain javacc grammar
+for JSON written by Robert Fischer.
+https://github.com/RobertFischer/json-parser
+
+For portions of the Tomcat JNI OpenSSL API and the OpenSSL JSSE integration
+The org.apache.tomcat.jni and the org.apache.tomcat.net.openssl packages
+are derivative work originating from the Netty project and the finagle-native
+project developed at Twitter
+* Copyright 2014 The Netty Project
+* Copyright 2014 Twitter
+
+For portions of the Tomcat cloud support
+The org.apache.catalina.tribes.membership.cloud package contains derivative
+work originating from the jgroups project.
+https://github.com/jgroups-extras/jgroups-kubernetes
+Copyright 2002-2018 Red Hat Inc.
+
+The original XML Schemas for Java EE Deployment Descriptors:
+ - javaee_5.xsd
+ - javaee_web_services_1_2.xsd
+ - javaee_web_services_client_1_2.xsd
+ - javaee_6.xsd
+ - javaee_web_services_1_3.xsd
+ - javaee_web_services_client_1_3.xsd
+ - jsp_2_2.xsd
+ - web-app_3_0.xsd
+ - web-common_3_0.xsd
+ - web-fragment_3_0.xsd
+ - javaee_7.xsd
+ - javaee_web_services_1_4.xsd
+ - javaee_web_services_client_1_4.xsd
+ - jsp_2_3.xsd
+ - web-app_3_1.xsd
+ - web-common_3_1.xsd
+ - web-fragment_3_1.xsd
+ - javaee_8.xsd
+ - web-app_4_0.xsd
+ - web-common_4_0.xsd
+ - web-fragment_4_0.xsd
+
+may be obtained from:
+http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/index.html
Propchange: db/derby/code/trunk/tools/release/notices/tomcat.txt
------------------------------------------------------------------------------
svn:eol-style = native