Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/08/23 14:38:44 UTC
DO NOT REPLY [Bug 11966] -
JDBCRealm.authenticate() does not validate password field
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11966
JDBCRealm.authenticate() does not validate password field
andrewconrad@iname.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |andrewconrad@iname.com
Status|NEW |ASSIGNED
------- Additional Comments From andrewconrad@iname.com 2002-08-23 12:38 -------
The problem is in JDBCRealm.java. The problem is that the Password String is
trimmed before testing for null. The patch is as follows:
--- C:/modules/apache.org/jakarta-tomcat-
4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java 9 Jun 2002
02:19:43 -0000 1.21
+++ C:/modules/apache.org/jakarta-tomcat-
4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java 23 Aug 2002
12:35:19 -0000
@@ -444,12 +444,13 @@
PreparedStatement stmt = credentials(dbConnection, username);
ResultSet rs = stmt.executeQuery();
while (rs.next()) {
- dbCredentials = rs.getString(1).trim();
+ dbCredentials = rs.getString(1);
}
rs.close();
if (dbCredentials == null) {
return (null);
}
+ dbCredentials.trim(); //cannot trim until we test for null
// Validate the user's credentials
boolean validated = false;
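Review bot: The added line `dbCredentials.trim();` after the null check discards its result. Java Strings are immutable, so trim() returns a new String and dbCredentials keeps whatever leading or trailing whitespace came back from rs.getString(1). The validation that follows therefore runs against the untrimmed value, which is a behaviour change from the removed line: a stored credential that carries padding would no longer match. Assign the result instead, `dbCredentials = dbCredentials.trim();`, and keep it below the `if (dbCredentials == null)` check so a NULL column value still returns null rather than throwing.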