Posted to dev@tomcat.apache.org by Mark Thomas <me...@ntlworld.com> on 2003/09/04 01:13:01 UTC

[PATCH] Bug 22715

The patches below (TC5 and TC4) fix bug 22715 by ensuring that XML 
entities are correctly written back out to the password field of 
tomcat-users.xml.

I did consider a more general patch to allow xml entities in user names, group 
names and role names but wasn't sure of the potential side effects. I also 
think that users are far more likely to want to use these characters in 
passwords than in user names, group names or role names. Thoughts? If the 
general consensus is that a more general patch is required, I am happy to 
produce one.

Mark


Index: catalina/src/share/org/apache/catalina/users/MemoryUser.java
===================================================================
RCS file: 
/home/cvspublic/jakarta-tomcat-catalina/catalina/src/share/org/apache/catali  
na/users/MemoryUser.java,v
retrieving revision 1.2
diff -u -r1.2 MemoryUser.java
--- catalina/src/share/org/apache/catalina/users/MemoryUser.java	2 Sep 2003 
21:22:03 -0000	1.2
+++ catalina/src/share/org/apache/catalina/users/MemoryUser.java	3 Sep 2003 
23:01:54 -0000
@@ -70,6 +70,7 @@
 import org.apache.catalina.Group;
 import org.apache.catalina.Role;
 import org.apache.catalina.UserDatabase;
+import org.apache.catalina.util.RequestUtil;


 /**
@@ -296,7 +297,7 @@
         StringBuffer sb = new StringBuffer("<user username=\"");
         sb.append(username);
         sb.append("\" password=\"");
-        sb.append(password);
+        sb.append(RequestUtil.filter(password));
         sb.append("\"");
         if (fullName != null) {
             sb.append(" fullName=\"");
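Review bot: The user name is still appended raw on the `sb.append(username);` line two lines above the fixed call, so only one of the values written into this double-quoted attribute string is escaped. Unless user names are validated elsewhere, which is not visible here, a name containing `"`, `<` or `&` would leave tomcat-users.xml malformed, and a double quote could end the attribute early so that the rest of the value is read back as part of the user record. I would escape it the same way, `sb.append(RequestUtil.filter(username));`, and check the fullName value appended just below, which falls outside the hunk along with the start and end of the method. The TC4 hunk further down has the same unescaped `sb.append(username);` line.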



Index: catalina/src/share/org/apache/catalina/users/MemoryUser.java
===================================================================
RCS file: 
/home/cvspublic/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/us  
ers/MemoryUser.java,v
retrieving revision 1.5
diff -u -r1.5 MemoryUser.java
--- catalina/src/share/org/apache/catalina/users/MemoryUser.java	10 Feb 2002 
08:06:20 -0000	1.5
+++ catalina/src/share/org/apache/catalina/users/MemoryUser.java	3 Sep 2003 
22:45:49 -0000
@@ -68,8 +68,8 @@
 import java.util.Iterator;
 import org.apache.catalina.Group;
 import org.apache.catalina.Role;
-import org.apache.catalina.User;
 import org.apache.catalina.UserDatabase;
+import org.apache.catalina.util.RequestUtil;


 /**
@@ -296,7 +296,7 @@
         StringBuffer sb = new StringBuffer("<user username=\"");
         sb.append(username);
         sb.append("\" password=\"");
-        sb.append(password);
+        sb.append(RequestUtil.filter(password));
         sb.append("\"");
         if (fullName != null) {
             sb.append(" fullName=\"");