You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2014/09/27 18:33:06 UTC
[Bug 57027] New: DigesterCredentialHandlerBase and HexUtils shall
test for invalid hex characters
https://issues.apache.org/bugzilla/show_bug.cgi?id=57027
Bug ID: 57027
Summary: DigesterCredentialHandlerBase and HexUtils shall test
for invalid hex characters
Product: Tomcat 8
Version: trunk
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: knst.kolinko@gmail.com
This is for the current trunk, for code added after 8.0.14 release. Tomcat
8.0.14 is OK.
The recently added DigestCredentialHandlerBase.matchSaltIterationsEncoded()
does the following:
byte[] salt = HexUtils.fromHexString(hexSalt);
As I mentioned in "Re: r1627000" thread on dev@, the formHexString method does
not check correctness of its arguments. It shall check that
a) The string length is a multiple of 2.
b) All characters are valid hex digits.
The current code will produce bogus results is the above conditions are not
true.
The DigestCredentialHandlerBase class already has facility for reporting
invalid stored credentials, as controlled by its logInvalidStoredCredentials
field.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 57027] DigesterCredentialHandlerBase and HexUtils shall test
for invalid hex characters
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57027
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
OS| |All
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
This has been fixed in 8.0.x for 8.0.15 onwards.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org