You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by re...@apache.org on 2020/02/27 09:32:44 UTC

[tomcat] branch 7.0.x updated: Ignore zero length secret

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/7.0.x by this push:
     new d1871be  Ignore zero length secret
d1871be is described below

commit d1871beb696d0354e0c94e91889cccc41b97c478
Author: remm <re...@apache.org>
AuthorDate: Thu Feb 27 10:27:20 2020 +0100

    Ignore zero length secret
    
    No doc fix needed, secretRequired was already well described.
---
 java/org/apache/coyote/ajp/AbstractAjpProcessor.java | 4 ++--
 webapps/docs/changelog.xml                           | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/coyote/ajp/AbstractAjpProcessor.java b/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
index 5be3af1..200843c 100644
--- a/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
@@ -996,7 +996,7 @@ public abstract class AbstractAjpProcessor<S> extends AbstractProcessor<S> {
 
             case Constants.SC_A_SECRET:
                 requestHeaderMessage.getBytes(tmpMB);
-                if (secret != null) {
+                if (secret != null && secret.length() > 0) {
                     secretPresentInRequest = true;
                     if (!tmpMB.equals(secret)) {
                         response.setStatus(403);
@@ -1014,7 +1014,7 @@ public abstract class AbstractAjpProcessor<S> extends AbstractProcessor<S> {
         }
 
         // Check if secret was submitted if required
-        if ((secret != null) && !secretPresentInRequest) {
+        if (secret != null && secret.length() > 0 && !secretPresentInRequest) {
             response.setStatus(403);
             setErrorState(ErrorState.CLOSE_CLEAN, null);
         }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 65f5261..4f643b1 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -92,6 +92,10 @@
         Add the TLS request attributes used by IIS to the attributes that an AJP
         Connector will always accept. (markt)
       </fix>
+      <fix>
+        A zero length AJP secret will now behave as if it has not been
+        specified. (remm)
+      </fix>
     </changelog>
   </subsection>
 </section>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org