Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/08/30 22:55:29 UTC
svn commit: r1758499 - in /tomcat/trunk: java/org/apache/catalina/realm/
webapps/docs/
Author: markt
Date: Tue Aug 30 22:55:29 2016
New Revision: 1758499
URL: http://svn.apache.org/viewvc?rev=1758499&view=rev
Log:
Make timing attacks against the Realm implementations harder. (schultz)
Modified:
tomcat/trunk/java/org/apache/catalina/realm/DataSourceRealm.java
tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java
tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java
tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/catalina/realm/DataSourceRealm.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/DataSourceRealm.java?rev=1758499&r1=1758498&r2=1758499&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/DataSourceRealm.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/DataSourceRealm.java Tue Aug 30 22:55:29 2016
@@ -303,6 +303,8 @@ public class DataSourceRealm extends Rea
if(dbCredentials == null) {
// User was not found in the database.
+ // Waste a bit of time as not to reveal that the user does not exist.
+ getCredentialHandler().mutate(credentials);
if (containerLog.isTraceEnabled())
containerLog.trace(sm.getString("dataSourceRealm.authenticateFailure",
Modified: tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java?rev=1758499&r1=1758498&r2=1758499&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java Tue Aug 30 22:55:29 2016
@@ -384,6 +384,8 @@ public class JDBCRealm
if (dbCredentials == null) {
// User was not found in the database.
+ // Waste a bit of time as not to reveal that the user does not exist.
+ getCredentialHandler().mutate(credentials);
if (containerLog.isTraceEnabled())
containerLog.trace(sm.getString("jdbcRealm.authenticateFailure",
Modified: tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java?rev=1758499&r1=1758498&r2=1758499&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java Tue Aug 30 22:55:29 2016
@@ -125,7 +125,9 @@ public class MemoryRealm extends RealmB
GenericPrincipal principal = principals.get(username);
if(principal == null || principal.getPassword() == null) {
- // User was not found in the database of the password was null
+ // User was not found in the database or the password was null
+ // Waste a bit of time as not to reveal that the user does not exist.
+ getCredentialHandler().mutate(credentials);
if (log.isDebugEnabled())
log.debug(sm.getString("memoryRealm.authenticateFailure", username));
Modified: tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java?rev=1758499&r1=1758498&r2=1758499&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java Tue Aug 30 22:55:29 2016
@@ -344,6 +344,8 @@ public abstract class RealmBase extends
if (serverCredentials == null) {
// User was not found
+ // Waste a bit of time as not to reveal that the user does not exist.
+ getCredentialHandler().mutate(credentials);
if (containerLog.isTraceEnabled()) {
containerLog.trace(sm.getString("realmBase.authenticateFailure",
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1758499&r1=1758498&r2=1758499&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Aug 30 22:55:29 2016
@@ -183,6 +183,9 @@
of the web.xml file where specified or UTF-8 where no explicit encoding
is specified. (markt)
</fix>
+ <fix>
+ Make timing attacks against the Realm implementations harder. (schultz)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">