Projects
Mega:23.09
tomcat
_service:tar_scm:CVE-2021-30640-pre5.patch
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:CVE-2021-30640-pre5.patch of Package tomcat
From 4bee1e769bce86cd53ce80eb18c15449ea0df34b Mon Sep 17 00:00:00 2001 From: Mark Thomas <markt@apache.org> Date: Wed, 23 Jan 2019 15:11:07 +0000 Subject: [PATCH] Add a new attribute, forceDnHexEscape, to the JNDIRealm that forces escaping in the String representation of a distinguished name to use the \nn form. This may avoid issues with realms using Active Directory which appears to be more tolerant of optional escaping when the \nn form is used. git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc8.5.x/trunk@1851941 13f79535-47bb-0310-9956-ffa450edef68 --- java/org/apache/catalina/realm/JNDIRealm.java | 95 ++++++++++++++++++- .../TestJNDIRealmConvertToHexEscape.java | 70 ++++++++++++++ webapps/docs/changelog.xml | 8 ++ webapps/docs/config/realm.xml | 9 ++ 4 files changed, 181 insertions(+), 1 deletion(-) create mode 100644 test/org/apache/catalina/realm/TestJNDIRealmConvertToHexEscape.java diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 5714496..19fa704 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -487,8 +487,19 @@ public class JNDIRealm extends RealmBase { protected int connectionPoolSize = 1; + private boolean forceDnHexEscape = false; + + // ------------------------------------------------------------- Properties + public boolean getForceDnHexEscape() { + return forceDnHexEscape; + } + + public void setForceDnHexEscape(boolean forceDnHexEscape) { + this.forceDnHexEscape = forceDnHexEscape; + } + /** * @return the type of authentication to use. */ @@ -2799,7 +2810,89 @@ System.out.println("userRoleName " + userRoleName + " " + attrs.get(userRoleName resultName ); } } - return name.toString(); + + if (getForceDnHexEscape()) { + // Bug 63026 + return convertToHexEscape(name.toString()); + } else { + return name.toString(); + } + } + + + protected static String convertToHexEscape(String input) { + if (input.indexOf('\\') == -1) { + // No escaping present. Return original. + return input; + } + + // +6 allows for 3 escaped characters by default + StringBuilder result = new StringBuilder(input.length() + 6); + boolean previousSlash = false; + for (int i = 0; i < input.length(); i++) { + char c = input.charAt(i); + + if (previousSlash) { + switch (c) { + case ' ': { + result.append("\\20"); + break; + } + case '\"': { + result.append("\\22"); + break; + } + case '#': { + result.append("\\23"); + break; + } + case '+': { + result.append("\\2B"); + break; + } + case ',': { + result.append("\\2C"); + break; + } + case ';': { + result.append("\\3B"); + break; + } + case '<': { + result.append("\\3C"); + break; + } + case '=': { + result.append("\\3D"); + break; + } + case '>': { + result.append("\\3E"); + break; + } + case '\\': { + result.append("\\5C"); + break; + } + default: + result.append('\\'); + result.append(c); + } + previousSlash = false; + } else { + if (c == '\\') { + previousSlash = true; + } else { + result.append(c); + } + } + } + + if (previousSlash) { + result.append('\\'); + } + + return result.toString(); } diff --git a/test/org/apache/catalina/realm/TestJNDIRealmConvertToHexEscape.java b/test/org/apache/catalina/realm/TestJNDIRealmConvertToHexEscape.java new file mode 100644 index 0000000..8c610a3 --- /dev/null +++ b/test/org/apache/catalina/realm/TestJNDIRealmConvertToHexEscape.java @@ -0,0 +1,70 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.catalina.realm; + +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; + +import org.junit.Assert; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameter; + +@RunWith(Parameterized.class) +public class TestJNDIRealmConvertToHexEscape { + + @Parameterized.Parameters(name = "{index}: in[{0}], out[{1}]") + public static Collection<Object[]> parameters() { + List<Object[]> parameterSets = new ArrayList<>(); + + parameterSets.add(new String[] { "none", "none" }); + parameterSets.add(new String[] { "\\", "\\" }); + parameterSets.add(new String[] { "\\\\", "\\5C" }); + parameterSets.add(new String[] { "\\5C", "\\5C" }); + parameterSets.add(new String[] { "\\ ", "\\20" }); + parameterSets.add(new String[] { "\\20", "\\20" }); + parameterSets.add(new String[] { "\\ foo", "\\20foo" }); + parameterSets.add(new String[] { "\\20foo", "\\20foo" }); + parameterSets.add(new String[] { "\\ foo", "\\20 foo" }); + parameterSets.add(new String[] { "\\20 foo", "\\20 foo" }); + parameterSets.add(new String[] { "\\ \\ foo", "\\20\\20foo" }); + parameterSets.add(new String[] { "\\20\\20foo", "\\20\\20foo" }); + parameterSets.add(new String[] { "foo\\ ", "foo\\20" }); + parameterSets.add(new String[] { "foo\\20", "foo\\20" }); + parameterSets.add(new String[] { "foo \\ ", "foo \\20" }); + parameterSets.add(new String[] { "foo \\20", "foo \\20" }); + parameterSets.add(new String[] { "foo\\ \\ ", "foo\\20\\20" }); + parameterSets.add(new String[] { "foo\\20\\20", "foo\\20\\20" }); + + return parameterSets; + } + + + @Parameter(0) + public String in; + @Parameter(1) + public String out; + + + @Test + public void testConvertToHexEscape() throws Exception { + String result = JNDIRealm.convertToHexEscape(in); + Assert.assertEquals(out, result); + } +} diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 173c209..a7bb52c 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -794,6 +794,14 @@ a plain text response. Based on a suggestion from Muthukumar Marikani. (markt) </add> + <add> + <bug>63026</bug>: Add a new attribute, <code>forceDnHexEscape</code>, to + the <code>JNDIRealm</code> that forces escaping in the String + representation of a distinguished name to use the <code>\nn</code> form. + This may avoid issues with realms using Active Directory which appears + to be more tolerant of optional escaping when the <code>\nn</code> form + is used. (markt) + </add> </changelog> </subsection> </section> diff --git a/webapps/docs/config/realm.xml b/webapps/docs/config/realm.xml index a4bc5ef..715ceb7 100644 --- a/webapps/docs/config/realm.xml +++ b/webapps/docs/config/realm.xml @@ -463,6 +463,15 @@ "finding" and "searching". If not specified, "always" is used.</p> </attribute> + <attribute name="forceDnHexEscape" required="false"> + <p>A setting of <code>true</code> forces escaping in the String + representation of a distinguished name to use the <code>\nn</code> form. + This may avoid issues with realms using Active Directory which appears + to be more tolerant of optional escaping when the <code>\nn</code> form + is used. If not specified, the default of <code>false</code> will be + used.</p> + </attribute> + <attribute name="hostnameVerifierClassName" required="false"> <p>The name of the class to use for hostname verification when using StartTLS for securing the connection to the ldap server. -- 2.23.0
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2