Projects
Mega:24.03:SP1:Everything
tomcat
_service:tar_scm:CVE-2021-30640-5.patch
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:CVE-2021-30640-5.patch of Package tomcat
From a13034d94c927286a7f4e17ab4f662727fbe6e9f Mon Sep 17 00:00:00 2001 From: Mark Thomas <markt@apache.org> Date: Tue, 13 Apr 2021 12:20:06 +0100 Subject: [PATCH] Expand tests and fix escaping issue in userRoleAttribute filter --- java/org/apache/catalina/realm/JNDIRealm.java | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 1021ce8..a3b6f86 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1947,11 +1947,13 @@ System.out.println("userRoleName " + userRoleName + " " + attrs.get(userRoleName if ((connection.roleFormat == null) || (roleName == null)) return list; - // Set up parameters for an appropriate search + // Set up parameters for an appropriate search filter + // The dn is already attribute value escaped but the others are not + // This is a filter so all input will require filter escaping String filter = connection.roleFormat.format(new String[] { doFilterEscaping(dn), doFilterEscaping(doAttributeValueEscaping(username)), - userRoleId }); + doFilterEscaping(doAttributeValueEscaping(userRoleId)) }); SearchControls controls = new SearchControls(); if (roleSubtree) controls.setSearchScope(SearchControls.SUBTREE_SCOPE); -- 2.23.0
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2