Projects
openEuler:Mainline
tomcat
_service:tar_scm:CVE-2019-17563.patch
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:CVE-2019-17563.patch of Package tomcat
From fabfa49abf917e126dbcf299fed40a1ab96d6f7a Mon Sep 17 00:00:00 2001 From: wang_yue111 <wangyue92@huawei.com> Date: Fri, 15 May 2020 17:17:57 +0800 Subject: [PATCH] 2 --- .../authenticator/AuthenticatorBase.java | 7 ++-- .../catalina/authenticator/Constants.java | 3 ++ .../authenticator/FormAuthenticator.java | 36 +++++-------------- 3 files changed, 16 insertions(+), 30 deletions(-) diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java index 880ebde..47d562b 100644 --- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java +++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java @@ -1021,10 +1021,11 @@ public abstract class AuthenticatorBase extends ValveBase } // Cache the authentication information in our session, if any - if (cache) { - if (session != null) { + if (session != null) { + if (cache) { session.setAuthType(authType); session.setPrincipal(principal); + } else { if (username != null) { session.setNote(Constants.SESS_USERNAME_NOTE, username); } else { diff --git a/java/org/apache/catalina/authenticator/Constants.java b/java/org/apache/catalina/authenticator/Constants.java index 452a4f0..c9580d6 100644 --- a/java/org/apache/catalina/authenticator/Constants.java +++ b/java/org/apache/catalina/authenticator/Constants.java @@ -93,7 +93,10 @@ public class Constants { /** * The previously authenticated principal (if caching is disabled). + * + * @deprecated Unused. Will be removed in Tomcat 10. */ + @Deprecated public static final String FORM_PRINCIPAL_NOTE = "org.apache.catalina.authenticator.PRINCIPAL"; diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java index 1b54ddd..44c783e 100644 --- a/java/org/apache/catalina/authenticator/FormAuthenticator.java +++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java @@ -133,10 +133,6 @@ public class FormAuthenticator protected boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException { - if (checkForCachedAuthentication(request, response, true)) { - return true; - } - // References to objects we will need later Session session = null; Principal principal = null; @@ -158,11 +154,8 @@ public class FormAuthenticator principal = context.getRealm().authenticate(username, password); if (principal != null) { - session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal); + register(request, response, principal, HttpServletRequest.FORM_AUTH, username, password); if (!matchRequest(request)) { - register(request, response, principal, - HttpServletRequest.FORM_AUTH, - username, password); return true; } } @@ -181,17 +174,6 @@ public class FormAuthenticator + session.getIdInternal() + "'"); } - principal = (Principal) - session.getNote(Constants.FORM_PRINCIPAL_NOTE); - register(request, response, principal, HttpServletRequest.FORM_AUTH, - (String) session.getNote(Constants.SESS_USERNAME_NOTE), - (String) session.getNote(Constants.SESS_PASSWORD_NOTE)); - // If we're caching principals we no longer need the username - // and password in the session, so remove them - if (cache) { - session.removeNote(Constants.SESS_USERNAME_NOTE); - session.removeNote(Constants.SESS_PASSWORD_NOTE); - } if (restoreRequest(request, session)) { if (log.isDebugEnabled()) { log.debug("Proceed to restored request"); @@ -206,6 +188,12 @@ public class FormAuthenticator } } + // This check has to be after the previous check for a matching request + // because that matching request may also include a cached Principal. + if (checkForCachedAuthentication(request, response, true)) { + return true; + } + // Acquire references to objects we will need to evaluate String contextPath = request.getContextPath(); String requestURI = request.getDecodedRequestURI(); @@ -297,12 +285,7 @@ public class FormAuthenticator return false; } - // Save the authenticated Principal in our session - session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal); - - // Save the username and password as well - session.setNote(Constants.SESS_USERNAME_NOTE, username); - session.setNote(Constants.SESS_PASSWORD_NOTE, password); + register(request, response, principal, HttpServletRequest.FORM_AUTH, username, password); // Redirect the user to the original request URI (which will cause // the original request to be restored) @@ -510,7 +493,7 @@ public class FormAuthenticator } // Is there a saved principal? - if (session.getNote(Constants.FORM_PRINCIPAL_NOTE) == null) { + if (cache && session.getPrincipal() == null || !cache && request.getPrincipal() == null) { return false; } @@ -541,7 +524,6 @@ public class FormAuthenticator SavedRequest saved = (SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE); session.removeNote(Constants.FORM_REQUEST_NOTE); - session.removeNote(Constants.FORM_PRINCIPAL_NOTE); if (saved == null) { return false; } -- 2.23.0
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2