~ubuntu-branches/ubuntu/maverick/tomcat6/maverick

« back to all changes in this revision

Viewing changes to .pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org/apache/catalina/authenticator/BasicAuthenticator.java

Committer: Bazaar Package Importer
Author(s): Torsten Werner
Date: 2010-06-28 21:41:31 UTC
mfrom: (2.2.15 sid)
Revision ID: james.westby@ubuntu.com-20100628214131-3wktukpb3lgdf83h

Tags: 6.0.26-5

http://bugs.debian.org/587447

* Convert patches to dep3 format.
* Backport security fix from trunk to fix CVE-2010-1157. (Closes: #587447)
* Set urgency to medium due to the security fix.

files added:
.pc/0001-set-UTF-8-as-default-character-encoding.patch

.pc/0001-set-UTF-8-as-default-character-encoding.patch/conf

.pc/0001-set-UTF-8-as-default-character-encoding.patch/conf/server.xml

.pc/0002-do-not-load-AJP13-connector-by-default.patch

.pc/0002-do-not-load-AJP13-connector-by-default.patch/conf

.pc/0002-do-not-load-AJP13-connector-by-default.patch/conf/server.xml

.pc/0003-disable-APR-library-loading.patch

.pc/0003-disable-APR-library-loading.patch/conf

.pc/0003-disable-APR-library-loading.patch/conf/server.xml

.pc/0004-split-deploy-webapps-target-from-deploy-target.patch

.pc/0004-split-deploy-webapps-target-from-deploy-target.patch/build.xml

.pc/0005-change-default-DBCP-factory-class.patch

.pc/0005-change-default-DBCP-factory-class.patch/java

.pc/0005-change-default-DBCP-factory-class.patch/java/org

.pc/0005-change-default-DBCP-factory-class.patch/java/org/apache

.pc/0005-change-default-DBCP-factory-class.patch/java/org/apache/naming

.pc/0005-change-default-DBCP-factory-class.patch/java/org/apache/naming/factory

.pc/0005-change-default-DBCP-factory-class.patch/java/org/apache/naming/factory/Constants.java

.pc/0005-change-default-DBCP-factory-class.patch/webapps

.pc/0005-change-default-DBCP-factory-class.patch/webapps/docs

.pc/0005-change-default-DBCP-factory-class.patch/webapps/docs/jndi-resources-howto.xml

.pc/0006-add-JARs-below-var-to-class-loader.patch

.pc/0006-add-JARs-below-var-to-class-loader.patch/conf

.pc/0006-add-JARs-below-var-to-class-loader.patch/conf/catalina.properties

.pc/0007-add-OSGi-headers-to-servlet-api.patch

.pc/0007-add-OSGi-headers-to-servlet-api.patch/res

.pc/0007-add-OSGi-headers-to-servlet-api.patch/res/META-INF

.pc/0007-add-OSGi-headers-to-servlet-api.patch/res/META-INF/servlet-api.jar.manifest

.pc/0008-add-OSGI-headers-to-jsp-api.patch

.pc/0008-add-OSGI-headers-to-jsp-api.patch/res

.pc/0008-add-OSGI-headers-to-jsp-api.patch/res/META-INF

.pc/0008-add-OSGI-headers-to-jsp-api.patch/res/META-INF/jsp-api.jar.manifest

.pc/0009-allow-empty-PID-file.patch

.pc/0009-allow-empty-PID-file.patch/bin

.pc/0009-allow-empty-PID-file.patch/bin/catalina.sh

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/catalina

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/catalina/loader

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/catalina/loader/ResourceEntry.java

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/catalina/loader/WebappClassLoader.java

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/jasper

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/jasper/servlet

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/jasper/servlet/JasperLoader.java

.pc/0011-Use-java.security.policy-file-in-catalina.sh.patch

.pc/0011-Use-java.security.policy-file-in-catalina.sh.patch/bin

.pc/0011-Use-java.security.policy-file-in-catalina.sh.patch/bin/catalina.sh

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org/apache

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org/apache/catalina

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org/apache/catalina/authenticator

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org/apache/catalina/authenticator/AuthenticatorBase.java

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org/apache/catalina/authenticator/BasicAuthenticator.java

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org/apache/catalina/authenticator/DigestAuthenticator.java

debian/patches/0001-set-UTF-8-as-default-character-encoding.patch

debian/patches/0002-do-not-load-AJP13-connector-by-default.patch

debian/patches/0003-disable-APR-library-loading.patch

debian/patches/0004-split-deploy-webapps-target-from-deploy-target.patch

debian/patches/0005-change-default-DBCP-factory-class.patch

debian/patches/0006-add-JARs-below-var-to-class-loader.patch

debian/patches/0007-add-OSGi-headers-to-servlet-api.patch

debian/patches/0008-add-OSGI-headers-to-jsp-api.patch

debian/patches/0009-allow-empty-PID-file.patch

debian/patches/0010-avoid-deadlock-in-WebappClassLoader.patch

debian/patches/0011-Use-java.security.policy-file-in-catalina.sh.patch

debian/patches/0012-Prevent-disclosure-of-host-name-or-IP-address.patch

files removed:
.pc/allow-empty-pid-file.patch

.pc/allow-empty-pid-file.patch/bin

.pc/allow-empty-pid-file.patch/bin/catalina.sh

.pc/default-encoding-utf8.patch

.pc/default-encoding-utf8.patch/conf

.pc/default-encoding-utf8.patch/conf/server.xml

.pc/deploy-webapps-build-xml.patch

.pc/deploy-webapps-build-xml.patch/build.xml

.pc/disable-ajp-connector.patch

.pc/disable-ajp-connector.patch/conf

.pc/disable-ajp-connector.patch/conf/server.xml

.pc/disable-apr-loading.patch

.pc/disable-apr-loading.patch/conf

.pc/disable-apr-loading.patch/conf/server.xml

.pc/jsp-api-OSGi.patch

.pc/jsp-api-OSGi.patch/res

.pc/jsp-api-OSGi.patch/res/META-INF

.pc/jsp-api-OSGi.patch/res/META-INF/jsp-api.jar.manifest

.pc/servlet-api-OSGi.patch

.pc/servlet-api-OSGi.patch/res

.pc/servlet-api-OSGi.patch/res/META-INF

.pc/servlet-api-OSGi.patch/res/META-INF/servlet-api.jar.manifest

.pc/use-commons-dbcp.patch

.pc/use-commons-dbcp.patch/java

.pc/use-commons-dbcp.patch/java/org

.pc/use-commons-dbcp.patch/java/org/apache

.pc/use-commons-dbcp.patch/java/org/apache/naming

.pc/use-commons-dbcp.patch/java/org/apache/naming/factory

.pc/use-commons-dbcp.patch/java/org/apache/naming/factory/Constants.java

.pc/use-commons-dbcp.patch/webapps

.pc/use-commons-dbcp.patch/webapps/docs

.pc/use-commons-dbcp.patch/webapps/docs/jndi-resources-howto.xml

.pc/var_loaders.patch

.pc/var_loaders.patch/conf

.pc/var_loaders.patch/conf/catalina.properties

.pc/webapp-classloader-deadlock-fix.patch

.pc/webapp-classloader-deadlock-fix.patch/java

.pc/webapp-classloader-deadlock-fix.patch/java/org

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/catalina

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/catalina/loader

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/catalina/loader/ResourceEntry.java

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/catalina/loader/WebappClassLoader.java

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/jasper

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/jasper/servlet

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/jasper/servlet/JasperLoader.java

debian/patches/allow-empty-pid-file.patch

debian/patches/default-encoding-utf8.patch

debian/patches/deploy-webapps-build-xml.patch

debian/patches/disable-ajp-connector.patch

debian/patches/disable-apr-loading.patch

debian/patches/jsp-api-OSGi.patch

debian/patches/servlet-api-OSGi.patch

debian/patches/use-commons-dbcp.patch

debian/patches/var_loaders.patch

debian/patches/webapp-classloader-deadlock-fix.patch

files modified:
.pc/applied-patches

bin/catalina.sh

debian/changelog

debian/control

debian/patches/series

debian/tomcat6.init

debian/tomcat6.postinst

java/org/apache/catalina/authenticator/AuthenticatorBase.java

java/org/apache/catalina/authenticator/BasicAuthenticator.java

java/org/apache/catalina/authenticator/DigestAuthenticator.java

Show diffs side-by-side

added added

removed removed

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org/apache/catalina/authenticator/BasicAuthenticator.java

* Licensed to the Apache Software Foundation (ASF) under one or more

* contributor license agreements. See the NOTICE file distributed with

* this work for additional information regarding copyright ownership.

* The ASF licenses this file to You under the Apache License, Version 2.0

* (the "License"); you may not use this file except in compliance with

* the License. You may obtain a copy of the License at

* http://www.apache.org/licenses/LICENSE-2.0

* Unless required by applicable law or agreed to in writing, software

* distributed under the License is distributed on an "AS IS" BASIS,

* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

* See the License for the specific language governing permissions and

* limitations under the License.

package org.apache.catalina.authenticator;

import java.io.IOException;

import java.security.Principal;

import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Request;

import org.apache.catalina.connector.Response;

import org.apache.catalina.deploy.LoginConfig;

import org.apache.catalina.util.Base64;

import org.apache.juli.logging.Log;

import org.apache.juli.logging.LogFactory;

import org.apache.tomcat.util.buf.ByteChunk;

import org.apache.tomcat.util.buf.CharChunk;

import org.apache.tomcat.util.buf.MessageBytes;

/**

* An <b>Authenticator</b> and <b>Valve</b> implementation of HTTP BASIC

* Authentication, as outlined in RFC 2617: "HTTP Authentication: Basic

* and Digest Access Authentication."

* @author Craig R. McClanahan

* @version $Revision: 467222 $ $Date: 2006-10-24 05:17:11 +0200 (Di, 24. Okt 2006) $

public class BasicAuthenticator

extends AuthenticatorBase {

private static Log log = LogFactory.getLog(BasicAuthenticator.class);

/**

* Authenticate bytes.

public static final byte[] AUTHENTICATE_BYTES = {

(byte) 'W',

(byte) '-',

(byte) 'A',

(byte) 'u',

(byte) 't',

(byte) 'h',

(byte) 'e',

(byte) 'n',

(byte) 't',

(byte) 'i',

(byte) 'c',

(byte) 'a',

(byte) 't',

(byte) 'e'

};

// ----------------------------------------------------- Instance Variables

/**

* Descriptive information about this implementation.

protected static final String info =

"org.apache.catalina.authenticator.BasicAuthenticator/1.0";

// ------------------------------------------------------------- Properties

/**

* Return descriptive information about this Valve implementation.

public String getInfo() {

return (info);

}

100

// --------------------------------------------------------- Public Methods

101

102

103

/**

104

* Authenticate the user making this request, based on the specified

105

* login configuration. Return <code>true</code> if any specified

106

* constraint has been satisfied, or <code>false</code> if we have

107

* created a response challenge already.

108

109

* @param request Request we are processing

110

* @param response Response we are creating

111

* @param config Login configuration describing how authentication

112

* should be performed

113

114

* @exception IOException if an input/output error occurs

115

116

public boolean authenticate(Request request,

117

Response response,

118

LoginConfig config)

119

throws IOException {

120

121

// Have we already authenticated someone?

122

Principal principal = request.getUserPrincipal();

123

String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);

124

if (principal != null) {

125

if (log.isDebugEnabled())

126

log.debug("Already authenticated '" + principal.getName() + "'");

127

// Associate the session with any existing SSO session

128

if (ssoId != null)

129

associate(ssoId, request.getSessionInternal(true));

130

return (true);

131

}

132

133

// Is there an SSO session against which we can try to reauthenticate?

134

if (ssoId != null) {

135

if (log.isDebugEnabled())

136

log.debug("SSO Id " + ssoId + " set; attempting " +

137

"reauthentication");

138

/* Try to reauthenticate using data cached by SSO. If this fails,

139

either the original SSO logon was of DIGEST or SSL (which

140

we can't reauthenticate ourselves because there is no

141

cached username and password), or the realm denied

142

the user's reauthentication for some reason.

143

In either case we have to prompt the user for a logon */

144

if (reauthenticateFromSSO(ssoId, request))

145

return true;

146

}

147

148

// Validate any credentials already included with this request

149

String username = null;

150

String password = null;

151

152

MessageBytes authorization =

153

request.getCoyoteRequest().getMimeHeaders()

154

.getValue("authorization");

155

156

if (authorization != null) {

157

authorization.toBytes();

158

ByteChunk authorizationBC = authorization.getByteChunk();

159

if (authorizationBC.startsWithIgnoreCase("basic ", 0)) {

160

authorizationBC.setOffset(authorizationBC.getOffset() + 6);

161

// FIXME: Add trimming

162

// authorizationBC.trim();

163

164

CharChunk authorizationCC = authorization.getCharChunk();

165

Base64.decode(authorizationBC, authorizationCC);

166

167

// Get username and password

168

int colon = authorizationCC.indexOf(':');

169

if (colon < 0) {

170

username = authorizationCC.toString();

171

} else {

172

char[] buf = authorizationCC.getBuffer();

173

username = new String(buf, 0, colon);

174

password = new String(buf, colon + 1,

175

authorizationCC.getEnd() - colon - 1);

176

}

177

178

authorizationBC.setOffset(authorizationBC.getOffset() - 6);

179

}

180

181

principal = context.getRealm().authenticate(username, password);

182

if (principal != null) {

183

184

username, password);

185

return (true);

186

}

187

}

188

189

190

// Send an "unauthorized" response and an appropriate challenge

191

MessageBytes authenticate =

192

response.getCoyoteResponse().getMimeHeaders()

193

.addValue(AUTHENTICATE_BYTES, 0, AUTHENTICATE_BYTES.length);

194

CharChunk authenticateCC = authenticate.getCharChunk();

195

authenticateCC.append("Basic realm=\"");

196

if (config.getRealmName() == null) {

197

authenticateCC.append(request.getServerName());

198

authenticateCC.append(':');

199

authenticateCC.append(Integer.toString(request.getServerPort()));

200

} else {

201

authenticateCC.append(config.getRealmName());

202

}

203

authenticateCC.append('\"');

204

authenticate.toChars();

205

response.sendError(HttpServletResponse.SC_UNAUTHORIZED);

206

//response.flushBuffer();

207

return (false);

208

209

}

210

211

212

}

Older »