Author: markt
Date: Wed Apr 21 22:11:29 2010
New Revision: 936539
URL: http://svn.apache.org/viewvc?rev=936539&view=rev
Log:
Fix CVE-2010-1157.
Prevent possible disclosure of host name or IP address via the HTTP
WWW-Authenticate header when using BASIC or DIGEST authentication.
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java
tomcat/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java
tomcat/trunk/webapps/docs/realm-howto.xml
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=936539&r1=936538&r2=936539&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
Wed Apr 21 22:11:29 2010
@@ -107,6 +107,11 @@ public abstract class AuthenticatorBase
protected static final String AUTH_HEADER_NAME = "WWW-Authenticate";
/**
+ * Default authentication realm name.
+ */
+ protected static final String REALM_NAME = "Authentication required";
+
+ /**
* The message digest algorithm to be used when generating session
* identifiers. This must be an algorithm supported by the
* <code>java.security.MessageDigest</code> class on your platform.
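Review bot: The Javadoc on the new `REALM_NAME` constant says only "Default authentication realm name." and does not record why it is a fixed string, which is the whole point of this change and is the first thing a later maintainer will be tempted to "improve" back into something host-specific. I would extend the comment to: `* Default authentication realm name, used for BASIC and DIGEST challenges when no <realm-name> is configured.` / `* Deliberately a fixed string: the WWW-Authenticate header must never echo the server's host name or port.` A second sentence is worth adding for DIGEST, where the realm is an input to the digested credential (user:realm:password, as the realm-howto change in this commit shows), so any change to this default invalidates pre-digested passwords stored against the previous value. That consequence is inferred from the docs hunk rather than from code visible here, so word it accordingly.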
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java?rev=936539&r1=936538&r2=936539&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java
Wed Apr 21 22:11:29 2010
@@ -165,9 +165,7 @@ public class BasicAuthenticator
StringBuilder value = new StringBuilder(16);
value.append("Basic realm=\"");
if (config.getRealmName() == null) {
- value.append(request.getServerName());
- value.append(':');
- value.append(Integer.toString(request.getServerPort()));
+ value.append(REALM_NAME);
} else {
value.append(config.getRealmName());
}
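Review bot: The non-null branch on the line after the change still appends `config.getRealmName()` verbatim inside the double-quoted `realm="..."` parameter, so a configured realm containing `"` or `\` produces a malformed challenge; the commit fixes only the null branch. The realm name comes from the deployment descriptor rather than from the request, so this is a robustness point, not a disclosure one, but the quoted-string form still needs escaping: `value.append(config.getRealmName().replace("\\", "\\\\").replace("\"", "\\\""));`. The same fallback-then-append logic is duplicated in the DigestAuthenticator hunk of this commit. The enclosing method begins and ends outside the hunk.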
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java?rev=936539&r1=936538&r2=936539&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java
(original)
+++
tomcat/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java
Wed Apr 21 22:11:29 2010
@@ -408,8 +408,7 @@ public class DigestAuthenticator
// Get the realm name
String realmName = config.getRealmName();
if (realmName == null)
- realmName = request.getServerName() + ":"
- + request.getServerPort();
+ realmName = REALM_NAME;
byte[] buffer = null;
synchronized (md5Helper) {
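Review bot: The null fallback to `REALM_NAME` is now written twice, here and in the BasicAuthenticator hunk, so the two challenge headers can silently drift apart the next time either is touched; a single accessor on AuthenticatorBase that returns the configured realm or `REALM_NAME` would keep BASIC and DIGEST agreeing on the realm that goes into the digested credential. While here, the braceless conditional on the changed line is easy to mis-extend; I would write it as `if (realmName == null) {` / `    realmName = REALM_NAME;` / `}`. The enclosing method starts before the hunk and continues past it, including the `synchronized (md5Helper)` block whose body is not visible here.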
Modified: tomcat/trunk/webapps/docs/realm-howto.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/realm-howto.xml?rev=936539&r1=936538&r2=936539&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/realm-howto.xml (original)
+++ tomcat/trunk/webapps/docs/realm-howto.xml Wed Apr 21 22:11:29 2010
@@ -209,7 +209,11 @@ java org.apache.catalina.realm.RealmBase
<code>{cleartext-password}</code> must be replaced with
<code>{username}:{realm}:{cleartext-password}</code>. For example, in a
development environment this might take the form
- <code>testUser:localhost:8080:testPassword</code>.</p>
+ <code>testUser:Authentication required:testPassword</code>. The value for
+ <code>{realm}</code> is taken from the <code><realm-name></code>
+ element of the web application's <code><login-config></code>. If
+ not specified in web.xml, the default value of <code>Authentication
+ required</code> is used.</p>
<p>To use either of the above techniques, the
<code>$CATALINA_HOME/lib/catalina.jar</code> and