Author: markt Date: Wed Apr 21 22:12:05 2010 New Revision: 936540 URL: http://svn.apache.org/viewvc?rev=936540&view=rev Log: Fix CVE-2010-1157. Prevent possible disclosure of host name or IP address via the HTTP WWW-Authenticate header when using BASIC or DIGEST authentication.
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml tomcat/tc6.0.x/trunk/webapps/docs/realm-howto.xml Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=936540&r1=936539&r2=936540&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java Wed Apr 21 22:12:05 2010 @@ -99,6 +99,11 @@ public abstract class AuthenticatorBase /** + * Default authentication realm name. + */ + protected static final String REALM_NAME = "Authentication required"; + + /** * The message digest algorithm to be used when generating session * identifiers. This must be an algorithm supported by the * <code>java.security.MessageDigest</code> class on your platform. Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java?rev=936540&r1=936539&r2=936540&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java Wed Apr 21 22:12:05 2010 
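Review bot: The Javadoc on the new `REALM_NAME` constant says only that it is the default realm name, not why it is a fixed string, and the reason is exactly what stops a later maintainer from "improving" it back to a request-derived value. Suggest: `/** Default realm for WWW-Authenticate challenges when <login-config> has no <realm-name>. Deliberately a fixed string rather than host:port so the challenge never discloses the server's host name, address or port (CVE-2010-1157). */`. Since the realm is also an input to the DIGEST `{username}:{realm}:{password}` hash documented in the realm-howto hunk, the comment could add that changing this value invalidates credentials digested against the previous default. The surrounding class body continues outside the hunk.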
@@ -194,9 +194,7 @@ public class BasicAuthenticator CharChunk authenticateCC = authenticate.getCharChunk(); authenticateCC.append("Basic realm=\""); if (config.getRealmName() == null) { - authenticateCC.append(request.getServerName()); - authenticateCC.append(':'); - authenticateCC.append(Integer.toString(request.getServerPort())); + authenticateCC.append(REALM_NAME); } else { authenticateCC.append(config.getRealmName()); } Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java?rev=936540&r1=936539&r2=936540&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java Wed Apr 21 22:12:05 2010 @@ -406,8 +406,7 @@ public class DigestAuthenticator // Get the realm name String realmName = config.getRealmName(); if (realmName == null) - realmName = request.getServerName() + ":" - + request.getServerPort(); + realmName = REALM_NAME; byte[] buffer = null; synchronized (md5Helper) { Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=936540&r1=936539&r2=936540&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Wed Apr 21 22:12:05 2010 
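Review bot: The null-fallback to `REALM_NAME` is now written twice with the same contract (configured realm, else the fixed default), here and in the DigestAuthenticator hunk below; a single helper in AuthenticatorBase would keep the two challenges from drifting if the default is ever revisited. A small step in that direction here is to compute the value once and drop the branch: `String realmName = config.getRealmName(); authenticateCC.append(realmName == null ? REALM_NAME : realmName);`, which also mirrors the shape of the Digest code. Separately, the `else` branch still appends the configured realm unescaped inside the quoted-string; that value comes from web.xml rather than the client, but a `"` or `\` in it would produce a malformed header — pre-existing, not introduced by this change. The enclosing method begins and ends outside the hunk.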
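Review bot: The new `realmName = REALM_NAME;` is a silent compatibility change for DIGEST deployments that relied on the old default: the realm is an input to the stored `{username}:{realm}:{password}` digest (per the realm-howto hunk), so credentials digested against the previous `host:port` realm stop validating after upgrade, and the changelog entry does not say so. A why-comment at the assignment would help the next reader, e.g. `// Fixed default so the challenge never discloses host name/port (CVE-2010-1157); the realm feeds the DIGEST hash, so changing it invalidates existing digested credentials.` A one-line mention of the credential regeneration in the changelog entry seems warranted as well. The enclosing method begins and ends outside the hunk.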
@@ -41,6 +41,11 @@ <section name="Tomcat 6.0.27 (jfclere)"> <subsection name="Catalina"> <changelog> + <fix> + Fix CVE-2010-1157. Prevent possible disclosure of host name or IP + address via the HTTP WWW-Authenticate header when using BASIC or DIGEST + authentication. (markt) + </fix> <add> Include context name when reporting memory leaks to aid root cause identification. (markt) Modified: tomcat/tc6.0.x/trunk/webapps/docs/realm-howto.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/realm-howto.xml?rev=936540&r1=936539&r2=936540&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/realm-howto.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/realm-howto.xml Wed Apr 21 22:12:05 2010 @@ -209,7 +209,11 @@ java org.apache.catalina.realm.RealmBase <code>{cleartext-password}</code> must be replaced with <code>{username}:{realm}:{cleartext-password}</code>. For example, in a development environment this might take the form - <code>testUser:localhost:8080:testPassword</code>.</p> + <code>testUser:Authentication required:testPassword</code>. The value for + <code>{realm}</code> is taken from the <code><realm-name></code> + element of the web application's <code><login-config></code>. If + not specified in web.xml, the default value of <code>Authentication + required</code> is used.</p> <p>To use either of the above techniques, the <code>$CATALINA_HOME/lib/catalina.jar</code> and --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org