Author: markt
Date: Wed Apr 21 22:13:26 2010
New Revision: 936541
URL: http://svn.apache.org/viewvc?rev=936541&view=rev
Log:
Fix CVE-2010-1157.
Prevent possible disclosure of host name or IP address via the HTTP
WWW-Authenticate header when using BASIC or DIGEST authentication.
Modified:
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/BasicAuthenticator.java
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/DigestAuthenticator.java
tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
tomcat/tc5.5.x/trunk/container/webapps/docs/realm-howto.xml
Modified:
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=936541&r1=936540&r2=936541&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
(original)
+++
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
Wed Apr 21 22:13:26 2010
@@ -99,6 +99,11 @@ public abstract class AuthenticatorBase
/**
+ * Default authentication realm name.
+ */
+ protected static final String REALM_NAME = "Authentication required";
+
+ /**
* The message digest algorithm to be used when generating session
* identifiers. This must be an algorithm supported by the
* <code>java.security.MessageDigest</code> class on your platform.
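Review bot: The Javadoc on the new `REALM_NAME` constant says only "Default authentication realm name", which does not record why a fixed string replaced the server name and port; a later maintainer could reintroduce the disclosure by "improving" the default. I would extend it to: `Default realm name used when no <realm-name> is configured. Deliberately a fixed string so that the WWW-Authenticate challenge does not reveal the server's host name or port (CVE-2010-1157). Note that for DIGEST authentication this value is also part of the digested credential, so changing it invalidates stored digests.` The hunk's leading context lines appear to have been dropped in extraction, so the exact placement of the preceding field is inferred.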
Modified:
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/BasicAuthenticator.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/BasicAuthenticator.java?rev=936541&r1=936540&r2=936541&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/BasicAuthenticator.java
(original)
+++
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/BasicAuthenticator.java
Wed Apr 21 22:13:26 2010
@@ -194,9 +194,7 @@ public class BasicAuthenticator
CharChunk authenticateCC = authenticate.getCharChunk();
authenticateCC.append("Basic realm=\"");
if (config.getRealmName() == null) {
- authenticateCC.append(request.getServerName());
- authenticateCC.append(':');
- authenticateCC.append(Integer.toString(request.getServerPort()));
+ authenticateCC.append(REALM_NAME);
} else {
authenticateCC.append(config.getRealmName());
}
Modified:
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/DigestAuthenticator.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/DigestAuthenticator.java?rev=936541&r1=936540&r2=936541&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/DigestAuthenticator.java
(original)
+++
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/DigestAuthenticator.java
Wed Apr 21 22:13:26 2010
@@ -406,8 +406,7 @@ public class DigestAuthenticator
// Get the realm name
String realmName = config.getRealmName();
if (realmName == null)
- realmName = request.getServerName() + ":"
- + request.getServerPort();
+ realmName = REALM_NAME;
byte[] buffer = null;
synchronized (md5Helper) {
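Review bot: Switching the DIGEST fallback realm from `request.getServerName() + ":" + request.getServerPort()` to `REALM_NAME` silently changes the `{username}:{realm}:{cleartext-password}` input that realm-howto documents, so any deployment that stored pre-digested passwords under the old `host:port` realm (the howto's former `testUser:localhost:8080:testPassword` example) will stop authenticating users after upgrade unless an explicit `<realm-name>` matching the old value is added or the digests are regenerated. The changelog entry in this commit does not mention that migration step; I would add a sentence to it and a `// NOTE: also the realm component of digested passwords; see realm-howto` comment above the assignment. As a style point the single-statement `if` on the line before is unbraced, `if (realmName == null) { realmName = REALM_NAME; }` would be safer given the assignment was just shortened from two lines to one. The enclosing method begins and ends outside the hunk.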
Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=936541&r1=936540&r2=936541&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Wed Apr 21
22:13:26 2010
@@ -51,6 +51,11 @@
<subsection name="Catalina">
<changelog>
<fix>
+ Fix CVE-2010-1157. Prevent possible disclosure of host name or IP
+ address via the HTTP WWW-Authenticate header when using BASIC or DIGEST
+ authentication. (markt)
+ </fix>
+ <fix>
<bug>44041</bug>, <bug>48694</bug>: Fix duplicate class definition
under load. Avoid possible deadlock in class loading.
(markt/kkolinko)
Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/realm-howto.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/realm-howto.xml?rev=936541&r1=936540&r2=936541&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/realm-howto.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/realm-howto.xml Wed Apr 21
22:13:26 2010
@@ -236,7 +236,11 @@ java org.apache.catalina.realm.RealmBase
<code>{cleartext-password}</code> must be replaced with
<code>{username}:{realm}:{cleartext-password}</code>. For example, in a
development environment this might take the form
- <code>testUser:localhost:8080:testPassword</code>.</p>
+ <code>testUser:Authentication required:testPassword</code>. The value for
+ <code>{realm}</code> is taken from the <code><realm-name></code>
+ element of the web application's <code><login-config></code>. If
+ not specified in web.xml, the default value of <code>Authentication
+ required</code> is used.</p>
<p>To use either of the above techniques, the
<code>$CATALINA_HOME/server/lib/catalina.jar</code> file will need to be