https://issues.apache.org/bugzilla/show_bug.cgi?id=57027
Bug ID: 57027
Summary: DigestCredentialHandlerBase and HexUtils shall test for invalid hex characters
Product: Tomcat 8
Version: trunk
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
This is for the current trunk, for code added after the 8.0.14 release. Tomcat 8.0.14 is OK.
The recently added DigestCredentialHandlerBase.matchSaltIterationsEncoded()
does the following:
byte[] salt = HexUtils.fromHexString(hexSalt);
As I mentioned in the "Re: r1627000" thread on dev@, the fromHexString method does not check the correctness of its arguments. It shall check that
a) The string length is a multiple of 2.
b) All characters are valid hex digits.
The current code will produce bogus results if the above conditions are not true.
The DigestCredentialHandlerBase class already has a facility for reporting invalid stored credentials, controlled by its logInvalidStoredCredentials field.
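The two checks the report asks for, as an added example written for this bug rather than Tomcat's own HexUtils code: a hex decoder that rejects an odd digit count and any non-hex character (ASCII 0-9, a-f, A-F only) instead of decoding them into bogus bytes. A caller such as matchSaltIterationsEncoded() could catch the exception and hand the failure to the existing invalid-stored-credentials reporting; the class name StrictHex is assumed.

```java
import java.util.Arrays;

// Added example, not Tomcat's HexUtils: a decoder that validates its input.
public final class StrictHex {

    /** Decodes a hex string, or throws IllegalArgumentException if it is malformed. */
    public static byte[] fromHexString(String hex) {
        if (hex == null) {
            throw new IllegalArgumentException("hex string is null");
        }
        // a) the length must be a multiple of 2: every byte needs exactly two digits
        if (hex.length() % 2 != 0) {
            throw new IllegalArgumentException("odd number of hex digits: " + hex.length());
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = hexDigit(hex.charAt(2 * i));
            int lo = hexDigit(hex.charAt(2 * i + 1));
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    // b) every character must be an ASCII hex digit; anything else is rejected.
    // Ranges are checked by hand so that non-ASCII digits are not silently accepted.
    private static int hexDigit(char c) {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        if (c >= 'A' && c <= 'F') return c - 'A' + 10;
        throw new IllegalArgumentException("invalid hex character: '" + c + "'");
    }

    public static void main(String[] args) {
        // constructed sample: a well-formed stored salt decodes normally
        System.out.println(Arrays.toString(fromHexString("00ff7A")));
        // constructed malformed samples: odd length, non-hex letters, a mixed pair
        for (String bad : new String[] {"abc", "zz", "0g"}) {
            try {
                fromHexString(bad);
                System.out.println(bad + ": accepted (must not happen)");
            } catch (IllegalArgumentException e) {
                System.out.println(bad + ": rejected, " + e.getMessage());
            }
        }
    }
}
```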