Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2021-12-12 21:27:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and      /work/SRC/openSUSE:Factory/.tomcat.new.2520 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "tomcat"

Sun Dec 12 21:27:48 2021 rev:79 rq:940058 version:9.0.43

Changes:
--------
--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes    2021-11-10 
21:47:20.695834900 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat.new.2520/tomcat.changes  2021-12-12 
21:28:34.160375656 +0100
@@ -1,0 +2,7 @@
+Fri Dec 10 11:20:54 UTC 2021 - Michele Bussolotto <michele.bussolo...@suse.com>
+
+- Fix NPE in JNDIRealm, when userRoleAttribute is not set (bsc#1193569)
+- Added patch:
+  * tomcat-9.0-NPE-JNDIRealm.patch
+
+-------------------------------------------------------------------

New:
----
  tomcat-9.0-NPE-JNDIRealm.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ tomcat.spec ++++++
--- /var/tmp/diff_new_pack.dbjeYU/_old  2021-12-12 21:28:35.276376317 +0100
+++ /var/tmp/diff_new_pack.dbjeYU/_new  2021-12-12 21:28:35.280376319 +0100
@@ -86,6 +86,7 @@
 Patch7:         tomcat-9.0-CVE-2021-41079.patch
 Patch8:         tomcat-9.0-CVE-2021-33037.patch
 Patch9:         tomcat-9.0-CVE-2021-30640.patch
+Patch10:        tomcat-9.0-NPE-JNDIRealm.patch
 
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@@ -263,6 +264,7 @@
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
 
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl


++++++ tomcat-9.0-NPE-JNDIRealm.patch ++++++
Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/realm/JNDIRealm.java
===================================================================
--- apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/realm/JNDIRealm.java
+++ apache-tomcat-9.0.43-src/java/org/apache/catalina/realm/JNDIRealm.java
@@ -2805,6 +2805,9 @@ public class JNDIRealm extends RealmBase
      * @return String the escaped/encoded result
      */
     protected String doFilterEscaping(String inString) {
+        if (inString == null) {
+            return null;
+        }
         StringBuilder buf = new StringBuilder(inString.length());
         for (int i = 0; i < inString.length(); i++) {
             char c = inString.charAt(i);
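Review bot: The `return null` guard added to doFilterEscaping makes null a legal result of an escaping routine, but the Javadoc visible just above still reads `@return String the escaped/encoded result`, so the new contract is undocumented. The identical guard added to doAttributeValueEscaping in the next hunk has the same gap. I would change the tag to `@return the escaped/encoded result, or {@code null} if {@code inString} is {@code null}` (and the equivalent for `input`), and put a one-line why-comment on each guard, for example `// no value to escape when userRoleAttribute is not configured`. The callers are outside these hunks; if any of them formats or concatenates the result into a search filter or DN, a null would presumably end up as the literal text `null`, so each call site should be confirmed to treat null as "no value" before the query is built. Both method bodies continue past the end of their hunks.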
@@ -2897,6 +2900,9 @@ public class JNDIRealm extends RealmBase
      * @return      The string representation of the attribute value
      */
     protected String doAttributeValueEscaping(String input) {
+        if (input == null) {
+            return null;
+        }
         int len = input.length();
         StringBuilder result = new StringBuilder();
 
Index: 
apache-tomcat-9.0.43-src/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
===================================================================
--- 
apache-tomcat-9.0.43-src.orig/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
+++ 
apache-tomcat-9.0.43-src/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
@@ -56,26 +56,33 @@ public class TestJNDIRealmIntegration {
     @Parameterized.Parameters(name = "{index}: user[{5}], pwd[{6}]")
     public static Collection<Object[]> parameters() {
         List<Object[]> parameterSets = new ArrayList<>();
-        for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B, 
ROLE_SEARCH_C }) {
-            addUsers(USER_PATTERN, null, null, roleSearch, ROLE_BASE, 
parameterSets);
-            addUsers(null, USER_SEARCH, USER_BASE, roleSearch, ROLE_BASE, 
parameterSets);
+        for (String userRoleAttribute : new String[] { "cn", null }) {
+            for (String roleSearch : new String[] { ROLE_SEARCH_A, 
ROLE_SEARCH_B, ROLE_SEARCH_C }) {
+                if (userRoleAttribute != null) {
+                    addUsers(USER_PATTERN, null, null, roleSearch, ROLE_BASE, 
userRoleAttribute, parameterSets);
+                    addUsers(null, USER_SEARCH, USER_BASE, roleSearch, 
ROLE_BASE, userRoleAttribute, parameterSets);
+                }
+            }
+            parameterSets.add(new Object[] { 
"cn={0},ou=s\\;ub,ou=people,dc=example,dc=com", null, null, ROLE_SEARCH_A,
+                    "{3},ou=people,dc=example,dc=com", "testsub", "test", new 
String[] { "TestGroup4" },
+                    userRoleAttribute });
         }
-        parameterSets.add(new Object[] { 
"cn={0},ou=s\\;ub,ou=people,dc=example,dc=com", null, null, ROLE_SEARCH_A,
-                "{3},ou=people,dc=example,dc=com", "testsub", "test", new 
String[] {"TestGroup4"} });
         return parameterSets;
     }
 
 
     private static void addUsers(String userPattern, String userSearch, String 
userBase, String roleSearch,
-            String roleBase, List<Object[]> parameterSets) {
+            String roleBase, String userRoleAttribute, List<Object[]> 
parameterSets) {
         parameterSets.add(new Object[] { userPattern, userSearch, userBase, 
roleSearch, roleBase,
-                "test", "test", new String[] {"TestGroup"} });
+                "test", "test", new String[] {"TestGroup"}, userRoleAttribute 
});
         parameterSets.add(new Object[] { userPattern, userSearch, userBase, 
roleSearch, roleBase,
-                "t;", "test", new String[] {"TestGroup"} });
+                "t;", "test", new String[] {"TestGroup"}, userRoleAttribute });
         parameterSets.add(new Object[] { userPattern, userSearch, userBase, 
roleSearch, roleBase,
-                "t*", "test", new String[] {"TestGroup"} });
+                "t*", "test", new String[] {"TestGroup"}, userRoleAttribute });
         parameterSets.add(new Object[] { userPattern, userSearch, userBase, 
roleSearch, roleBase,
-                "t=", "test", new String[] {"Test<Group*2", "Test>Group*3"} });
+                "t=", "test", new String[] {"Test<Group*2", "Test>Group*3"}, 
userRoleAttribute });
+        parameterSets.add(new Object[] { userPattern, userSearch, userBase, 
roleSearch, roleBase,
+                "norole", "test", new String[0], userRoleAttribute });
     }
 
 
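Review bot: In parameters(), the `if (userRoleAttribute != null)` guard sits inside the roleSearch loop, so for the null attribute the loop does nothing and the only parameter set produced is the single `testsub` entry with ROLE_SEARCH_A. The configuration this patch fixes is therefore not exercised with the escaping-sensitive user names (`t;`, `t*`, `t=`), with the new `norole` user, or with ROLE_SEARCH_B and ROLE_SEARCH_C. If some of those combinations cannot work without a userRoleAttribute, a short comment above the guard saying so would help, e.g. `// role searches that depend on the user role attribute are skipped when it is unset`; otherwise consider adding at least the `norole` case for the null attribute. As a style point, the null check could be hoisted outside the inner loop so that the empty iteration is not left for the reader to work out.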
@@ -95,6 +102,8 @@ public class TestJNDIRealmIntegration {
     public String credentials;
     @Parameter(7)
     public String[] groups;
+    @Parameter(8)
+    public String realmConfigUserRoleAttribute;
 
     @Test
     public void testAuthenication() throws Exception {
@@ -105,7 +114,7 @@ public class TestJNDIRealmIntegration {
         realm.setUserPattern(realmConfigUserPattern);
         realm.setUserSearch(realmConfigUserSearch);
         realm.setUserBase(realmConfigUserBase);
-        realm.setUserRoleAttribute("cn");
+        realm.setUserRoleAttribute(realmConfigUserRoleAttribute);
         realm.setRoleName("cn");
         realm.setRoleBase(realmConfigRoleBase);
         realm.setRoleSearch(realmConfigRoleSearch);
@@ -197,6 +206,17 @@ public class TestJNDIRealmIntegration {
             result = conn.processOperation(addUserTestEquals);
             Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode());
 
+            AddRequest addUserNoRole = new AddRequest(
+                    "dn: cn=norole,ou=people,dc=example,dc=com",
+                    "objectClass: top",
+                    "objectClass: person",
+                    "objectClass: organizationalPerson",
+                    "cn: norole",
+                    "sn: No Role",
+                    "userPassword: test");
+            result = conn.processOperation(addUserNoRole);
+            Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode());
+
             AddRequest addGroupTest = new AddRequest(
                     "dn: cn=TestGroup,ou=people,dc=example,dc=com",
                     "objectClass: top",
Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
@@ -107,6 +107,10 @@
   <subsection name="Catalina">
     <changelog>
       <fix>
+        <bug>63508</bug>: NPE in JNDIRealm when no 
<code>userRoleAttribute</code>
+        is given. (fschumacher)
+      </fix>
+      <fix>
         <bug>65106</bug>: Fix the ConfigFileLoader handling of file URIs when
         running under a security manager on some JREs. (markt)
       </fix>
