This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 8dccf2924b Remove secret init-param default value
8dccf2924b is described below
commit 8dccf2924b51f668df8f0d9902c7e5f192a2db09
Author: remm <r...@apache.org>
AuthorDate: Tue Sep 10 15:12:50 2024 +0200
Remove secret init-param default value
Found by Coverity.
---
 java/org/apache/catalina/servlets/LocalStrings.properties | 1 +
 java/org/apache/catalina/servlets/WebdavServlet.java | 4 +++-
 webapps/docs/changelog.xml | 4 ++++
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/servlets/LocalStrings.properties b/java/org/apache/catalina/servlets/LocalStrings.properties
index 38807654a3..3c0f381c72 100644
--- a/java/org/apache/catalina/servlets/LocalStrings.properties
+++ b/java/org/apache/catalina/servlets/LocalStrings.properties
@@ -56,3 +56,4 @@ directory.title=Directory Listing For [{0}]
 webdavservlet.externalEntityIgnored=The request included a reference to an external entity with PublicID [{0}] and SystemID [{1}] which was ignored
 webdavservlet.inputstreamclosefail=Failed to close the inputStream of [{0}]
 webdavservlet.jaxpfailed=JAXP initialization failed
+webdavservlet.noSecret=Generation of secure lock ids need a configured 'secret' init parameter on the Servlet
diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java b/java/org/apache/catalina/servlets/WebdavServlet.java
index f3280fde49..155d1590d6 100644
--- a/java/org/apache/catalina/servlets/WebdavServlet.java
+++ b/java/org/apache/catalina/servlets/WebdavServlet.java
@@ -240,7 +240,7 @@ public class WebdavServlet extends DefaultServlet implements PeriodicEventListen
 /**
 * Secret information used to generate reasonably secure lock ids.
 */
- private String secret = "catalina";
+ private String secret = null;
 /**
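Review bot: With `secret` now defaulting to `null`, an unconfigured servlet is not necessarily any safer than it was with `catalina`: if the lock-id code (outside this hunk, so this is inferred) concatenates `secret` into the token input, Java renders it as the fixed text `null`, which is just as guessable. The `else` branch added in the next hunk of this file only logs and leaves the field unset. Consider assigning an unpredictable per-instance value there, e.g. `secret = UUID.randomUUID().toString();` (needs `java.util.UUID`), or refusing to issue locks until a secret is configured. The field Javadoc should also state the new contract, e.g. `Secret used when generating lock ids; null until the 'secret' init parameter is configured.`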
@@ -264,6 +264,8 @@ public class WebdavServlet extends DefaultServlet implements PeriodicEventListen
 if (getServletConfig().getInitParameter("secret") != null) {
 secret = getServletConfig().getInitParameter("secret");
+ } else {
+ log(sm.getString("webdavservlet.noSecret"));
 }
 if (getServletConfig().getInitParameter("maxDepth") != null) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 40506dce83..788a5a2682 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -119,6 +119,10 @@
 Add support for the new Servlet API method <code>HttpServletResponse.sendEarlyHints()</code>. (markt)
 </add>
+ <update>
+ Remove default value (was <code>catalina</code>) for the
+ <code>secret</code> init parameter of the WebDAV Servlet. (remm)
+ </update>
 </changelog>
 </subsection>
 <subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
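Review bot: The missing-secret message in the new `else` branch goes through `log(String)`, which carries no severity, so a security-relevant misconfiguration is reported like routine servlet output and is easy to miss in monitoring. A comment on the branch such as `// No secret configured: lock ids are not protected by a private value` would tell maintainers why initialisation still continues. The message text added in LocalStrings.properties also reads `need` where `needs` is meant. The enclosing method starts and ends outside this hunk.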