Author: markt
Date: Mon Nov 9 13:04:52 2009
New Revision: 834047
URL: http://svn.apache.org/viewvc?rev=834047&view=rev
Log:
Fix CVE-2009-3548.
When installing using defaults, don't create an administrative user with a
blank password.
Note: This is already public - it was discussed on the users list. The formal
announcement will go out shortly.
The patch also includes making the Manager and Host-Manager applications
separately selectable with the addition of an administrative user only enabled
if one of the manager apps is selected
Modified:
tomcat/trunk/res/tomcat.nsi
Modified: tomcat/trunk/res/tomcat.nsi
URL:
http://svn.apache.org/viewvc/tomcat/trunk/res/tomcat.nsi?rev=834047&r1=834046&r2=834047&view=diff
==============================================================================
--- tomcat/trunk/res/tomcat.nsi (original)
+++ tomcat/trunk/res/tomcat.nsi Mon Nov 9 13:04:52 2009
@@ -98,7 +98,9 @@
LangString DESC_SecTomcatNative ${LANG_ENGLISH} "Install APR based Tomcat
native .dll for better performance and scalability in production environments."
LangString DESC_SecMenu ${LANG_ENGLISH} "Create a Start Menu program group
for Tomcat."
LangString DESC_SecDocs ${LANG_ENGLISH} "Install the Tomcat documentation
bundle. This include documentation on the servlet container and its
configuration options, on the Jasper JSP page compiler, as well as on the
native webserver connectors."
- LangString DESC_SecExamples ${LANG_ENGLISH} "Installs some examples web
applications."
+ LangString DESC_SecManager ${LANG_ENGLISH} "Install the Tomcat Manager
administrative web application."
+ LangString DESC_SecHostManager ${LANG_ENGLISH} "Install the Tomcat Host
Manager administrative web application."
+ LangString DESC_SecExamples ${LANG_ENGLISH} "Install the Servlet and JSP
example web applications."
;Language
!insertmacro MUI_LANGUAGE English
@@ -149,10 +151,6 @@
File conf\*.*
SetOutPath $INSTDIR\webapps\ROOT
File /r webapps\ROOT\*.*
- SetOutPath $INSTDIR\webapps\host-manager
- File /r webapps\host-manager\*.*
- SetOutPath $INSTDIR\webapps\manager
- File /r webapps\manager\*.*
Call configure
Call findJavaPath
@@ -292,6 +290,26 @@
SectionEnd
+Section "Manager" SecManager
+
+ SectionIn 1 3
+
+ SetOverwrite on
+ SetOutPath $INSTDIR\webapps\manager
+ File /r webapps\manager\*.*
+
+SectionEnd
+
+Section "Host Manager" SecHostManager
+
+ SectionIn 3
+
+ SetOverwrite on
+ SetOutPath $INSTDIR\webapps\host-manager
+ File /r webapps\host-manager\*.*
+
+SectionEnd
+
Section "Examples" SecExamples
SectionIn 3
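Review bot: The new `Manager` section is placed in install types 1 and 3 while `Host Manager` is only in type 3, and nothing in the hunk records why the two administrative applications are treated differently. A one-line comment above each section would preserve the intent, e.g. `; Manager is part of install types 1 and 3; selecting it enables the admin credential fields on the configuration page` and `; Host Manager is only part of install type 3`. The names of the install types are defined outside this hunk, so the wording should be checked against them.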
@@ -339,7 +357,38 @@
Function SetConfiguration
!insertmacro MUI_HEADER_TEXT "$(TEXT_CONF_TITLE)" "$(TEXT_CONF_SUBTITLE)"
+
+ SectionGetFlags ${SecManager} $0
+ IntOp $0 $0 & ${SF_SELECTED}
+ IntCmp $0 0 0 Enable Enable
+ SectionGetFlags ${SecHostManager} $0
+ IntOp $0 $0 & ${SF_SELECTED}
+ IntCmp $0 0 Disable 0 0
+
+Enable:
+ ; Enable the user and password controls if the manager or host-manager app is
+ ; being installed
+ !insertmacro MUI_INSTALLOPTIONS_READ $0 "config.ini" "Field 5" "HWND"
+ !insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 5" "Flags" ""
+ EnableWindow $0 1
+ !insertmacro MUI_INSTALLOPTIONS_READ $0 "config.ini" "Field 7" "HWND"
+ !insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 7" "Flags" ""
+ EnableWindow $0 1
+ Goto Display
+
+Disable:
+ ; Disable the user and password controls if neither the manager nor
+ ; host-manager app is being installed
+ !insertmacro MUI_INSTALLOPTIONS_READ $0 "config.ini" "Field 5" "HWND"
+ !insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 5" "Flags"
"DISABLED"
+ EnableWindow $0 0
+ !insertmacro MUI_INSTALLOPTIONS_READ $0 "config.ini" "Field 7" "HWND"
+ !insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 7" "Flags"
"DISABLED"
+ EnableWindow $0 0
+
+Display:
!insertmacro MUI_INSTALLOPTIONS_DISPLAY "config.ini"
+
FunctionEnd
Function Void
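Review bot: The `Disable:` branch at the bottom of the hunk greys out the two controls but does not clear their `State`, so a user name and password typed before the manager sections were deselected on the components page would survive in config.ini; whether they are then written to tomcat-users.xml depends on the later read, which is outside this hunk and appears to check only for blank values. Resetting the values next to the flags closes that gap: `!insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 5" "State" ""` and the same line for `"Field 7"`. A short comment naming the fields, such as `; Field 5 = admin user name, Field 7 = admin password - keep in sync with config.ini`, would also help, since the numbers are the only link to the ini file and their meaning is currently only implied by the branch comments.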
@@ -355,6 +404,8 @@
!insertmacro MUI_DESCRIPTION_TEXT ${SecTomcatNative} $(DESC_SecTomcatNative)
!insertmacro MUI_DESCRIPTION_TEXT ${SecMenu} $(DESC_SecMenu)
!insertmacro MUI_DESCRIPTION_TEXT ${SecDocs} $(DESC_SecDocs)
+ !insertmacro MUI_DESCRIPTION_TEXT ${SecManager} $(DESC_SecManager)
+ !insertmacro MUI_DESCRIPTION_TEXT ${SecHostManager} $(DESC_SecHostManager)
!insertmacro MUI_DESCRIPTION_TEXT ${SecExamples} $(DESC_SecExamples)
!insertmacro MUI_FUNCTION_DESCRIPTION_END
@@ -556,11 +607,13 @@
Call xmlEscape
Pop $R2
+ StrCmp $R1 "" +4 0 ; Blank user - do not add anything to tomcat-users.xml
+ StrCmp $R2 "" +3 0 ; Blank password - do not add anything to
tomcat-users.xml
StrCpy $R5 '<user name="$R1" password="$R2" roles="admin,manager" />'
-
+ DetailPrint 'Admin user added: "$R1"'
+
Silent:
DetailPrint 'HTTP/1.1 Connector configured on port "$R0"'
- DetailPrint 'Admin user added: "$R1"'
SetOutPath $TEMP
File /r confinstall
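Review bot: The two guards added at the top of the hunk skip the user-line construction with relative jumps (`+4`, `+3`), so any instruction later inserted between them and the `Silent:` label would silently re-enable writing a user with a blank name or password, which is the condition this commit fixes. Jumping to the label keeps the guard intact under future edits: `StrCmp $R1 "" Silent 0 ; Blank user - do not add anything to tomcat-users.xml` and `StrCmp $R2 "" Silent 0 ; Blank password - do not add anything to tomcat-users.xml`. The skipped path also leaves $R5 untouched and logs nothing; if $R5 is not initialised to an empty string earlier in the function (outside this hunk), a stale value could still reach tomcat-users.xml, so that initialisation is worth confirming. The enclosing function starts and ends outside the hunk.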