Author: markt
Date: Wed Apr 21 22:13:26 2010
New Revision: 936541

URL: http://svn.apache.org/viewvc?rev=936541&view=rev
Log:
Fix CVE-2010-1157.
Prevent possible disclosure of host name or IP address via the HTTP 
WWW-Authenticate header when using BASIC or DIGEST authentication.

Modified:
    
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
    
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/BasicAuthenticator.java
    
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/DigestAuthenticator.java
    tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
    tomcat/tc5.5.x/trunk/container/webapps/docs/realm-howto.xml

Modified: 
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=936541&r1=936540&r2=936541&view=diff
==============================================================================
--- 
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
 (original)
+++ 
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
 Wed Apr 21 22:13:26 2010
@@ -99,6 +99,11 @@ public abstract class AuthenticatorBase
 
 
     /**
+     * Default authentication realm name.
+     */
+    protected static final String REALM_NAME = "Authentication required";
+
+    /**
      * The message digest algorithm to be used when generating session
      * identifiers.  This must be an algorithm supported by the
      * <code>java.security.MessageDigest</code> class on your platform.
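Review bot: The Javadoc on `REALM_NAME` only says "Default authentication realm name" and does not record why a fixed string is used, which is the whole point of this fix; the next maintainer may "improve" it back to something request-derived. I would extend the comment to: `Default authentication realm name, used when the web application's <login-config> has no <realm-name>. Deliberately a constant rather than serverName:port so the WWW-Authenticate header does not disclose the host name or IP address (CVE-2010-1157).` Note also that for DIGEST this value is part of the digested credential (username:realm:password), so the comment should warn that changing it invalidates stored digests created with a different default.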

Modified: 
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/BasicAuthenticator.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/BasicAuthenticator.java?rev=936541&r1=936540&r2=936541&view=diff
==============================================================================
--- 
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/BasicAuthenticator.java
 (original)
+++ 
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/BasicAuthenticator.java
 Wed Apr 21 22:13:26 2010
@@ -194,9 +194,7 @@ public class BasicAuthenticator
         CharChunk authenticateCC = authenticate.getCharChunk();
         authenticateCC.append("Basic realm=\"");
         if (config.getRealmName() == null) {
-            authenticateCC.append(request.getServerName());
-            authenticateCC.append(':');
-            authenticateCC.append(Integer.toString(request.getServerPort()));
+            authenticateCC.append(REALM_NAME);
         } else {
             authenticateCC.append(config.getRealmName());
         }
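Review bot: The `else` branch on the new side still appends `config.getRealmName()` verbatim inside the quoted `Basic realm="..."` value, so a `<realm-name>` containing a double quote, backslash or CR/LF (admin-controlled via web.xml, so low risk, but unvalidated as far as this hunk shows) would produce a malformed or split WWW-Authenticate header. If this is not validated at deployment time elsewhere, I would at least escape `"` and `\` before appending, or reject such values when the login config is parsed. A short comment on the new `REALM_NAME` line, `// fixed realm: avoid leaking host name/IP via the challenge (CVE-2010-1157)`, would also help. The enclosing method starts before and ends after this hunk.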

Modified: 
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/DigestAuthenticator.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/DigestAuthenticator.java?rev=936541&r1=936540&r2=936541&view=diff
==============================================================================
--- 
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/DigestAuthenticator.java
 (original)
+++ 
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/DigestAuthenticator.java
 Wed Apr 21 22:13:26 2010
@@ -406,8 +406,7 @@ public class DigestAuthenticator
         // Get the realm name
         String realmName = config.getRealmName();
         if (realmName == null)
-            realmName = request.getServerName() + ":"
-                + request.getServerPort();
+            realmName = REALM_NAME;
 
         byte[] buffer = null;
         synchronized (md5Helper) {
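Review bot: For DIGEST the realm name is not just displayed, it is an input to the credential digest (`username:realm:password`, as the updated realm-howto states), so replacing the `serverName:port` fallback with `REALM_NAME` silently invalidates any digested passwords that were generated against the old default; the code gives no hint of this. I would add a comment at the assignment: `// Fixed default realm (CVE-2010-1157). Digested credentials are bound to the realm string, so deployments that relied on the old host:port default must set <realm-name> or regenerate their digests.` Consider also logging once at startup when `config.getRealmName()` is null and the realm uses digested passwords, so the behavior change is visible to operators rather than appearing as inexplicable login failures. The enclosing method starts before and continues after this hunk.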

Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=936541&r1=936540&r2=936541&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Wed Apr 21 
22:13:26 2010
@@ -51,6 +51,11 @@
   <subsection name="Catalina">
     <changelog>
       <fix>
+        Fix CVE-2010-1157. Prevent possible disclosure of host name or IP
+        address via the HTTP WWW-Authenticate header when using BASIC or DIGEST
+        authentication. (markt)
+      </fix>
+      <fix>
         <bug>44041</bug>, <bug>48694</bug>: Fix duplicate class definition
         under load. Avoid possible deadlock in class loading.
         (markt/kkolinko)

Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/realm-howto.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/realm-howto.xml?rev=936541&r1=936540&r2=936541&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/realm-howto.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/realm-howto.xml Wed Apr 21 
22:13:26 2010
@@ -236,7 +236,11 @@ java org.apache.catalina.realm.RealmBase
    <code>{cleartext-password}</code> must be replaced with 
    <code>{username}:{realm}:{cleartext-password}</code>. For example, in a
    development environment this might take the form
-   <code>testUser:localhost:8080:testPassword</code>.</p>
+   <code>testUser:Authentication required:testPassword</code>. The value for
+   <code>{realm}</code> is taken from the <code>&lt;realm-name&gt;</code>
+   element of the web application's <code>&lt;login-config&gt;</code>. If
+   not specified in web.xml, the default value of <code>Authentication
+   required</code> is used.</p>
 
 <p>To use either of the above techniques, the
 <code>$CATALINA_HOME/server/lib/catalina.jar</code> file will need to be


