tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: [PATCH] Bug 22715
Date Thu, 04 Sep 2003 19:53:38 GMT

----- Original Message -----
From: "Mark Thomas" <medthomas@ntlworld.com>
To: <tomcat-dev@jakarta.apache.org>
Sent: Thursday, September 04, 2003 11:46 AM
Subject: [PATCH] Bug 22715


> Resending. I seem to be having e-mail problems...
>
> The patches below (TC5 and TC4) fix bug 22715 in that they ensure that xml
> entities are correctly written back out to the password field of
> tomcat-users.xml
>
> I did consider a more general patch to allow xml entities in user names, group
> names and role names but wasn't sure of the potential side effects. I also
> think that users are far more likely to want to use these characters in
> passwords than in user names, group names or role names. Thoughts? If the
> general consensus is that a more general patch is required, I am happy to
> produce one.
>

Depending on how/if UDBR wants to support CLIENT-CERT auth, you'll likely
need to escape the user name as well (the full X509 Subject may contain
embedded " characters in it).

> Mark
>
>
> Index: catalina/src/share/org/apache/catalina/users/MemoryUser.java
> ===================================================================
> RCS file:
>
/home/cvspublic/jakarta-tomcat-catalina/catalina/src/share/org/apache/catali
> na/users/MemoryUser.java,v
> retrieving revision 1.2
> diff -u -r1.2 MemoryUser.java
> --- catalina/src/share/org/apache/catalina/users/MemoryUser.java 2 Sep
2003
> 21:22:03 -0000 1.2
> +++ catalina/src/share/org/apache/catalina/users/MemoryUser.java 3 Sep
2003
> 23:01:54 -0000
> @@ -70,6 +70,7 @@
>  import org.apache.catalina.Group;
>  import org.apache.catalina.Role;
>  import org.apache.catalina.UserDatabase;
> +import org.apache.catalina.util.RequestUtil;
>
>
>  /**
> @@ -296,7 +297,7 @@
>          StringBuffer sb = new StringBuffer("<user username=\"");
>          sb.append(username);
>          sb.append("\" password=\"");
> -        sb.append(password);
> +        sb.append(RequestUtil.filter(password));
>          sb.append("\"");
>          if (fullName != null) {
>              sb.append(" fullName=\"");
>
>
>
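
Review bot: sb.append(username), two lines above the changed line, still writes the user name into the username attribute unescaped, so a name containing a double quote, & or < would produce the same malformed tomcat-users.xml entry that this patch fixes for passwords. Suggest sb.append(RequestUtil.filter(username)); there as well, and checking the fullName value whose attribute is opened in the last context line. A one-line comment saying that RequestUtil.filter is used here as an XML attribute escaper would also help, since the class name suggests request handling.
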
> Index: catalina/src/share/org/apache/catalina/users/MemoryUser.java
> ===================================================================
> RCS file:
>
/home/cvspublic/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/us
> ers/MemoryUser.java,v
> retrieving revision 1.5
> diff -u -r1.5 MemoryUser.java
> --- catalina/src/share/org/apache/catalina/users/MemoryUser.java 10 Feb
2002
> 08:06:20 -0000 1.5
> +++ catalina/src/share/org/apache/catalina/users/MemoryUser.java 3 Sep
2003
> 22:45:49 -0000
> @@ -68,8 +68,8 @@
>  import java.util.Iterator;
>  import org.apache.catalina.Group;
>  import org.apache.catalina.Role;
> -import org.apache.catalina.User;
>  import org.apache.catalina.UserDatabase;
> +import org.apache.catalina.util.RequestUtil;
>
>
>  /**
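
Review bot: the removal of "import org.apache.catalina.User;" in this hunk is not mentioned in the patch description and is unrelated to the password escaping. Please confirm that nothing in MemoryUser.java still refers to User by its simple name, or leave the import alone so that the TC4 change is limited to the fix, as the TC5 version is.
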
> @@ -296,7 +296,7 @@
>          StringBuffer sb = new StringBuffer("<user username=\"");
>          sb.append(username);
>          sb.append("\" password=\"");
> -        sb.append(password);
> +        sb.append(RequestUtil.filter(password));
>          sb.append("\"");
>          if (fullName != null) {
>              sb.append(" fullName=\"");
>
>
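
Review bot: the escaping is applied only at the point of serialisation, sb.append(RequestUtil.filter(password)), so the fix relies on the XML parser decoding the entities again when the file is loaded. A short comment at this line stating that the password is held unescaped in memory and filtered only when written out would stop a later change from comparing credentials against the filtered form. A regression test that saves and reloads a user whose password contains & and a double quote would cover both the TC4 and TC5 versions.
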
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
>
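
Added example, not part of the original messages or of Tomcat's code: the save-and-reload round trip discussed in this thread, writing a <user> element with its attribute values escaped and unescaped and parsing each back. escapeAttr, userElement and roundTrip are hypothetical helpers (escapeAttr stands in for RequestUtil.filter), and the subject name and password are constructed sample values.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;

public class UserAttrEscapeDemo {
    // Hypothetical helper, not Tomcat's RequestUtil.filter: escapes the
    // characters that may not appear raw in a double-quoted XML attribute.
    static String escapeAttr(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                default:  sb.append(c);
            }
        }
        return sb.toString();
    }

    // Builds a <user> element by string concatenation, as the patched
    // method does, with or without escaping of both attribute values.
    static String userElement(String username, String password, boolean escape) {
        String u = escape ? escapeAttr(username) : username;
        String p = escape ? escapeAttr(password) : password;
        return "<user username=\"" + u + "\" password=\"" + p + "\"/>";
    }

    // Parses the element back, as a reload of tomcat-users.xml would.
    static String[] roundTrip(String xml) throws Exception {
        Element e = DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        return new String[] { e.getAttribute("username"), e.getAttribute("password") };
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: a certificate subject with embedded
        // quotes and a password containing XML metacharacters.
        String dn = "CN=\"Smith, J\", O=Example, C=US";
        String pw = "p&ss<w\"rd";
        String[] back = roundTrip(userElement(dn, pw, true));
        System.out.println("escaped round trip intact: "
            + (dn.equals(back[0]) && pw.equals(back[1])));
        try {
            roundTrip(userElement(dn, pw, false));
        } catch (SAXException ex) {
            System.out.println("unescaped element rejected by the parser");
        }
    }
}
```
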

