Return-Path: X-Original-To: apmail-tomcat-dev-archive@www.apache.org Delivered-To: apmail-tomcat-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id AB45918A3B for ; Mon, 5 Oct 2015 04:15:28 +0000 (UTC) Received: (qmail 55414 invoked by uid 500); 5 Oct 2015 04:15:28 -0000 Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org Received: (qmail 55336 invoked by uid 500); 5 Oct 2015 04:15:28 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 55326 invoked by uid 99); 5 Oct 2015 04:15:28 -0000 Received: from Unknown (HELO spamd4-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 05 Oct 2015 04:15:28 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id 94433C0E3A for ; Mon, 5 Oct 2015 04:15:27 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 1.794 X-Spam-Level: * X-Spam-Status: No, score=1.794 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, KAM_LAZY_DOMAIN_SECURITY=1, RP_MATCHES_RCVD=-0.006] autolearn=disabled Received: from mx1-us-east.apache.org ([10.40.0.8]) by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024) with ESMTP id T9yEQ36Tw0qk for ; Mon, 5 Oct 2015 04:15:26 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-us-east.apache.org (ASF Mail Server at mx1-us-east.apache.org) with ESMTP id 004BD42B32 for ; Mon, 5 Oct 2015 04:15:26 +0000 (UTC) Received: from svn01-us-west.apache.org (svn.apache.org [10.41.0.6]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 
85936E045B for ; Mon, 5 Oct 2015 04:15:25 +0000 (UTC) Received: from svn01-us-west.apache.org (localhost [127.0.0.1]) by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id 4E77C3A022F for ; Mon, 5 Oct 2015 04:15:25 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1706745 - in /tomcat/trunk/java/org/apache/catalina/realm: JDBCRealm.java MemoryRealm.java RealmBase.java Date: Mon, 05 Oct 2015 04:15:24 -0000 To: dev@tomcat.apache.org From: schultz@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20151005041525.4E77C3A022F@svn01-us-west.apache.org> Author: schultz Date: Mon Oct 5 04:15:24 2015 New Revision: 1706745 URL: http://svn.apache.org/viewvc?rev=1706745&view=rev Log: Perform null-checking on input and stored credentials before passing them off to CredentialHandlers for matching. Modified: tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java Modified: tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java?rev=1706745&r1=1706744&r2=1706745&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java (original) +++ tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java Mon Oct 5 04:15:24 2015 
@@ -386,6 +386,13 @@ public class JDBCRealm // Look up the user's credentials String dbCredentials = getPassword(username); + if (credentials == null || dbCredentials == null) { + if (containerLog.isTraceEnabled()) + containerLog.trace(sm.getString("jdbcRealm.authenticateFailure", + username)); + return null; + } + // Validate the user's credentials boolean validated = getCredentialHandler().matches(credentials, dbCredentials); Modified: tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java?rev=1706745&r1=1706744&r2=1706745&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java (original) +++ tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java Mon Oct 5 04:15:24 2015 @@ -119,6 +119,11 @@ public class MemoryRealm extends RealmB if (principal == null) { validated = false; } else { + if (credentials == null || principal.getPassword() == null) { + if (log.isDebugEnabled()) + log.debug(sm.getString("memoryRealm.authenticateFailure", username)); + return (null); + } validated = getCredentialHandler().matches(credentials, principal.getPassword()); } Modified: tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java?rev=1706745&r1=1706744&r2=1706745&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java (original) +++ tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java Mon Oct 5 04:15:24 2015 
@@ -305,6 +305,14 @@ public abstract class RealmBase extends String serverCredentials = getPassword(username); + if (credentials == null || serverCredentials == null) { + if (containerLog.isTraceEnabled()) { + containerLog.trace(sm.getString("realmBase.authenticateFailure", + username)); + } + return null; + } + boolean validated = getCredentialHandler().matches(credentials, serverCredentials); if (!validated) { if (containerLog.isTraceEnabled()) { --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org
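Review bot: In the JDBCRealm hunk, the `credentials == null` half of the new guard is evaluated only after `String dbCredentials = getPassword(username);` has already gone to the database; a null client credential can never authenticate, so testing it before the lookup would spare the backend a query for every credential-less request and keep the `dbCredentials == null` test where it is. Minor style point in the same hunk: `if (containerLog.isTraceEnabled())` is written without braces, while the RealmBase hunk of this same commit uses the braced form for the identical statement.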
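Review bot: The MemoryRealm hunk logs the null-credential failure at debug level (`log.isDebugEnabled()` / `log.debug(...)`) whereas the JDBCRealm and RealmBase hunks log the same condition at trace level, so one event surfaces at different verbosity depending on which realm is configured; aligning on the trace level used by the other two hunks makes failed-login correlation consistent across realms. Two smaller points: `return (null);` uses a parenthesised return that neither of the other hunks uses (`return null;` matches them), and the new branch returns immediately while the sibling `principal == null` branch sets `validated = false` and falls through, so whatever follows in the method for the `validated == false` case is skipped here; worth confirming that nothing after this block is relied upon.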
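Review bot: The RealmBase hunk is the third copy of the same null guard in this commit, each with its own message key (`realmBase.authenticateFailure`, `jdbcRealm.authenticateFailure`, `memoryRealm.authenticateFailure`) and, in MemoryRealm's case, a different log level; since MemoryRealm (per its hunk header) and JDBCRealm extend RealmBase, a protected helper on RealmBase that takes the client and stored credentials, logs once, and returns whether matching may proceed would let the subclasses share one implementation instead of three that can drift apart. As in JDBCRealm, the `credentials == null` test here also sits after `getPassword(username)`, so any subclass whose `getPassword` queries a backend still pays for the lookup before the cheap check.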