Date: 23 Aug 2002 12:38:44 -0000
Message-ID: <20020823123844.22105.qmail@nagoya.betaversion.org>
From: bugzilla@apache.org
To: tomcat-dev@jakarta.apache.org (Tomcat Developers List)
Subject: DO NOT REPLY [Bug 11966] - JDBCRealm.authenticate() does not validate password field

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11966

JDBCRealm.authenticate() does not validate password field

andrewconrad@iname.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |andrewconrad@iname.com
             Status|NEW                         |ASSIGNED

------- Additional Comments From andrewconrad@iname.com 2002-08-23 12:38 -------

The problem is in JDBCRealm.java. The problem is that the Password String is trimmed before testing for null. The patch is as follows:

--- C:/modules/apache.org/jakarta-tomcat- 4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java 9 Jun 2002 02:19:43 -0000 1.21 +++ C:/modules/apache.org/jakarta-tomcat- 4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java 23 Aug 2002 12:35:19 -0000 @@ -444,12 +444,13 @@ PreparedStatement stmt = credentials(dbConnection, username); ResultSet rs = stmt.executeQuery(); while (rs.next()) { - dbCredentials = rs.getString(1).trim(); + dbCredentials = rs.getString(1); } rs.close(); if (dbCredentials == null) { return (null); } + dbCredentials.trim(); //cannot trim until we test for null // Validate the user's credentials boolean validated = false;
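Review bot: the added line `+ dbCredentials.trim(); //cannot trim until we test for null` discards its return value and therefore has no effect, because java.lang.String is immutable and trim() returns a new String instead of modifying the receiver. The hunk does remove the NullPointerException that the old `- dbCredentials = rs.getString(1).trim();` raised when the password column is NULL (the value now reaches the `if (dbCredentials == null)` check intact), but it silently drops the whitespace trimming the old line performed, so any stored credential with leading or trailing whitespace would no longer compare equal and those users would fail to authenticate. Suggest `dbCredentials = dbCredentials.trim();` after the null check, or do the null-safe trim inside the `while (rs.next())` loop so each row is handled the same way, e.g. `String raw = rs.getString(1); dbCredentials = (raw == null) ? null : raw.trim();`.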