Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP4:Update
tomcat.4279
tomcat-8.0.36-CVE-2016-0762.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File tomcat-8.0.36-CVE-2016-0762.patch of Package tomcat.4279
Index: java/org/apache/catalina/realm/JDBCRealm.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- java/org/apache/catalina/realm/JDBCRealm.java (date 1465480394000) +++ java/org/apache/catalina/realm/JDBCRealm.java (revision ) @@ -381,6 +381,9 @@ String dbCredentials = getPassword(username); if (dbCredentials == null) { + // User was not found in the database. + // Waste a bit of time as not to reveal that the user does not exist. + getCredentialHandler().mutate(credentials); if (containerLog.isTraceEnabled()) containerLog.trace(sm.getString("jdbcRealm.authenticateFailure", username)); Index: java/org/apache/catalina/realm/MemoryRealm.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- java/org/apache/catalina/realm/MemoryRealm.java (date 1465480394000) +++ java/org/apache/catalina/realm/MemoryRealm.java (revision ) @@ -121,6 +121,10 @@ validated = false; } else { if (credentials == null || principal.getPassword() == null) { + // User was not found in the database or the password was null + // Waste a bit of time as not to reveal that the user does not exist. + getCredentialHandler().mutate(credentials); + if (log.isDebugEnabled()) log.debug(sm.getString("memoryRealm.authenticateFailure", username)); return (null); Index: java/org/apache/catalina/realm/DataSourceRealm.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- java/org/apache/catalina/realm/DataSourceRealm.java (date 1465480394000) +++ java/org/apache/catalina/realm/DataSourceRealm.java (revision ) @@ -289,10 +289,22 @@ protected Principal authenticate(Connection dbConnection, String username, String credentials) { + // No user or no credentials + // Can't possibly authenticate, don't bother the database then + if (username == null || credentials == null) { + if (containerLog.isTraceEnabled()) + containerLog.trace(sm.getString("dataSourceRealm.authenticateFailure", + username)); + return null; + } String dbCredentials = getPassword(dbConnection, username); - if (credentials == null || dbCredentials == null) { + if (dbCredentials == null) { + // User was not found in the database. + // Waste a bit of time as not to reveal that the user does not exist. + getCredentialHandler().mutate(credentials); + if (containerLog.isTraceEnabled()) containerLog.trace( sm.getString("dataSourceRealm.authenticateFailure", Index: java/org/apache/catalina/realm/RealmBase.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- java/org/apache/catalina/realm/RealmBase.java (date 1465480394000) +++ java/org/apache/catalina/realm/RealmBase.java (revision ) @@ -450,6 +450,18 @@ String serverCredentials = getPassword(username); + if (serverCredentials == null) { + // User was not found + // Waste a bit of time as not to reveal that the user does not exist. + getCredentialHandler().mutate(credentials); + + if (containerLog.isTraceEnabled()) { + containerLog.trace(sm.getString("realmBase.authenticateFailure", + username)); + } + return null; + } + boolean validated = getCredentialHandler().matches(credentials, serverCredentials); if (!validated) { if (containerLog.isTraceEnabled()) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
