SUSE:SLE-12-SP5:Update
tomcat.26946
tomcat-8.0.53-CVE-2019-17563.patch
File tomcat-8.0.53-CVE-2019-17563.patch of Package tomcat.26946
Index: java/org/apache/catalina/authenticator/AuthenticatorBase.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- java/org/apache/catalina/authenticator/AuthenticatorBase.java (date 1583250885000) +++ java/org/apache/catalina/authenticator/AuthenticatorBase.java (date 1590581825000) @@ -837,10 +837,11 @@ } // Cache the authentication information in our session, if any - if (cache) { - if (session != null) { + if (session != null) { + if (cache) { session.setAuthType(authType); session.setPrincipal(principal); + } else { if (username != null) { session.setNote(Constants.SESS_USERNAME_NOTE, username); } else { Index: java/org/apache/catalina/authenticator/Constants.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- java/org/apache/catalina/authenticator/Constants.java (date 1583250885000) +++ java/org/apache/catalina/authenticator/Constants.java (date 1590581871000) @@ -94,7 +94,10 @@ /** * The previously authenticated principal (if caching is disabled). + * + * @deprecated Unused. Will be removed in Tomcat 10. */ + @Deprecated public static final String FORM_PRINCIPAL_NOTE = "org.apache.catalina.authenticator.PRINCIPAL"; Index: java/org/apache/catalina/authenticator/FormAuthenticator.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- java/org/apache/catalina/authenticator/FormAuthenticator.java (date 1583250885000) +++ java/org/apache/catalina/authenticator/FormAuthenticator.java (date 1590582140000) 
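Review bot: In the first AuthenticatorBase.java hunk, the retained comment `// Cache the authentication information in our session, if any` no longer matches the code beneath it. The added `} else {` branch runs exactly when `cache` is false and still writes `SESS_USERNAME_NOTE` into the session. I would add a comment on that branch, such as `// Caching disabled: keep only the notes needed to re-authenticate later requests`, assuming that is what the notes are for (the FormAuthenticator lines removed by this patch read them back from the session). The context line `if (username != null) {` now sits under the `else`, so with caching enabled the username note is no longer written; any other reader of that note in this tree should be checked against the new behaviour. The rest of the `else` block and its closing braces lie outside the hunk.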
@@ -150,11 +150,8 @@ principal = context.getRealm().authenticate(username, password); if (principal != null) { - session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal); + register(request, response, principal, HttpServletRequest.FORM_AUTH, username, password); if (!matchRequest(request)) { - register(request, response, principal, - HttpServletRequest.FORM_AUTH, - username, password); return true; } } @@ -173,17 +170,6 @@ + session.getIdInternal() + "'"); } - principal = (Principal) - session.getNote(Constants.FORM_PRINCIPAL_NOTE); - register(request, response, principal, HttpServletRequest.FORM_AUTH, - (String) session.getNote(Constants.SESS_USERNAME_NOTE), - (String) session.getNote(Constants.SESS_PASSWORD_NOTE)); - // If we're caching principals we no longer need the username - // and password in the session, so remove them - if (cache) { - session.removeNote(Constants.SESS_USERNAME_NOTE); - session.removeNote(Constants.SESS_PASSWORD_NOTE); - } if (restoreRequest(request, session)) { if (log.isDebugEnabled()) { log.debug("Proceed to restored request"); @@ -198,6 +184,12 @@ } } + // This check has to be after the previous check for a matching request + // because that matching request may also include a cached Principal. + if (checkForCachedAuthentication(request, response, true)) { + return true; + } + // Acquire references to objects we will need to evaluate MessageBytes uriMB = MessageBytes.newInstance(); CharChunk uriCC = uriMB.getCharChunk(); @@ -292,12 +284,7 @@ return false; } - // Save the authenticated Principal in our session - session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal); - - // Save the username and password as well - session.setNote(Constants.SESS_USERNAME_NOTE, username); - session.setNote(Constants.SESS_PASSWORD_NOTE, password); + register(request, response, principal, HttpServletRequest.FORM_AUTH, username, password); // Redirect the user to the original request URI (which will cause // the original request to be restored) 
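Review bot: In the hunk at `@@ -198,6 +184,12 @@`, the bare `true` passed to `checkForCachedAuthentication(request, response, true)` does not say what it enables, and the added comment covers only the ordering. Name the flag at the call site, for example `checkForCachedAuthentication(request, response, /* useSSO */ true)`, if that is the parameter's name in this tree's AuthenticatorBase. Because correctness depends on this call staying after the matching-request check, a regression test for a restored request that also carries a cached Principal would pin that ordering more reliably than the comment does.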
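Review bot: In the hunk at `@@ -292,12 +284,7 @@`, the new `register(...)` call replaces two commented blocks but carries no comment of its own, although its position before the redirect looks like the substance of the fix. The removed lines parked the principal in `FORM_PRINCIPAL_NOTE`, and the removed lines in the `@@ -173,17 +170,6 @@` hunk registered it only when the restored request arrived. I would add `// Register the authenticated Principal now, before the redirect, instead of holding it in a session note until the restored request arrives` above the call. That keeps a later refactor from moving the call back below the redirect. The enclosing method starts and ends outside the hunk.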
@@ -476,7 +463,7 @@ } // Is there a saved principal? - if (session.getNote(Constants.FORM_PRINCIPAL_NOTE) == null) { + if (cache && session.getPrincipal() == null || !cache && request.getPrincipal() == null) { return false; } @@ -505,7 +492,6 @@ SavedRequest saved = (SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE); session.removeNote(Constants.FORM_REQUEST_NOTE); - session.removeNote(Constants.FORM_PRINCIPAL_NOTE); if (saved == null) { return false; }
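Review bot: The new condition in the `@@ -476,7 +463,7 @@` hunk mixes `&&` and `||` without grouping, so an authentication decision depends on the reader remembering operator precedence. Writing it as `if ((cache && session.getPrincipal() == null) || (!cache && request.getPrincipal() == null)) {` evaluates the same way and makes the two cases explicit. The `!cache` case also assumes the principal was already set on the request earlier in the same request, apparently by the `register(...)` call this patch moves ahead of `matchRequest(request)`. A short comment saying so would document that dependency. The enclosing method begins and ends outside the hunk.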