File tomcat-8.0.32-CVE-2016-0762.patch of Package tomcat.openSUSE_Leap_42.1_Update
Index: java/org/apache/catalina/realm/JDBCRealm.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- java/org/apache/catalina/realm/JDBCRealm.java (date 1454441552000) +++ java/org/apache/catalina/realm/JDBCRealm.java (revision ) @@ -389,6 +389,9 @@ String dbCredentials = getPassword(username); if (dbCredentials == null) { + // User was not found in the database. + // Waste a bit of time as not to reveal that the user does not exist. + getCredentialHandler().mutate(credentials); if (containerLog.isTraceEnabled()) containerLog.trace(sm.getString("jdbcRealm.authenticateFailure", username)); Index: java/org/apache/catalina/realm/MemoryRealm.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- java/org/apache/catalina/realm/MemoryRealm.java (date 1454441552000) +++ java/org/apache/catalina/realm/MemoryRealm.java (revision ) @@ -120,6 +120,10 @@ validated = false; } else { if (credentials == null || principal.getPassword() == null) { + // User was not found in the database or the password was null + // Waste a bit of time as not to reveal that the user does not exist. + getCredentialHandler().mutate(credentials); + if (log.isDebugEnabled()) log.debug(sm.getString("memoryRealm.authenticateFailure", username)); return (null); Index: java/org/apache/catalina/realm/DataSourceRealm.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- java/org/apache/catalina/realm/DataSourceRealm.java (date 1454441552000) +++ java/org/apache/catalina/realm/DataSourceRealm.java (revision ) 
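Review bot: The added `getCredentialHandler().mutate(credentials)` in the `dbCredentials == null` branch of JDBCRealm hides the unknown-user case only if it costs about as much as the `matches()` call a known user goes through, and the comment "Waste a bit of time" does not record that requirement. I would reword it to `// Unknown user: do the same hashing work as the known-user path so response time does not reveal whether the account exists (CVE-2016-0762).` Whether the two calls really cost the same depends on the configured CredentialHandler, which no hunk on this page shows, so that should be confirmed separately. The same comment wording is used in the DataSourceRealm and RealmBase hunks. Whether `credentials` can be null here is decided above the hunk, because the enclosing method starts and ends outside it.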
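Review bot: In MemoryRealm the dummy `mutate(credentials)` is added to the `else` branch, which dereferences `principal`, so it runs only when the user was found. The unknown-user path looks like the `validated = false;` branch in the context above, and it gets no equalising work. The condition on that branch is outside the hunk, so this is inferred from `principal.getPassword()` being called in the `else`. The same `if` is also entered when `credentials == null`, so `mutate` can be handed null, and whether the handler tolerates that is not visible here. I would move the call into the first branch and guard it, e.g. `validated = false;` followed by `if (credentials != null) getCredentialHandler().mutate(credentials);`, and correct the comment, which currently says "User was not found" in a branch where the user exists.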
@@ -293,10 +293,23 @@ protected Principal authenticate(Connection dbConnection, String username, String credentials) { + // No user or no credentials + // Can't possibly authenticate, don't bother the database then + if (username == null || credentials == null) { + if (containerLog.isTraceEnabled()) + containerLog.trace(sm.getString("dataSourceRealm.authenticateFailure", + username)); + return null; + } - + + String dbCredentials = getPassword(dbConnection, username); - if (credentials == null || dbCredentials == null) { + if (dbCredentials == null) { + // User was not found in the database. + // Waste a bit of time as not to reveal that the user does not exist. + getCredentialHandler().mutate(credentials); + if (containerLog.isTraceEnabled()) containerLog.trace( sm.getString("dataSourceRealm.authenticateFailure", Index: java/org/apache/catalina/realm/RealmBase.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- java/org/apache/catalina/realm/RealmBase.java (date 1454441552000) +++ java/org/apache/catalina/realm/RealmBase.java (revision ) @@ -449,6 +449,18 @@ String serverCredentials = getPassword(username); + if (serverCredentials == null) { + // User was not found + // Waste a bit of time as not to reveal that the user does not exist. + getCredentialHandler().mutate(credentials); + + if (containerLog.isTraceEnabled()) { + containerLog.trace(sm.getString("realmBase.authenticateFailure", + username)); + } + return null; + } + boolean validated = getCredentialHandler().matches(credentials, serverCredentials); if (!validated) { if (containerLog.isTraceEnabled()) {
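Review bot: The RealmBase hunk calls `getCredentialHandler().mutate(credentials)` when `serverCredentials == null`, but adds no null check on `username` or `credentials`. The DataSourceRealm hunk in the same patch adds such a check before touching the database. If no guard exists above the hunk (the method starts outside it), a request with null credentials for an unknown user passes null to `mutate`, and that call's behaviour on null is not shown here. For consistency I would add the same early return ahead of `getPassword(username)`: `if (username == null || credentials == null) { return null; }`, with the trace message used in the other realms.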