Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=18797

Provide null/zero-length protection

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1058689 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/java/org/apache/catalina/users/LocalStrings.properties b/java/org/apache/catalina/users/LocalStrings.properties
index d13ba39..885b07f 100644 (file)
--- a/java/org/apache/catalina/users/LocalStrings.properties
+++ b/java/org/apache/catalina/users/LocalStrings.properties
@@ -14,9 +14,12 @@
 # limitations under the License.
 
 memoryUserDatabase.invalidGroup=Invalid group name {0}
+memoryUserDatabase.notPersistable=User database is not persistable - no write permissions on directory
+memoryUserDatabase.nullGroup=Null or zero length group name specified. The group will be ignored.
+memoryUserDatabase.nullRole=Null or zero length role name specified. The role will be ignored.
+memoryUserDatabase.nullUser=Null or zero length user name specified. The user will be ignored.
+memoryUserDatabase.readOnly=User database has been configured to be read only. Changes cannot be saved
 memoryUserDatabase.renameOld=Cannot rename original file to {0}
 memoryUserDatabase.renameNew=Cannot rename new file to {0}
 memoryUserDatabase.writeException=IOException writing to {0}
-memoryUserDatabase.notPersistable=User database is not persistable - no write permissions on directory
-memoryUserDatabase.readOnly=User database has been configured to be read only. Changes cannot be saved
 memoryUserDatabase.xmlFeatureEncoding=Exception configuring digester to permit java encoding names in XML files. Only IANA encoding names will be supported.

diff --git a/java/org/apache/catalina/users/MemoryUserDatabase.java b/java/org/apache/catalina/users/MemoryUserDatabase.java
index d729714..e018681 100644 (file)
--- a/java/org/apache/catalina/users/MemoryUserDatabase.java
+++ b/java/org/apache/catalina/users/MemoryUserDatabase.java
@@ -272,6 +272,12 @@ public class MemoryUserDatabase implements UserDatabase {
      */
     public Group createGroup(String groupname, String description) {
 
+        if (groupname == null || groupname.length() == 0) {
+            String msg = sm.getString("memoryUserDatabase.nullGroup");
+            log.warn(msg);
+            throw new IllegalArgumentException(msg);
+        }
+
         MemoryGroup group = new MemoryGroup(this, groupname, description);
         synchronized (groups) {
             groups.put(group.getGroupname(), group);
@@ -289,6 +295,12 @@ public class MemoryUserDatabase implements UserDatabase {
      */
     public Role createRole(String rolename, String description) {
 
+        if (rolename == null || rolename.length() == 0) {
+            String msg = sm.getString("memoryUserDatabase.nullRole");
+            log.warn(msg);
+            throw new IllegalArgumentException(msg);
+        }
+
         MemoryRole role = new MemoryRole(this, rolename, description);
         synchronized (roles) {
             roles.put(role.getRolename(), role);
@@ -308,12 +320,17 @@ public class MemoryUserDatabase implements UserDatabase {
     public User createUser(String username, String password,
                            String fullName) {
 
+        if (username == null || username.length() == 0) {
+            String msg = sm.getString("memoryUserDatabase.nullUser");
+            log.warn(msg);
+            throw new IllegalArgumentException(msg);
+        }
+
         MemoryUser user = new MemoryUser(this, username, password, fullName);
         synchronized (users) {
             users.put(user.getUsername(), user);
         }
         return (user);
-
     }
 
 
@@ -399,13 +416,13 @@ public class MemoryUserDatabase implements UserDatabase {
                 }
                 digester.addFactoryCreate
                     ("tomcat-users/group",
-                     new MemoryGroupCreationFactory(this));
+                     new MemoryGroupCreationFactory(this), true);
                 digester.addFactoryCreate
                     ("tomcat-users/role",
-                     new MemoryRoleCreationFactory(this));
+                     new MemoryRoleCreationFactory(this), true);
                 digester.addFactoryCreate
                     ("tomcat-users/user",
-                     new MemoryUserCreationFactory(this));
+                     new MemoryUserCreationFactory(this), true);
 
                 // Parse the XML input file to load this database
                 try {

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 7d2e3cb..3cdbb28 100644 (file)
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -49,6 +49,11 @@
         <code>stderr</code> internally so users retain the option to treat the
         separately. (markt)
       </fix>
+      <add>
+        <bug>18797</bug>: Provide protection against <code>null</code> or zero
+        length names being provided for users, roles and groups in the
+        <code>MemoryRealm</code> and <code>UserDatabaseRealm</code>. (markt)
+      </add>
       <update>
         Improve fix for <bug>50205</bug> to trigger an error earlier if invalid
         configuration is used. (markt)