From 043e223837174d2e33d3e8f3bbb667ab158b2b5c Mon Sep 17 00:00:00 2001
From: markt
Date: Wed, 21 Apr 2010 22:11:29 +0000
Subject: [PATCH] Fix CVE-2010-1157. Prevent possible disclosure of host name or IP address via the HTTP WWW-Authenticate header when using BASIC or DIGEST authentication.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@936539 13f79535-47bb-0310-9956-ffa450edef68
---
 java/org/apache/catalina/authenticator/AuthenticatorBase.java   | 5 +++++
 java/org/apache/catalina/authenticator/BasicAuthenticator.java  | 4 +---
 java/org/apache/catalina/authenticator/DigestAuthenticator.java | 3 +--
 webapps/docs/realm-howto.xml                                    | 6 +++++-
 4 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index 5caed3f34..e98dd8ef9 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -107,6 +107,11 @@ public abstract class AuthenticatorBase extends ValveBase
     protected static final String AUTH_HEADER_NAME = "WWW-Authenticate";
 
     /**
+     * Default authentication realm name.
+     */
+    protected static final String REALM_NAME = "Authentication required";
+
+    /**
      * The message digest algorithm to be used when generating session
      * identifiers. This must be an algorithm supported by the
      * java.security.MessageDigest class on your platform.
diff --git a/java/org/apache/catalina/authenticator/BasicAuthenticator.java b/java/org/apache/catalina/authenticator/BasicAuthenticator.java
index 2e07d47bc..95a0a29b9 100644
--- a/java/org/apache/catalina/authenticator/BasicAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/BasicAuthenticator.java
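Review bot: The Javadoc on the new `REALM_NAME` constant says only "Default authentication realm name." and does not record why the value is a fixed string, which is the whole point of this fix; a later maintainer could reasonably make the default "more informative" again by deriving it from the request. I would extend the comment to say that this is the realm sent in the WWW-Authenticate challenge when no `<realm-name>` is configured, that it is deliberately constant because a request-derived value discloses the server's host name or port to unauthenticated clients (CVE-2010-1157), and that DIGEST password hashes are computed over `{username}:{realm}:{cleartext-password}`, so changing the constant invalidates digests created against the old default. The last point is what the realm-howto.xml change in this same commit documents for administrators, and it belongs next to the constant as well.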
@@ -165,9 +165,7 @@ public class BasicAuthenticator
         StringBuilder value = new StringBuilder(16);
         value.append("Basic realm=\"");
         if (config.getRealmName() == null) {
-            value.append(request.getServerName());
-            value.append(':');
-            value.append(Integer.toString(request.getServerPort()));
+            value.append(REALM_NAME);
         } else {
             value.append(config.getRealmName());
         }
diff --git a/java/org/apache/catalina/authenticator/DigestAuthenticator.java b/java/org/apache/catalina/authenticator/DigestAuthenticator.java
index c246bb195..399eef0ed 100644
--- a/java/org/apache/catalina/authenticator/DigestAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/DigestAuthenticator.java
@@ -408,8 +408,7 @@ public class DigestAuthenticator
         // Get the realm name
         String realmName = config.getRealmName();
         if (realmName == null)
-            realmName = request.getServerName() + ":"
-                + request.getServerPort();
+            realmName = REALM_NAME;
 
         byte[] buffer = null;
         synchronized (md5Helper) {
diff --git a/webapps/docs/realm-howto.xml b/webapps/docs/realm-howto.xml
index 5d2d31bf1..bb4170349 100644
--- a/webapps/docs/realm-howto.xml
+++ b/webapps/docs/realm-howto.xml
@@ -209,7 +209,11 @@ java org.apache.catalina.realm.RealmBase \
 {cleartext-password} must be replaced with {username}:{realm}:{cleartext-password}. For example, in a development environment this might take the form
- testUser:localhost:8080:testPassword.
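Review bot: In the BasicAuthenticator hunk `config.getRealmName()` is evaluated twice, once for the null test and again in the `else` branch to append it; capturing it in a local, as DigestAuthenticator already does in the next file of this commit, reads more clearly and keeps the two authenticators parallel. I would replace the `if`/`else` with `String realmName = config.getRealmName();` followed by `value.append(realmName == null ? REALM_NAME : realmName);`. The method that builds the Basic challenge starts and ends outside this hunk.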
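Review bot: The new assignment in the DigestAuthenticator hunk sits under an unbraced `if (realmName == null)`, while the BasicAuthenticator code in this same commit braces its single-statement branches; an unbraced `if` is an easy place for a later edit to add a second statement that silently runs unconditionally. I would write `if (realmName == null) {` / `    realmName = REALM_NAME;` / `}`. The method that builds the Digest challenge starts and ends outside this hunk; it presumably reuses `realmName` both in the challenge header and in the digest calculation, which is why the realm-howto.xml update about stored `{username}:{realm}:{cleartext-password}` digests is needed alongside this change.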

+ testUser:Authentication required:testPassword. The value for
+ {realm} is taken from the <realm-name>
+ element of the web application's <login-config>. If
+ not specified in web.xml, the default value of Authentication
+ required is used.

To use either of the above techniques, the $CATALINA_HOME/lib/catalina.jar and -- 2.11.0