From 5c29c7b936a4187a4f9631bc45ba0730454f9d80 Mon Sep 17 00:00:00 2001
From: markt
Date: Mon, 27 Jun 2011 09:27:06 +0000
Subject: [PATCH] Fix CVE-2011-2204. Prevent user passwords appearing in log files if a runtime exception (e.g. OOME) occurs while creating a new user for a MemoryUserDatabase via JMX.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1140070 13f79535-47bb-0310-9956-ffa450edef68
---
 .../catalina/mbeans/MemoryUserDatabaseMBean.java | 18 ++++----
 java/org/apache/catalina/users/MemoryUser.java | 50 +++++++++++++++++++++-
 .../apache/catalina/users/MemoryUserDatabase.java | 2 +-
 webapps/docs/changelog.xml | 5 +++
 4 files changed, 63 insertions(+), 12 deletions(-)

diff --git a/java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java b/java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java
index 33bc94fe3..4dfe7e6e0 100644
--- a/java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java
+++ b/java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java
@@ -173,7 +173,7 @@ public class MemoryUserDatabaseMBean extends BaseModelMBean {
 MBeanUtils.createMBean(group);
 } catch (Exception e) {
 IllegalArgumentException iae = new IllegalArgumentException
- ("Exception creating group " + group + " MBean");
+ ("Exception creating group [" + groupname + "] MBean");
 iae.initCause(e);
 throw iae;
 }
@@ -196,7 +196,7 @@ public class MemoryUserDatabaseMBean extends BaseModelMBean {
 MBeanUtils.createMBean(role);
 } catch (Exception e) {
 IllegalArgumentException iae = new IllegalArgumentException
- ("Exception creating role " + role + " MBean");
+ ("Exception creating role [" + rolename + "] MBean");
 iae.initCause(e);
 throw iae;
 }
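Review bot: The rewritten message in the -173 hunk (and the eight sibling hunks at -196, -221, -249, -276, -303, -328, -353 and -378) interpolates only the caller-supplied identifier, which is the right scope for text that ends up in log files and JMX replies; the remaining path into the log is the `e` attached via `iae.initCause(e)`, whose own message and stack trace are recorded unchanged, so this change only holds together with the `MemoryUser.toString()` change elsewhere in this commit, and any other `User`, `Group` or `Role` implementation that still serializes a credential in `toString()` would reopen it. The enclosing methods start outside these hunks, so I am inferring that `groupname`, `rolename` and `username` are their parameters. A style point on the same lines: the construct-initCause-throw sequence can be collapsed to `throw new IllegalArgumentException("Exception creating group [" + groupname + "] MBean", e);`, which makes the cause part of the construction rather than a later side effect and applies to all nine hunks.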
@@ -221,7 +221,7 @@ public class MemoryUserDatabaseMBean extends BaseModelMBean {
 MBeanUtils.createMBean(user);
 } catch (Exception e) {
 IllegalArgumentException iae = new IllegalArgumentException
- ("Exception creating user " + user + " MBean");
+ ("Exception creating user [" + username + "] MBean");
 iae.initCause(e);
 throw iae;
 }
@@ -249,7 +249,7 @@ public class MemoryUserDatabaseMBean extends BaseModelMBean {
 return (oname.toString());
 } catch (MalformedObjectNameException e) {
 IllegalArgumentException iae = new IllegalArgumentException
- ("Cannot create object name for group " + group);
+ ("Cannot create object name for group [" + groupname + "]");
 iae.initCause(e);
 throw iae;
 }
@@ -276,7 +276,7 @@ public class MemoryUserDatabaseMBean extends BaseModelMBean {
 return (oname.toString());
 } catch (MalformedObjectNameException e) {
 IllegalArgumentException iae = new IllegalArgumentException
- ("Cannot create object name for role " + role);
+ ("Cannot create object name for role [" + rolename + "]");
 iae.initCause(e);
 throw iae;
 }
@@ -303,7 +303,7 @@ public class MemoryUserDatabaseMBean extends BaseModelMBean {
 return (oname.toString());
 } catch (MalformedObjectNameException e) {
 IllegalArgumentException iae = new IllegalArgumentException
- ("Cannot create object name for user " + user);
+ ("Cannot create object name for user [" + username + "]");
 iae.initCause(e);
 throw iae;
 }
@@ -328,7 +328,7 @@ public class MemoryUserDatabaseMBean extends BaseModelMBean {
 database.removeGroup(group);
 } catch (Exception e) {
 IllegalArgumentException iae = new IllegalArgumentException
- ("Exception destroying group " + group + " MBean");
+ ("Exception destroying group [" + groupname + "] MBean");
 iae.initCause(e);
 throw iae;
 }
@@ -353,7 +353,7 @@ public class MemoryUserDatabaseMBean extends BaseModelMBean {
 database.removeRole(role);
 } catch (Exception e) {
 IllegalArgumentException iae = new IllegalArgumentException
- ("Exception destroying role " + role + " MBean");
+ ("Exception destroying role [" + rolename + "] MBean");
 iae.initCause(e);
 throw iae;
 }
@@ -378,7 +378,7 @@ public class MemoryUserDatabaseMBean extends BaseModelMBean {
 database.removeUser(user);
 } catch (Exception e) {
 IllegalArgumentException iae = new IllegalArgumentException
- ("Exception destroying user " + user + " MBean");
+ ("Exception destroying user [" + username + "] MBean");
 iae.initCause(e);
 throw iae;
 }
diff --git a/java/org/apache/catalina/users/MemoryUser.java b/java/org/apache/catalina/users/MemoryUser.java
index 9eb5927d1..ba3a9ee31 100644
--- a/java/org/apache/catalina/users/MemoryUser.java
+++ b/java/org/apache/catalina/users/MemoryUser.java
@@ -257,8 +257,7 @@ public class MemoryUser extends AbstractUser {
 * username or name for the username
 * property.

 */
- @Override
- public String toString() {
+ public String toXml() {
 StringBuilder sb = new StringBuilder("Return a String representation of this user.

+ */
+ @Override
+ public String toString() {
+
+ StringBuilder sb = new StringBuilder("User username=\"");
+ sb.append(RequestUtil.filter(username));
+ sb.append("\"");
+ if (fullName != null) {
+ sb.append(", fullName=\"");
+ sb.append(RequestUtil.filter(fullName));
+ sb.append("\"");
+ }
+ synchronized (groups) {
+ if (groups.size() > 0) {
+ sb.append(", groups=\"");
+ int n = 0;
+ Iterator values = groups.iterator();
+ while (values.hasNext()) {
+ if (n > 0) {
+ sb.append(',');
+ }
+ n++;
+ sb.append(RequestUtil.filter(values.next().getGroupname()));
+ }
+ sb.append("\"");
+ }
+ }
+ synchronized (roles) {
+ if (roles.size() > 0) {
+ sb.append(", roles=\"");
+ int n = 0;
+ Iterator values = roles.iterator();
+ while (values.hasNext()) {
+ if (n > 0) {
+ sb.append(',');
+ }
+ n++;
+ sb.append(RequestUtil.filter(values.next().getRolename()));
+ }
+ sb.append("\"");
+ }
+ }
+ return (sb.toString());
+ }
+ }
diff --git a/java/org/apache/catalina/users/MemoryUserDatabase.java b/java/org/apache/catalina/users/MemoryUserDatabase.java
index a81bd598a..fc72b72b6 100644
--- a/java/org/apache/catalina/users/MemoryUserDatabase.java
+++ b/java/org/apache/catalina/users/MemoryUserDatabase.java
@@ -585,7 +585,7 @@ public class MemoryUserDatabase implements UserDatabase {
 values = getUsers();
 while (values.hasNext()) {
 writer.print(" ");
- writer.println(values.next());
+ writer.println(((MemoryUser) values.next()).toXml());
 }
 // Print the file epilog
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 996179d7a..45a716eb6 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -148,6 +148,11 @@
 DefaultServlet was broken due to a MIME type change for JavaScript. (funkman)
+
+ Fix CVE-2011-2204. Prevent user passwords appearing in log files if a
+ runtime exception (e.g. OOME) occurs while creating a new user for a
+ MemoryUserDatabase via JMX. (markt)
+
--
2.11.0
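Review bot: The unchecked cast in `writer.println(((MemoryUser) values.next()).toXml());` ties the save path to one concrete `User` type, so any other `User` implementation reaching this iterator would abort the write with a `ClassCastException` part-way through the file, leaving a truncated user database on disk. The enclosing method starts and ends outside the hunk and the element type of `getUsers()` is not visible here, so whether a foreign implementation can get in is inferred; if `createUser` is the only entry point, a comment stating that invariant next to the cast is enough, e.g. `// every entry is a MemoryUser created by createUser(), so the cast cannot fail`. Otherwise an `instanceof` check that rejects or skips non-`MemoryUser` entries before anything is written would keep the persisted file consistent. Splitting the XML form, which by design carries the credential, from `toString()` is the right shape; a Javadoc line on `toXml()` saying that its output must never be logged would make the distinction survive the next refactor.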