From 727f9c5571c6686637c3b663969c085053d5cbc9 Mon Sep 17 00:00:00 2001 From: markt Date: Wed, 9 Mar 2011 11:16:48 +0000 Subject: [PATCH] CVE-2011-1088 Complete the fix for this issue. The optimisation not to configure an authenticator of there were no security constraints meant that in that case @ServletSecurity annotations had no effect. The unit tests did not pick this up since they added an authenticator directly. Add an explicit unit test for this scenario. git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1079752 13f79535-47bb-0310-9956-ffa450edef68 --- .../org/apache/catalina/startup/ContextConfig.java | 5 +-- .../apache/catalina/core/TestStandardWrapper.java | 18 ++++++++ test/webapp-3.0-servletsecurity/WEB-INF/web.xml | 48 ++++++++++++++++++++++ webapps/docs/changelog.xml | 12 ++++-- 4 files changed, 75 insertions(+), 8 deletions(-) create mode 100644 test/webapp-3.0-servletsecurity/WEB-INF/web.xml diff --git a/java/org/apache/catalina/startup/ContextConfig.java b/java/org/apache/catalina/startup/ContextConfig.java index ee5636065..04c702273 100644 --- a/java/org/apache/catalina/startup/ContextConfig.java +++ b/java/org/apache/catalina/startup/ContextConfig.java @@ -366,10 +366,7 @@ public class ContextConfig */ protected synchronized void authenticatorConfig() { - // Does this Context require an Authenticator? - SecurityConstraint constraints[] = context.findConstraints(); - if ((constraints == null) || (constraints.length == 0)) - return; + // Always need an authenticator to support @ServletSecurity annotations LoginConfig loginConfig = context.getLoginConfig(); if (loginConfig == null) { loginConfig = DUMMY_LOGIN_CONFIG; diff --git a/test/org/apache/catalina/core/TestStandardWrapper.java b/test/org/apache/catalina/core/TestStandardWrapper.java index 89a09da64..1fc79cf25 100644 --- a/test/org/apache/catalina/core/TestStandardWrapper.java +++ b/test/org/apache/catalina/core/TestStandardWrapper.java @@ -125,6 +125,24 @@ public class TestStandardWrapper extends TomcatBaseTest { doTestSecurityAnnotationsAddServlet(true); } + public void testSecurityAnnotationsNoWebXmlConstraints() throws Exception { + // Setup Tomcat instance + Tomcat tomcat = getTomcatInstance(); + + File appDir = new File("test/webapp-3.0-servletsecurity"); + tomcat.addWebapp(null, "", appDir.getAbsolutePath()); + + tomcat.start(); + + ByteChunk bc = new ByteChunk(); + int rc; + rc = getUrl("http://localhost:" + getPort() + "/", + bc, null, null); + + assertNull(bc.toString()); + assertEquals(403, rc); + } + private void doTestSecurityAnnotationsAddServlet(boolean useCreateServlet) throws Exception { diff --git a/test/webapp-3.0-servletsecurity/WEB-INF/web.xml b/test/webapp-3.0-servletsecurity/WEB-INF/web.xml new file mode 100644 index 000000000..34a1c2cbe --- /dev/null +++ b/test/webapp-3.0-servletsecurity/WEB-INF/web.xml @@ -0,0 +1,48 @@ + + + + + + + Tomcat Test Application + + Used as part of the Tomcat unit tests when a full web application is + required. + + + + RoleProtected + org.apache.catalina.core.TestStandardWrapper$RoleAllowServlet + + + + RoleProtected + / + + + \ No newline at end of file diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 774149466..e49667372 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -45,6 +45,10 @@
+ + CVE-2011-1088: Completed fix. Don't ignore @ServletSecurity + annotations. (markt) + 25060: Close Apache Commons DBCP datasources when the associated JNDI naming context is stopped (e.g. for a non-global @@ -88,6 +92,10 @@ + CVE-2011-1088: Partial fix. Don't ignore @ServletSecurity + annotations. (markt) + + 27988: Improve reporting of missing files. (markt) @@ -103,10 +111,6 @@ Improve shut down speed by not renewing threads during shut down when the ThreadLocalLeakPreventionListener is enabled. (markt) - - CVE-2011-1088: Partial fix. Don't ignore @ServletSecurity - annotations. (markt) - -- 2.11.0