From 85b8ea994ff7d11191bbd262bf8a5c5c50449f12 Mon Sep 17 00:00:00 2001 From: markt Date: Mon, 9 Nov 2009 13:04:52 +0000 Subject: [PATCH] Fix CVE-2009-3548. When installing using defaults, don't create an administrative user with a blank password Note: This is already public - it was discussed on the users list. The formal announcement will go out shortly. The patch also includes making the Manager and Host-Manager applications separately selectable with the addition of an administrative user only enabled if one of the manager apps is selected git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@834047 13f79535-47bb-0310-9956-ffa450edef68 --- res/tomcat.nsi | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 60 insertions(+), 7 deletions(-) diff --git a/res/tomcat.nsi b/res/tomcat.nsi index da90b8d2c..25ebd9850 100644 --- a/res/tomcat.nsi +++ b/res/tomcat.nsi @@ -98,7 +98,9 @@ ${StrRep} LangString DESC_SecTomcatNative ${LANG_ENGLISH} "Install APR based Tomcat native .dll for better performance and scalability in production environments." LangString DESC_SecMenu ${LANG_ENGLISH} "Create a Start Menu program group for Tomcat." LangString DESC_SecDocs ${LANG_ENGLISH} "Install the Tomcat documentation bundle. This include documentation on the servlet container and its configuration options, on the Jasper JSP page compiler, as well as on the native webserver connectors." - LangString DESC_SecExamples ${LANG_ENGLISH} "Installs some examples web applications." + LangString DESC_SecManager ${LANG_ENGLISH} "Install the Tomcat Manager administrative web application." + LangString DESC_SecHostManager ${LANG_ENGLISH} "Install the Tomcat Host Manager administrative web application." + LangString DESC_SecExamples ${LANG_ENGLISH} "Install the Servlet and JSP example web applications." ;Language !insertmacro MUI_LANGUAGE English 
@@ -149,10 +151,6 @@ Section "Core" SecTomcatCore File conf\*.* SetOutPath $INSTDIR\webapps\ROOT File /r webapps\ROOT\*.* - SetOutPath $INSTDIR\webapps\host-manager - File /r webapps\host-manager\*.* - SetOutPath $INSTDIR\webapps\manager - File /r webapps\manager\*.* Call configure Call findJavaPath @@ -292,6 +290,26 @@ Section "Documentation" SecDocs SectionEnd +Section "Manager" SecManager + + SectionIn 1 3 + + SetOverwrite on + SetOutPath $INSTDIR\webapps\manager + File /r webapps\manager\*.* + +SectionEnd + +Section "Host Manager" SecHostManager + + SectionIn 3 + + SetOverwrite on + SetOutPath $INSTDIR\webapps\host-manager + File /r webapps\host-manager\*.* + +SectionEnd + Section "Examples" SecExamples SectionIn 3 
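Review bot: The `SectionIn 1 3` under `Section "Manager" SecManager` and `SectionIn 3` under `Section "Host Manager" SecHostManager` are bare install-type indices whose meaning (the `InstType` declarations) lives outside this hunk, and since the Manager app is the one this patch gates behind the admin-user fields, the choice of types deserves a line of explanation. A comment above each `SectionIn`, e.g. `; Manager ships with install types 1 and 3; Host Manager only with type 3 (see the InstType declarations)`, would record the intent. If type 1 is the default install type, a default install still ships the Manager app, which is why the credentials gate in `SetConfiguration` and the blank-password check in `configure` matter; that cannot be confirmed from this hunk.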
@@ -339,7 +357,38 @@ FunctionEnd Function SetConfiguration !insertmacro MUI_HEADER_TEXT "$(TEXT_CONF_TITLE)" "$(TEXT_CONF_SUBTITLE)" + + SectionGetFlags ${SecManager} $0 + IntOp $0 $0 & ${SF_SELECTED} + IntCmp $0 0 0 Enable Enable + SectionGetFlags ${SecHostManager} $0 + IntOp $0 $0 & ${SF_SELECTED} + IntCmp $0 0 Disable 0 0 + +Enable: + ; Enable the user and password controls if the manager or host-manager app is + ; being installed + !insertmacro MUI_INSTALLOPTIONS_READ $0 "config.ini" "Field 5" "HWND" + !insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 5" "Flags" "" + EnableWindow $0 1 + !insertmacro MUI_INSTALLOPTIONS_READ $0 "config.ini" "Field 7" "HWND" + !insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 7" "Flags" "" + EnableWindow $0 1 + Goto Display + +Disable: + ; Disable the user and password controls if neither the manager nor + ; host-manager app is being installed + !insertmacro MUI_INSTALLOPTIONS_READ $0 "config.ini" "Field 5" "HWND" + !insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 5" "Flags" "DISABLED" + EnableWindow $0 0 + !insertmacro MUI_INSTALLOPTIONS_READ $0 "config.ini" "Field 7" "HWND" + !insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 7" "Flags" "DISABLED" + EnableWindow $0 0 + +Display: !insertmacro MUI_INSTALLOPTIONS_DISPLAY "config.ini" + FunctionEnd Function Void @@ -355,6 +404,8 @@ FunctionEnd !insertmacro MUI_DESCRIPTION_TEXT ${SecTomcatNative} $(DESC_SecTomcatNative) !insertmacro MUI_DESCRIPTION_TEXT ${SecMenu} $(DESC_SecMenu) !insertmacro MUI_DESCRIPTION_TEXT ${SecDocs} $(DESC_SecDocs) + !insertmacro MUI_DESCRIPTION_TEXT ${SecManager} $(DESC_SecManager) + !insertmacro MUI_DESCRIPTION_TEXT ${SecHostManager} $(DESC_SecHostManager) !insertmacro MUI_DESCRIPTION_TEXT ${SecExamples} $(DESC_SecExamples) !insertmacro MUI_FUNCTION_DESCRIPTION_END 
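Review bot: The `Disable:` path greys out Field 5 and Field 7 but never touches their `State`, so a user name and password typed on an earlier pass (Back, deselect both manager apps, Next) survive in `config.ini`; if `configure`, outside this hunk, reads those fields unconditionally, an admin user would still be written to tomcat-users.xml although neither manager app is installed. Clearing the password on that path, `!insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 7" "State" ""`, would let the blank-password guard this same patch adds to `configure` suppress the entry. The `IntCmp $0 0 0 Enable Enable` / `IntCmp $0 0 Disable 0 0` pair is correct but reads as a puzzle; a comment such as `; enable the credentials fields if either manager section is selected` above the first `SectionGetFlags` would help, and the two four-line enable/disable sequences are duplicated verbatim and could be a single macro taking the flag value. `SetConfiguration` lies entirely within the hunk; `Function Void` after it begins outside.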
@@ -556,11 +607,13 @@ Function configure Call xmlEscape Pop $R2 + StrCmp $R1 "" +4 0 ; Blank user - do not add anything to tomcat-users.xml + StrCmp $R2 "" +3 0 ; Blank password - do not add anything to tomcat-users.xml StrCpy $R5 '' - + DetailPrint 'Admin user added: "$R1"' + Silent: DetailPrint 'HTTP/1.1 Connector configured on port "$R0"' - DetailPrint 'Admin user added: "$R1"' SetOutPath $TEMP File /r confinstall -- 2.11.0
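Review bot: The `+4` and `+3` on the two new `StrCmp` lines are relative jumps counted in instructions (the `Silent:` label and the comments do not count), so on a blank user or password both land on `DetailPrint 'HTTP/1.1 Connector configured on port "$R0"'`, skipping the `StrCpy $R5` line and the admin `DetailPrint`; since the new `Silent:` label already marks that target, `StrCmp $R1 "" Silent 0` and `StrCmp $R2 "" Silent 0` give the same control flow and will not silently retarget when a line is inserted between them later. As rendered here the guarded line reads `StrCpy $R5 ''`, which would clear `$R5` only when both fields are non-blank — presumably it is the `<user name="$R1" password="$R2" roles="…" />` literal with the element lost in HTML rendering, but that should be confirmed against the source, since `$R5` is what the guard is meant to keep out of tomcat-users.xml. The `Silent:` label implies an `IfSilent` jump from earlier in `configure` (outside this hunk) that enters after the checks, so that path must leave `$R5` empty or a silent install with the default user and empty password could still write an admin user. `StrCmp $R2 ""` catches only the literal empty string, so a whitespace-only password still passes. `configure` begins and ends outside this hunk.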