File apache-tomcat-CVE-2010-1157.patch of Package tomcat6
Index: tomcat6-6.0.18/apache-tomcat-6.0.18-src/java/org/apache/catalina/authenticator/AuthenticatorBase.java
===================================================================
--- tomcat6-6.0.18/apache-tomcat-6.0.18-src/java/org/apache/catalina/authenticator/AuthenticatorBase.java (revision 936539)
+++ tomcat6-6.0.18/apache-tomcat-6.0.18-src/java/org/apache/catalina/authenticator/AuthenticatorBase.java (revision 936540)
@@ -99,6 +99,11 @@
/**
+ * Default authentication realm name.
+ */
+ protected static final String REALM_NAME = "Authentication required";
+
+ /**
* The message digest algorithm to be used when generating session
* identifiers. This must be an algorithm supported by the
* <code>java.security.MessageDigest</code> class on your platform.
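Review bot: The Javadoc on the new `REALM_NAME` constant should state what depends on it, because the value is not merely a display string: both BasicAuthenticator and DigestAuthenticator fall back to it when `<realm-name>` is absent, and for Digest the realm is hashed into stored credentials (the docs hunk spells the input as `{username}:{realm}:{cleartext-password}`), so any later edit to the constant silently invalidates those digests. Suggest replacing the one-liner with: `Default realm sent in the WWW-Authenticate challenge when <login-config> has no <realm-name>. A fixed value is used instead of server name and port so the challenge does not disclose the local hostname; for DIGEST auth the realm is part of the stored digest, so changing it invalidates existing credentials.` The constant's visibility is `protected`, which is appropriate since subclasses in the same package need it, but it also means the caveat is worth spelling out for anyone who reads it as an overridable default.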
Index: tomcat6-6.0.18/apache-tomcat-6.0.18-src/java/org/apache/catalina/authenticator/DigestAuthenticator.java
===================================================================
--- tomcat6-6.0.18/apache-tomcat-6.0.18-src/java/org/apache/catalina/authenticator/DigestAuthenticator.java (revision 936539)
+++ tomcat6-6.0.18/apache-tomcat-6.0.18-src/java/org/apache/catalina/authenticator/DigestAuthenticator.java (revision 936540)
@@ -406,8 +406,7 @@
// Get the realm name
String realmName = config.getRealmName();
if (realmName == null)
- realmName = request.getServerName() + ":"
- + request.getServerPort();
+ realmName = REALM_NAME;
byte[] buffer = null;
synchronized (md5Helper) {
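Review bot: The new fallback `realmName = REALM_NAME;` changes the realm placed in the Digest challenge, and the realm is one of the inputs to the stored digest (per the realm-howto hunk, `{username}:{realm}:{cleartext-password}`), so a deployment that stored digested passwords under the old `host:port` default will stop authenticating after this upgrade with nothing pointing at the cause. That is an accepted cost of not disclosing the server name and port, but it deserves a comment at the assignment, e.g. `// Fixed default: host:port leaked the local hostname and is also baked into stored digests; deployments relying on the old default must set <realm-name>`, plus a release note to the same effect. Whether the realm echoed back in the client's Authorization header is compared against this value during verification is outside this hunk, so the constant only demonstrably governs the challenge. The enclosing method starts and ends outside the hunk.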
Index: tomcat6-6.0.18/apache-tomcat-6.0.18-src/java/org/apache/catalina/authenticator/BasicAuthenticator.java
===================================================================
--- tomcat6-6.0.18/apache-tomcat-6.0.18-src/java/org/apache/catalina/authenticator/BasicAuthenticator.java (revision 936539)
+++ tomcat6-6.0.18/apache-tomcat-6.0.18-src/java/org/apache/catalina/authenticator/BasicAuthenticator.java (revision 936540)
@@ -194,9 +194,7 @@
CharChunk authenticateCC = authenticate.getCharChunk();
authenticateCC.append("Basic realm=\"");
if (config.getRealmName() == null) {
- authenticateCC.append(request.getServerName());
- authenticateCC.append(':');
- authenticateCC.append(Integer.toString(request.getServerPort()));
+ authenticateCC.append(REALM_NAME);
} else {
authenticateCC.append(config.getRealmName());
}
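Review bot: The reason for replacing the server name and port with `REALM_NAME` is invisible at this call site, and a later maintainer could plausibly "restore" the more informative host:port realm. A one-line comment above the `if` would anchor it: `// Never derive the realm from request.getServerName()/getServerPort(): it discloses the local hostname (CVE-2010-1157)`. The realm is appended into a quoted-string header (`Basic realm="`) without escaping; the constant contains no `"` or `\`, so this is safe as written, but the comment should also say that `REALM_NAME` must stay free of those characters. The enclosing method starts and ends outside the hunk.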
Index: tomcat6-6.0.18/apache-tomcat-6.0.18-src/webapps/docs/realm-howto.xml
===================================================================
--- tomcat6-6.0.18/apache-tomcat-6.0.18-src/webapps/docs/realm-howto.xml (revision 936539)
+++ tomcat6-6.0.18/apache-tomcat-6.0.18-src/webapps/docs/realm-howto.xml (revision 936540)
@@ -209,7 +209,11 @@
<code>{cleartext-password}</code> must be replaced with
<code>{username}:{realm}:{cleartext-password}</code>. For example, in a
development environment this might take the form
- <code>testUser:localhost:8080:testPassword</code>.</p>
+ <code>testUser:Authentication required:testPassword</code>. The value for
+ <code>{realm}</code> is taken from the <code><realm-name></code>
+ element of the web application's <code><login-config></code>. If
+ not specified in web.xml, the default value of <code>Authentication
+ required</code> is used.</p>
<p>To use either of the above techniques, the
<code>$CATALINA_HOME/lib/catalina.jar</code> and