File tomcat-8.0.32-CVE-2016-0762.patch of Package tomcat.4188
Index: java/org/apache/catalina/realm/JDBCRealm.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- java/org/apache/catalina/realm/JDBCRealm.java (date 1454441552000)
+++ java/org/apache/catalina/realm/JDBCRealm.java (revision )
@@ -389,6 +389,9 @@
String dbCredentials = getPassword(username);
if (dbCredentials == null) {
+ // User was not found in the database.
+ // Waste a bit of time as not to reveal that the user does not exist.
+ getCredentialHandler().mutate(credentials);
if (containerLog.isTraceEnabled())
containerLog.trace(sm.getString("jdbcRealm.authenticateFailure",
username));
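Review bot: The added `getCredentialHandler().mutate(credentials)` on the lookup-miss path only closes the timing gap if the handler's default derivation costs roughly what `matches()` costs against a real stored hash; for handlers whose stored form carries its own salt and iteration count, `matches()` re-derives with the stored parameters while `mutate(credentials)` uses the handler's configured defaults, so a measurable difference can remain wherever the two disagree. That caveat belongs next to the insertion, e.g. `// Approximation only: matches() uses the salt/iterations of the stored hash, mutate() the handler defaults; keep them aligned.` The enclosing `authenticate` begins outside the hunk, so whether a null `credentials` is rejected before this point is not visible here; if it is not, `mutate(null)` needs the same guard the DataSourceRealm hunk in this patch adds.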
Index: java/org/apache/catalina/realm/MemoryRealm.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- java/org/apache/catalina/realm/MemoryRealm.java (date 1454441552000)
+++ java/org/apache/catalina/realm/MemoryRealm.java (revision )
@@ -120,6 +120,10 @@
validated = false;
} else {
if (credentials == null || principal.getPassword() == null) {
+ // User was not found in the database or the password was null
+ // Waste a bit of time as not to reveal that the user does not exist.
+ getCredentialHandler().mutate(credentials);
+
if (log.isDebugEnabled())
log.debug(sm.getString("memoryRealm.authenticateFailure", username));
return (null);
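Review bot: `getCredentialHandler().mutate(credentials)` on the new line after `if (credentials == null || principal.getPassword() == null)` is reached with `credentials == null`, since that is one of the two conditions being tested; whether the configured handler tolerates a null input is not visible here, and the DataSourceRealm hunk in this same patch sidesteps the question by returning before the lookup when `credentials` is null. Guard it the same way, either with an early `if (username == null || credentials == null)` return before the lookup (outside this hunk) or minimally `if (credentials != null) getCredentialHandler().mutate(credentials);`. Separately, this branch is the `else` of a test that starts outside the hunk; if that test is `principal == null`, the not-found path on the `validated = false;` line above performs no `mutate` at all, and the lookup-miss timing difference this patch targets stays observable for MemoryRealm. The comment's "not found in the database" also reads oddly for a realm whose name suggests an in-memory lookup; prefer `// Principal missing or has no password: spend the hash time anyway so a miss is indistinguishable.`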
Index: java/org/apache/catalina/realm/DataSourceRealm.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- java/org/apache/catalina/realm/DataSourceRealm.java (date 1454441552000)
+++ java/org/apache/catalina/realm/DataSourceRealm.java (revision )
@@ -293,10 +293,23 @@
protected Principal authenticate(Connection dbConnection,
String username,
String credentials) {
+ // No user or no credentials
+ // Can't possibly authenticate, don't bother the database then
+ if (username == null || credentials == null) {
+ if (containerLog.isTraceEnabled())
+ containerLog.trace(sm.getString("dataSourceRealm.authenticateFailure",
+ username));
+ return null;
+ }
-
+
+
String dbCredentials = getPassword(dbConnection, username);
- if (credentials == null || dbCredentials == null) {
+ if (dbCredentials == null) {
+ // User was not found in the database.
+ // Waste a bit of time as not to reveal that the user does not exist.
+ getCredentialHandler().mutate(credentials);
+
if (containerLog.isTraceEnabled())
containerLog.trace(
sm.getString("dataSourceRealm.authenticateFailure",
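Review bot: The two added blank `+` lines after the new guard's closing brace leave a double blank line between the early return and the `getPassword(dbConnection, username)` call; collapse them to one. The guard and the miss path now both emit the same `dataSourceRealm.authenticateFailure` trace, which is fine for clarity, but the pre-check deserves a note that it is intentionally fast: `// Null username/credentials cannot be a valid login and reveal nothing about user existence, so no timing padding is needed here.` The hunk covers the head of `authenticate(Connection, String, String)` only; its remainder is outside the hunk.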
Index: java/org/apache/catalina/realm/RealmBase.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- java/org/apache/catalina/realm/RealmBase.java (date 1454441552000)
+++ java/org/apache/catalina/realm/RealmBase.java (revision )
@@ -449,6 +449,18 @@
String serverCredentials = getPassword(username);
+ if (serverCredentials == null) {
+ // User was not found
+ // Waste a bit of time as not to reveal that the user does not exist.
+ getCredentialHandler().mutate(credentials);
+
+ if (containerLog.isTraceEnabled()) {
+ containerLog.trace(sm.getString("realmBase.authenticateFailure",
+ username));
+ }
+ return null;
+ }
+
boolean validated = getCredentialHandler().matches(credentials, serverCredentials);
if (!validated) {
if (containerLog.isTraceEnabled()) {
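Review bot: The new `getCredentialHandler().mutate(credentials)` runs with whatever `credentials` the caller passed, and nothing in this hunk rejects a null; before this change the only consumer was `matches(credentials, serverCredentials)`, which the following line still calls with possibly-null arguments, suggesting null was an accepted input on this path. Whether `mutate` accepts null is not visible from the hunk, so either add the same `username == null || credentials == null` pre-check the DataSourceRealm hunk introduces at the top of the method (outside this hunk), or guard locally: `if (credentials != null) getCredentialHandler().mutate(credentials);`. The `return null` after the padding is the right call, but the comment should say why the work is done before returning rather than skipped: `// Run the same cost as a real check so a missing user is not distinguishable from a wrong password by response time.` The enclosing `authenticate(String, String)` starts outside the hunk.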