Fix CVE-2011-2204.

Prevent user passwords appearing in log files if a runtime exception (e.g. OOME) occurs while creating a new user for a MemoryUserDatabase via JMX. git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc5.5.x/trunk@1140072 13f79535-47bb-0310-9956-ffa450edef68
apache · Jun 27, 2011 · 8b81c8c · 8b81c8c
1 parent 19939d3
commit 8b81c8c
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 12 deletions.
diff --git a/container/catalina/src/share/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java b/container/catalina/src/share/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java
@@ -188,7 +188,7 @@ public String createGroup(String groupname, String description) {
             MBeanUtils.createMBean(group);
         } catch (Exception e) {
             IllegalArgumentException iae = new IllegalArgumentException
-                ("Exception creating group " + group + " MBean");
+                ("Exception creating group [" + groupname + "] MBean");
             jdkCompat.chainException(iae, e);
             throw iae;
         }
@@ -211,7 +211,7 @@ public String createRole(String rolename, String description) {
             MBeanUtils.createMBean(role);
         } catch (Exception e) {
             IllegalArgumentException iae = new IllegalArgumentException
-                ("Exception creating role " + role + " MBean");
+                ("Exception creating role [" + rolename + "] MBean");
             jdkCompat.chainException(iae, e);
             throw iae;
         }
@@ -236,7 +236,7 @@ public String createUser(String username, String password,
             MBeanUtils.createMBean(user);
         } catch (Exception e) {
             IllegalArgumentException iae = new IllegalArgumentException
-                ("Exception creating user " + user + " MBean");
+                ("Exception creating user [" + username + "] MBean");
             jdkCompat.chainException(iae, e);
             throw iae;
         }
@@ -264,7 +264,7 @@ public String findGroup(String groupname) {
             return (oname.toString());
         } catch (MalformedObjectNameException e) {
             IllegalArgumentException iae = new IllegalArgumentException
-                ("Cannot create object name for group " + group);
+                ("Cannot create object name for group [" + groupname + "]");
             jdkCompat.chainException(iae, e);
             throw iae;
         }
@@ -291,7 +291,7 @@ public String findRole(String rolename) {
             return (oname.toString());
         } catch (MalformedObjectNameException e) {
             IllegalArgumentException iae = new IllegalArgumentException
-                ("Cannot create object name for role " + role);
+                ("Cannot create object name for role [" + rolename + "]");
             jdkCompat.chainException(iae, e);
             throw iae;
         }
@@ -318,7 +318,7 @@ public String findUser(String username) {
             return (oname.toString());
         } catch (MalformedObjectNameException e) {
             IllegalArgumentException iae = new IllegalArgumentException
-                ("Cannot create object name for user " + user);
+                ("Cannot create object name for user [" + username + "]");
             jdkCompat.chainException(iae, e);
             throw iae;
         }
@@ -343,7 +343,7 @@ public void removeGroup(String groupname) {
             database.removeGroup(group);
         } catch (Exception e) {
             IllegalArgumentException iae = new IllegalArgumentException
-                ("Exception destroying group " + group + " MBean");
+                ("Exception destroying group [" + groupname + "] MBean");
             jdkCompat.chainException(iae, e);
             throw iae;
         }
@@ -368,7 +368,7 @@ public void removeRole(String rolename) {
             database.removeRole(role);
         } catch (Exception e) {
             IllegalArgumentException iae = new IllegalArgumentException
-                ("Exception destroying role " + role + " MBean");
+                ("Exception destroying role [" + rolename + "] MBean");
             jdkCompat.chainException(iae, e);
             throw iae;
         }
@@ -393,7 +393,7 @@ public void removeUser(String username) {
             database.removeUser(user);
         } catch (Exception e) {
             IllegalArgumentException iae = new IllegalArgumentException
-                ("Exception destroying user " + user + " MBean");
+                ("Exception destroying user [" + username + "] MBean");
             jdkCompat.chainException(iae, e);
             throw iae;
         }

diff --git a/container/catalina/src/share/org/apache/catalina/users/MemoryUser.java b/container/catalina/src/share/org/apache/catalina/users/MemoryUser.java
@@ -246,7 +246,7 @@ public void removeRoles() {
      * <code>username</code> or </code>name</code> for the username
      * property.</p>
      */
-    public String toString() {
+    public String toXml() {
 
         StringBuffer sb = new StringBuffer("<user username=\"");
         sb.append(RequestUtil.filter(username));
@@ -293,5 +293,53 @@ public String toString() {
 
     }
 
+    /**
+     * <p>Return a String representation of this user.</p>
+     */
+    public String toString() {
+
+        StringBuffer sb = new StringBuffer("User username=\"");
+        sb.append(RequestUtil.filter(username));
+        sb.append("\"");
+        if (fullName != null) {
+            sb.append(", fullName=\"");
+            sb.append(RequestUtil.filter(fullName));
+            sb.append("\"");
+        }
+        synchronized (groups) {
+            if (groups.size() > 0) {
+                sb.append(", groups=\"");
+                int n = 0;
+                Iterator values = groups.iterator();
+                while (values.hasNext()) {
+                    if (n > 0) {
+                        sb.append(',');
+                    }
+                    n++;
+                    sb.append(RequestUtil.filter(
+                            ((Group)values.next()).getGroupname()));
+                }
+                sb.append("\"");
+            }
+        }
+        synchronized (roles) {
+            if (roles.size() > 0) {
+                sb.append(", roles=\"");
+                int n = 0;
+                Iterator values = roles.iterator();
+                while (values.hasNext()) {
+                    if (n > 0) {
+                        sb.append(',');
+                    }
+                    n++;
+                    sb.append(RequestUtil.filter(
+                            ((Role)values.next()).getRolename()));
+                }
+                sb.append("\"");
+            }
+        }
+        return (sb.toString());
+    }
+
 
 }
diff --git a/container/catalina/src/share/org/apache/catalina/users/MemoryUserDatabase.java b/container/catalina/src/share/org/apache/catalina/users/MemoryUserDatabase.java
@@ -541,7 +541,7 @@ public void save() throws Exception {
             values = getUsers();
             while (values.hasNext()) {
                 writer.print("  ");
-                writer.println(values.next());
+                writer.println(((MemoryUser) values.next()).toXml());
             }
 
             // Print the file epilog

diff --git a/container/webapps/docs/changelog.xml b/container/webapps/docs/changelog.xml
@@ -55,7 +55,11 @@
         response, prevent further reads from the request since this causes
         various problems in the connectors which do not expect this. (markt)
       </fix>
-    </changelog>
+      <fix>
+        Fix CVE-2011-2204. Prevent user passwords appearing in log files if a
+        runtime exception (e.g. OOME) occurs while creating a new user for a
+        MemoryUserDatabase via JMX. (markt)
+      </fix>    </changelog>
   </subsection>
   <subsection name="Webapps">
     <changelog>