diff --git a/container/catalina/src/share/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java b/container/catalina/src/share/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java
index 21726520..c4f161b6 100644
--- a/container/catalina/src/share/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java
+++ b/container/catalina/src/share/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java
@@ -188,7 +188,7 @@ public String createGroup(String groupname, String description) {
 MBeanUtils.createMBean(group);
 } catch (Exception e) {
 IllegalArgumentException iae = new IllegalArgumentException
- ("Exception creating group " + group + " MBean");
+ ("Exception creating group [" + groupname + "] MBean");
 jdkCompat.chainException(iae, e);
 throw iae;
 }
@@ -211,7 +211,7 @@ public String createRole(String rolename, String description) {
 MBeanUtils.createMBean(role);
 } catch (Exception e) {
 IllegalArgumentException iae = new IllegalArgumentException
- ("Exception creating role " + role + " MBean");
+ ("Exception creating role [" + rolename + "] MBean");
 jdkCompat.chainException(iae, e);
 throw iae;
 }
@@ -236,7 +236,7 @@ public String createUser(String username, String password,
 MBeanUtils.createMBean(user);
 } catch (Exception e) {
 IllegalArgumentException iae = new IllegalArgumentException
- ("Exception creating user " + user + " MBean");
+ ("Exception creating user [" + username + "] MBean");
 jdkCompat.chainException(iae, e);
 throw iae;
 }
@@ -264,7 +264,7 @@ public String findGroup(String groupname) {
 return (oname.toString());
 } catch (MalformedObjectNameException e) {
 IllegalArgumentException iae = new IllegalArgumentException
- ("Cannot create object name for group " + group);
+ ("Cannot create object name for group [" + groupname + "]");
 jdkCompat.chainException(iae, e);
 throw iae;
 }
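Review bot: In the createUser hunk the reworded message embeds the JMX-supplied `username` unfiltered, and per the changelog that text is exactly what lands in log files, so a name carrying CR/LF could split or forge a log entry (the group and role names in the neighbouring hunks are in the same position). The message change itself is belt-and-braces, since the password leak is closed by MemoryUser.toString() no longer carrying the password, but nothing here records why `user` was replaced by `username`; a comment such as `// Log the name, never the user object: its toString() must stay password-free (CVE-2011-2204)` above the `new IllegalArgumentException` line would keep a later cleanup from reverting it. createUser's body starts and ends outside the hunk, so whether the name is validated earlier in the method cannot be seen here.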
@@ -291,7 +291,7 @@ public String findRole(String rolename) {
 return (oname.toString());
 } catch (MalformedObjectNameException e) {
 IllegalArgumentException iae = new IllegalArgumentException
- ("Cannot create object name for role " + role);
+ ("Cannot create object name for role [" + rolename + "]");
 jdkCompat.chainException(iae, e);
 throw iae;
 }
@@ -318,7 +318,7 @@ public String findUser(String username) {
 return (oname.toString());
 } catch (MalformedObjectNameException e) {
 IllegalArgumentException iae = new IllegalArgumentException
- ("Cannot create object name for user " + user);
+ ("Cannot create object name for user [" + username + "]");
 jdkCompat.chainException(iae, e);
 throw iae;
 }
@@ -343,7 +343,7 @@ public void removeGroup(String groupname) {
 database.removeGroup(group);
 } catch (Exception e) {
 IllegalArgumentException iae = new IllegalArgumentException
- ("Exception destroying group " + group + " MBean");
+ ("Exception destroying group [" + groupname + "] MBean");
 jdkCompat.chainException(iae, e);
 throw iae;
 }
@@ -368,7 +368,7 @@ public void removeRole(String rolename) {
 database.removeRole(role);
 } catch (Exception e) {
 IllegalArgumentException iae = new IllegalArgumentException
- ("Exception destroying role " + role + " MBean");
+ ("Exception destroying role [" + rolename + "] MBean");
 jdkCompat.chainException(iae, e);
 throw iae;
 }
@@ -393,7 +393,7 @@ public void removeUser(String username) {
 database.removeUser(user);
 } catch (Exception e) {
 IllegalArgumentException iae = new IllegalArgumentException
- ("Exception destroying user " + user + " MBean");
+ ("Exception destroying user [" + username + "] MBean");
 jdkCompat.chainException(iae, e);
 throw iae;
 }
diff --git a/container/catalina/src/share/org/apache/catalina/users/MemoryUser.java b/container/catalina/src/share/org/apache/catalina/users/MemoryUser.java
index f3f8470a..e41af480 100644
--- a/container/catalina/src/share/org/apache/catalina/users/MemoryUser.java
+++ b/container/catalina/src/share/org/apache/catalina/users/MemoryUser.java @@ -246,7 +246,7 @@ public void removeRoles() { * username or name for the username * property.

*/ - public String toString() { + public String toXml() { StringBuffer sb = new StringBuffer("Return a String representation of this user.

+ */
+ public String toString() {
+
+ StringBuffer sb = new StringBuffer("User username=\"");
+ sb.append(RequestUtil.filter(username));
+ sb.append("\"");
+ if (fullName != null) {
+ sb.append(", fullName=\"");
+ sb.append(RequestUtil.filter(fullName));
+ sb.append("\"");
+ }
+ synchronized (groups) {
+ if (groups.size() > 0) {
+ sb.append(", groups=\"");
+ int n = 0;
+ Iterator values = groups.iterator();
+ while (values.hasNext()) {
+ if (n > 0) {
+ sb.append(',');
+ }
+ n++;
+ sb.append(RequestUtil.filter(
+ ((Group)values.next()).getGroupname()));
+ }
+ sb.append("\"");
+ }
+ }
+ synchronized (roles) {
+ if (roles.size() > 0) {
+ sb.append(", roles=\"");
+ int n = 0;
+ Iterator values = roles.iterator();
+ while (values.hasNext()) {
+ if (n > 0) {
+ sb.append(',');
+ }
+ n++;
+ sb.append(RequestUtil.filter(
+ ((Role)values.next()).getRolename()));
+ }
+ sb.append("\"");
+ }
+ }
+ return (sb.toString());
+ }
+ }
diff --git a/container/catalina/src/share/org/apache/catalina/users/MemoryUserDatabase.java b/container/catalina/src/share/org/apache/catalina/users/MemoryUserDatabase.java
index db4a3533..7e60a16a 100644
--- a/container/catalina/src/share/org/apache/catalina/users/MemoryUserDatabase.java
+++ b/container/catalina/src/share/org/apache/catalina/users/MemoryUserDatabase.java
@@ -541,7 +541,7 @@ public void save() throws Exception {
 values = getUsers();
 while (values.hasNext()) {
 writer.print(" ");
- writer.println(values.next());
+ writer.println(((MemoryUser) values.next()).toXml());
 }
 
 // Print the file epilog
diff --git a/container/webapps/docs/changelog.xml b/container/webapps/docs/changelog.xml
index 7dff2ad1..516d5a07 100644
--- a/container/webapps/docs/changelog.xml
+++ b/container/webapps/docs/changelog.xml
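Review bot: The new toString() leaves the password out on purpose, yet neither the method body nor its one-line Javadoc says so, and with the old body renamed to toXml() the password-bearing form still sits one method up, so a maintainer "completing" toString() with the password field would silently reopen CVE-2011-2204. Propose the Javadoc read `Return a String representation of this user that is safe for log and exception messages: the password is deliberately omitted. Use toXml() for the persisted form.` with a matching `// No password here: this string reaches log files (CVE-2011-2204)` beside the `new StringBuffer("User username=\""` line. RequestUtil.filter looks like HTML escaping, which would turn a quote in a username into `&quot;` in a log line; harmless, but worth a comment that it is not a log-injection filter if CR/LF pass through it, which cannot be confirmed from here. The hunk header for this addition is lost in the garbled lines above, so where the added block starts is assumed rather than seen.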
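Review bot: The save hunk hard-casts every element from getUsers() to MemoryUser; if that iterator can ever yield another User implementation the cast throws ClassCastException part-way through the write, after the prolog, roles and groups have already gone to `writer`, leaving a truncated users file behind. If getUsers() is guaranteed to return only MemoryUser instances (likely, since this database creates them, but not visible in the hunk), say so at the cast: `// getUsers() only ever yields MemoryUser; toXml() is the password-bearing form, toString() is not, so the cast is required here`. Otherwise guard with `instanceof` and fail the save explicitly rather than mid-file. save() starts and ends outside the hunk.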
@@ -55,7 +55,11 @@ response, prevent further reads from the request since this causes various problems in the connectors which do not expect this. (markt) - + + Fix CVE-2011-2204. Prevent user passwords appearing in log files if a + runtime exception (e.g. OOME) occurs while creating a new user for a + MemoryUserDatabase via JMX. (markt) +