|Summary:||DigesterCredentialHandlerBase and HexUtils shall test for invalid hex characters|
|Product:||Tomcat 8||Reporter:||Konstantin Kolinko <knst.kolinko>|
|Component:||Catalina||Assignee:||Tomcat Developers Mailing List <dev>|
Description Konstantin Kolinko 2014-09-27 16:33:06 UTC
This is for the current trunk, for code added after 8.0.14 release. Tomcat 8.0.14 is OK. The recently added DigestCredentialHandlerBase.matchSaltIterationsEncoded() does the following: byte salt = HexUtils.fromHexString(hexSalt); As I mentioned in "Re: r1627000" thread on dev@, the formHexString method does not check correctness of its arguments. It shall check that a) The string length is a multiple of 2. b) All characters are valid hex digits. The current code will produce bogus results is the above conditions are not true. The DigestCredentialHandlerBase class already has facility for reporting invalid stored credentials, as controlled by its logInvalidStoredCredentials field.
Comment 1 Mark Thomas 2014-09-29 19:25:00 UTC
This has been fixed in 8.0.x for 8.0.15 onwards.