Bug 57027

Summary: DigesterCredentialHandlerBase and HexUtils shall test for invalid hex characters
Product: Tomcat 8 Reporter: Konstantin Kolinko <knst.kolinko>
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Severity: normal    
Priority: P2    
Version: 8.0.x-trunk   
Target Milestone: ----   
Hardware: PC   
OS: All   

Description Konstantin Kolinko 2014-09-27 16:33:06 UTC
This is for the current trunk, for code added after 8.0.14 release. Tomcat 8.0.14 is OK.

The recently added DigestCredentialHandlerBase.matchSaltIterationsEncoded() does the following:

byte[] salt = HexUtils.fromHexString(hexSalt);

As I mentioned in "Re: r1627000" thread on dev@, the formHexString method does not check correctness of its arguments. It shall check that

a) The string length is a multiple of 2.
b) All characters are valid hex digits.

The current code will produce bogus results is the above conditions are not true.

The DigestCredentialHandlerBase class already has facility for reporting invalid stored credentials, as controlled by its logInvalidStoredCredentials field.
Comment 1 Mark Thomas 2014-09-29 19:25:00 UTC
This has been fixed in 8.0.x for 8.0.15 onwards.