Bug 65224

Summary: JNDIRealm doesn't escape filters containing username
Product: Tomcat 8
Reporter: ilja.farber
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Severity: normal
Priority: P2
Version: 8.5.65
Target Milestone: ----
Hardware: PC
OS: Mac OS X 10.1

Description ilja.farber 2021-04-08 14:38:11 UTC
Bug 23190 fixes a similar issue. But the methods JNDIRealm.getUserBySearch() and getUserByPattern() still use unescaped filters. The already available doRFC2254Encoding() would fix the issue.

In the following use case it is even a security issue.
Tomcat runs with LockoutRealm over JNDIRealm and only one user Hugo on the configured userBase. A client can log on with Hugo/<password> as well as with H*/<password>. It always works if the LDAP search returns exactly one entry for the query.

A bad client can outflank the lockout configuration with
H*/<wrong_password1-5>, H**/<wrong_password6-10> etc.

Besides the lockout troubles, I don't think it is acceptable to allow logon for H* instead of the real user Hugo.

The issue actually exists in all (current) Tomcat versions.
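The following is an added example, not code from this report or from Tomcat. It shows the two filter-building variants the report contrasts: one that substitutes the username verbatim into an LDAP search filter, and one that first escapes the filter metacharacters defined in RFC 4515 (the successor of RFC 2254; Tomcat's doRFC2254Encoding() is assumed to do the equivalent, but this escaper is a stand-in, not Tomcat's method). A small matcher that models only `*` wildcards and the hex escapes lets the two variants be compared offline against a constructed directory holding the single uid "Hugo"; `LdapFilterEscape`, `escapeFilterValue`, `buildFilterUnescaped`, `buildFilterEscaped` and `filterMatchesUid` are all names chosen here.

```java
import java.util.regex.Pattern;

/**
 * Added example (not Tomcat code). Demonstrates why an unescaped username in an
 * LDAP search filter lets "H*" match the entry "Hugo", and how RFC 4515 escaping
 * prevents it. The escaper is a stand-in for Tomcat's doRFC2254Encoding().
 */
public final class LdapFilterEscape {

    /** Escape '\', '*', '(', ')' and NUL so the value is matched literally. */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable variant: username substituted verbatim (what the report describes). */
    public static String buildFilterUnescaped(String username) {
        return "(uid=" + username + ")";
    }

    /** Fixed variant: username escaped before substitution. */
    public static String buildFilterEscaped(String username) {
        return "(uid=" + escapeFilterValue(username) + ")";
    }

    /**
     * Minimal stand-in for the directory's evaluation of a "(uid=...)" filter
     * against one entry's uid. Models only '*' wildcards and "\XX" hex escapes;
     * a real LDAP server does far more, but this is enough to show the effect.
     */
    public static boolean filterMatchesUid(String filter, String uid) {
        if (!filter.startsWith("(uid=") || !filter.endsWith(")")) {
            throw new IllegalArgumentException("only (uid=...) filters are modelled");
        }
        String assertion = filter.substring(5, filter.length() - 1);
        StringBuilder regex = new StringBuilder("^");
        for (int i = 0; i < assertion.length(); i++) {
            char c = assertion.charAt(i);
            if (c == '*') {
                regex.append(".*");                       // substring wildcard
            } else if (c == '\\' && i + 2 < assertion.length()) {
                // "\XX" hex escape -> one literal character
                char literal = (char) Integer.parseInt(assertion.substring(i + 1, i + 3), 16);
                regex.append(Pattern.quote(String.valueOf(literal)));
                i += 2;
            } else {
                regex.append(Pattern.quote(String.valueOf(c)));
            }
        }
        regex.append("$");
        return Pattern.compile(regex.toString()).matcher(uid).matches();
    }

    public static void main(String[] args) {
        String directoryUid = "Hugo";                    // constructed: the only user in userBase
        String[] logins = {"Hugo", "H*", "H**", "*"};   // constructed login names
        for (String login : logins) {
            System.out.printf("%-5s unescaped=%-5b escaped=%b%n", login,
                    filterMatchesUid(buildFilterUnescaped(login), directoryUid),
                    filterMatchesUid(buildFilterEscaped(login), directoryUid));
        }
    }
}
```

With the unescaped builder every wildcard login resolves to the single entry, which is exactly the condition the report names (the search returns one entry, so the bind proceeds); with the escaped builder only the literal uid "Hugo" matches. The lockout angle follows from the same defect: a lockout realm that counts failures per submitted username sees "H*" and "H**" as different names, so the escaping in the search path is also what makes the per-user failure count meaningful.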
Comment 1 Mark Thomas 2021-04-16 11:21:21 UTC
Fixed in:
- 10.0.x for 10.0.6 onwards
- 9.0.x for 9.0.46 onwards
- 8.5.x for 8.5.66 onwards
- 7.0.x for 7.0.109 onwards