Bug 57027 - DigesterCredentialHandlerBase and HexUtils shall test for invalid hex characters
DigesterCredentialHandlerBase and HexUtils shall test for invalid hex characters
Status: RESOLVED FIXED
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
8.0.x-trunk
PC All
: P2 normal (vote)
: ----
Assigned To: Tomcat Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2014-09-27 16:33 UTC by Konstantin Kolinko
Modified: 2014-09-29 19:25 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Konstantin Kolinko 2014-09-27 16:33:06 UTC
This is for the current trunk, for code added after 8.0.14 release. Tomcat 8.0.14 is OK.

The recently added DigestCredentialHandlerBase.matchSaltIterationsEncoded() does the following:

byte[] salt = HexUtils.fromHexString(hexSalt);

As I mentioned in "Re: r1627000" thread on dev@, the formHexString method does not check correctness of its arguments. It shall check that

a) The string length is a multiple of 2.
b) All characters are valid hex digits.

The current code will produce bogus results is the above conditions are not true.

The DigestCredentialHandlerBase class already has facility for reporting invalid stored credentials, as controlled by its logInvalidStoredCredentials field.
Comment 1 Mark Thomas 2014-09-29 19:25:00 UTC
This has been fixed in 8.0.x for 8.0.15 onwards.