Bug 57027 - DigesterCredentialHandlerBase and HexUtils shall test for invalid hex characters
Summary: DigesterCredentialHandlerBase and HexUtils shall test for invalid hex characters
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
Version: 8.0.x-trunk
Hardware: PC All
Importance: P2 normal
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-27 16:33 UTC by Konstantin Kolinko
Modified: 2014-09-29 19:25 UTC (History)
Description Konstantin Kolinko 2014-09-27 16:33:06 UTC
This is for the current trunk, for code added after 8.0.14 release. Tomcat 8.0.14 is OK.

The recently added DigestCredentialHandlerBase.matchSaltIterationsEncoded() does the following:

byte[] salt = HexUtils.fromHexString(hexSalt);

As I mentioned in the "Re: r1627000" thread on dev@, the fromHexString method does not check the correctness of its arguments. It shall check that

a) The string length is a multiple of 2.
b) All characters are valid hex digits.

The current code will produce bogus results if the above conditions are not true.

The DigestCredentialHandlerBase class already has facility for reporting invalid stored credentials, as controlled by its logInvalidStoredCredentials field.
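The following is an added example, not Tomcat's own HexUtils or DigestCredentialHandlerBase code, contrasting a lenient hex decoder with a strict one that enforces the two conditions from the report. The class and method names (StrictHexExample, fromHexStringStrict, fromHexStringLenient) and the sample salt strings are constructed for illustration. It shows concretely what "bogus results" means: an odd-length string silently loses its last nibble, and a non-hex character decodes to 0xFF because Character.digit returns -1 and that value is shifted into the output byte.

```java
import java.util.Arrays;

/**
 * Added example (hypothetical code, not part of Tomcat): a strict hex decoder
 * beside a deliberately lenient one, to show why the validation in the report
 * matters when the input is a stored credential's salt.
 */
public class StrictHexExample {

    // Strict decoder: rejects odd length (condition a) and any character that
    // is not a hex digit (condition b) before touching the output array.
    public static byte[] fromHexStringStrict(String hex) {
        if (hex == null) {
            return null;
        }
        if ((hex.length() & 1) != 0) {
            throw new IllegalArgumentException(
                    "Hex string length must be a multiple of 2, got " + hex.length());
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) {
                int pos = (hi < 0) ? 2 * i : 2 * i + 1;
                throw new IllegalArgumentException(
                        "Invalid hex character '" + hex.charAt(pos) + "' at position " + pos);
            }
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    // Lenient decoder with no validation: integer division drops a trailing
    // nibble, and Character.digit's -1 for a bad character is shifted and OR'ed
    // straight into the byte, yielding 0xFF instead of an error.
    public static byte[] fromHexStringLenient(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed inputs: a valid salt, an odd-length salt, and a salt
        // containing non-hex characters.
        String[] inputs = { "0a1b2c3d", "0a1b2c3", "0a1bzz3d" };
        for (String in : inputs) {
            System.out.println("lenient(\"" + in + "\") = "
                    + Arrays.toString(fromHexStringLenient(in)));
            try {
                System.out.println("strict (\"" + in + "\") = "
                        + Arrays.toString(fromHexStringStrict(in)));
            } catch (IllegalArgumentException e) {
                System.out.println("strict (\"" + in + "\") rejected: " + e.getMessage());
            }
        }
    }
}
```

With these inputs the lenient decoder returns [10, 27, 44] for "0a1b2c3" (the "3" is lost) and [10, 27, -1, 61] for "0a1bzz3d" (the "zz" pair becomes 0xFF), while the strict decoder rejects both. A caller such as the credential matching code in the report would catch the IllegalArgumentException and treat the stored credential as invalid, which is the reporting path its logInvalidStoredCredentials setting already controls.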
Comment 1 Mark Thomas 2014-09-29 19:25:00 UTC
This has been fixed in 8.0.x for 8.0.15 onwards.