Bug 65224 - JNDIRealm doesn't escape filters containing username
Summary: JNDIRealm doesn't escape filters containing username
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
Version: 8.5.65
Hardware: PC Mac OS X 10.1
Importance: P2 normal
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2021-04-08 14:38 UTC by ilja.farber
Modified: 2021-04-16 11:21 UTC (History)
Description ilja.farber 2021-04-08 14:38:11 UTC
Bug 23190 fixes a similar issue. But the methods JNDIRealm.getUserBySearch() and getUserByPattern() still use unescaped filters. The already available doRFC2254Encoding() would fix the issue.

In the following use case it is even a security issue.
Tomcat runs with LockOutRealm over JNDIRealm and only one user, Hugo, on the configured userBase. A client can log on with Hugo/<password> as well as with H*/<password>. It always works if the LDAP search returns exactly one entry for the query.

A bad client can outflank the lockout configuration with
H*/<wrong_password1-5>, H**/<wrong_password6-10>, etc.

Besides the lockout troubles, I don't think it is acceptable to allow logon for H* instead of the real user Hugo.

The issue actually exists in all (current) Tomcat versions.
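The filter-injection behaviour described in the report, as an added Java example that is not part of the bug report or of Tomcat's code. escapeFilterValue() is an assumed re-implementation of RFC 2254 section 4 value escaping (the same rules JNDIRealm.doRFC2254Encoding() applies; it is not that method). The in-memory directory and the single "(attr=value)" evaluator are constructed stand-ins for an LDAP server, and the userSearch string "(uid={0})" follows the JNDIRealm convention of substituting the username for {0}. Running main() shows "H*" and "H**" matching Hugo's entry when the username is interpolated raw, and matching nothing once the value is escaped; the last loop shows why per-username lockout counters do not help when every attempt uses a different wildcard string.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added example, not Tomcat's code: why an unescaped username in an LDAP
// search filter lets "H*" match the entry for "Hugo", and how RFC 2254
// value escaping removes the wildcard.
public class LdapFilterEscapeDemo {

    // RFC 2254 section 4 escaping of a filter *value* (assumed re-implementation;
    // Tomcat's own helper is JNDIRealm.doRFC2254Encoding, not this method).
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Before the fix: the username is substituted raw into the userSearch pattern.
    static String unescapedFilter(String userSearch, String username) {
        return userSearch.replace("{0}", username);
    }

    // After the fix: the value is escaped first, so it can only match literally.
    static String escapedFilter(String userSearch, String username) {
        return userSearch.replace("{0}", escapeFilterValue(username));
    }

    // Toy evaluator for a single "(attr=value)" filter against an in-memory
    // directory (dn -> attribute value). It supports only this form, which is
    // enough to show how a server treats a bare '*' versus the escape "\2a".
    static List<String> search(Map<String, String> directory, String attr, String filter) {
        String prefix = "(" + attr + "=";
        if (!filter.startsWith(prefix) || !filter.endsWith(")")) {
            throw new IllegalArgumentException("unsupported filter: " + filter);
        }
        String value = filter.substring(prefix.length(), filter.length() - 1);
        StringBuilder regex = new StringBuilder();
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\\' && i + 2 < value.length()) {
                // "\xx" hex escape: the decoded character is matched literally
                int code = Integer.parseInt(value.substring(i + 1, i + 3), 16);
                regex.append(Pattern.quote(String.valueOf((char) code)));
                i += 2;
            } else if (c == '*') {
                regex.append(".*");          // bare '*' is a substring wildcard
            } else {
                regex.append(Pattern.quote(String.valueOf(c)));
            }
        }
        Pattern p = Pattern.compile(regex.toString());
        List<String> hits = new ArrayList<>();
        for (Map.Entry<String, String> e : directory.entrySet()) {
            if (p.matcher(e.getValue()).matches()) {
                hits.add(e.getKey());
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample directory with a single user, as in the report.
        Map<String, String> directory = new HashMap<>();
        directory.put("uid=Hugo,ou=people,dc=example,dc=com", "Hugo");
        String userSearch = "(uid={0})";

        for (String attempt : new String[] {"Hugo", "H*", "H**"}) {
            String bad = unescapedFilter(userSearch, attempt);
            String good = escapedFilter(userSearch, attempt);
            System.out.printf("%-5s unescaped %-14s -> %s%n", attempt, bad, search(directory, "uid", bad));
            System.out.printf("%-5s escaped   %-14s -> %s%n", attempt, good, search(directory, "uid", good));
        }

        // A lockout realm that counts failures per submitted username (as the
        // report describes) keeps separate counters for "H*", "H**", ... even
        // though every one of them resolves to Hugo's entry.
        Map<String, Integer> failures = new HashMap<>();
        for (String attempt : new String[] {"H*", "H*", "H**", "H**", "H***"}) {
            failures.merge(attempt, 1, Integer::sum);
        }
        System.out.println("failure counters by submitted name: " + failures);
    }
}
```

The escaped form of "H*" is "(uid=H\2a)", which the evaluator, like a real server, treats as the literal three-character string "H*" and so finds no entry; only the exact name "Hugo" still matches.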
Comment 1 Mark Thomas 2021-04-16 11:21:21 UTC
Fixed in:
- 10.0.x for 10.0.6 onwards
- 9.0.x for 9.0.46 onwards
- 8.5.x for 8.5.66 onwards
- 7.0.x for 7.0.109 onwards