I thought about that too. I'm pretty sure that the strings get trimmed
elsewhere in the code. I tested it with usernames and passwords that
contained nothing but spaces and they were trimmed.

Jon

----- Original Message -----
From: "Arshad Mahmood" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Tuesday, June 11, 2002 10:51 AM
Subject: Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JNDIRealm.java


> I don't know anything about this fix, but shouldn't you include a trim() before
> checking for a blank username/credential also?
>
> Regards.
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, June 11, 2002 4:32 PM
> Subject: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JNDIRealm.java
>
>
> > remm        2002/06/11 08:32:28
> >
> >   Modified:    catalina/src/share/org/apache/catalina/realm JNDIRealm.java
> >   Log:
> >   - Fix a security problem with the JNDI realm, where blank passwords could be
> >     used to authenticate.
> >   - As a result, blank passwords are not allowed with the JNDI realm anymore.
> >   - Bugzilla 9700.
> >   - The fix will be in 4.1.5.
> >   - Patch submitted by <jemiller at uchicago.edu>
> >     and John Holman <mailto:j.g.holman at qmul.ac.uk>
> >
> >   Revision  Changes    Path
> >   1.8       +6 -5      jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java
> >
> >   Index: JNDIRealm.java
> >   ===================================================================
> >   RCS file:
>
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JN
> DIRealm.java,v
> >   retrieving revision 1.7
> >   retrieving revision 1.8
> >   diff -u -r1.7 -r1.8
> >   --- JNDIRealm.java 9 Jun 2002 02:19:43 -0000 1.7
> >   +++ JNDIRealm.java 11 Jun 2002 15:32:28 -0000 1.8
> >   @@ -716,7 +716,8 @@
> >                                                   String credentials)
> >            throws NamingException {
> >
> >   -        if (username == null || credentials == null)
> >   +        if (username == null || username.equals("")
> >   +            || credentials == null || credentials.equals(""))
> >                return (null);
> >
> >            // Retrieve user information
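Review bot: The added `username.equals("")` and `credentials.equals("")` tests match only the exact empty string, so a whitespace-only value gets past this guard unless something upstream has already trimmed it. Since this condition is what rejects blank passwords, it should not rely on a caller doing the trimming: consider testing `credentials.trim().length() == 0` (and the same for `username`) here. A one-line comment above the condition saying that blank usernames and credentials are rejected on purpose would also help, because the early `return (null);` gives no hint of why.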
> >
> >
> >
> >
> > --
> > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
> >
>
>
