----- Original Message -----
From: "Mark Thomas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 04, 2003 11:46 AM
Subject: [PATCH] Bug 22715


> Resending. I seem to be having e-mail problems...
>
> The patches below (TC5 and TC4) fix bug 22715 in that they ensure that xml
> entities are correctly written back out to the password field of
> tomcat-users.xml
>
> I did consider a more general patch to allow xml entities in user names, group
> names and role names but wasn't sure of the potential side effects. I also
> think that users are far more likely to want to use these characters in
> passwords than in user names, group names or role names. Thoughts? If the
> general consensus is that a more general patch is required, I am happy to
> produce one.
>

Depending on how/if UDBR wants to support CLIENT-CERT auth, you'll likely
need to escape the user name as well (the full X509 Subject may contain
embedded &quot; characters in it).

> Mark
>
>
> Index: catalina/src/share/org/apache/catalina/users/MemoryUser.java
> ===================================================================
> RCS file:
>
/home/cvspublic/jakarta-tomcat-catalina/catalina/src/share/org/apache/catali
> na/users/MemoryUser.java,v
> retrieving revision 1.2
> diff -u -r1.2 MemoryUser.java
> --- catalina/src/share/org/apache/catalina/users/MemoryUser.java 2 Sep
2003
> 21:22:03 -0000 1.2
> +++ catalina/src/share/org/apache/catalina/users/MemoryUser.java 3 Sep
2003
> 23:01:54 -0000
> @@ -70,6 +70,7 @@
>  import org.apache.catalina.Group;
>  import org.apache.catalina.Role;
>  import org.apache.catalina.UserDatabase;
> +import org.apache.catalina.util.RequestUtil;
>
>
>  /**
> @@ -296,7 +297,7 @@
>          StringBuffer sb = new StringBuffer("<user username=\"");
>          sb.append(username);
>          sb.append("\" password=\"");
> -        sb.append(password);
> +        sb.append(RequestUtil.filter(password));
>          sb.append("\"");
>          if (fullName != null) {
>              sb.append(" fullName=\"");
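Review bot: sb.append(username), two lines above the changed line, still writes the user name into a double-quoted attribute unescaped, so a name containing a quote or an ampersand produces the same malformed entry this patch fixes for the password. Pass username through RequestUtil.filter as well, and check how the fullName value is appended after the last context line, which this hunk does not show.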
>
>
>
> Index: catalina/src/share/org/apache/catalina/users/MemoryUser.java
> ===================================================================
> RCS file:
>
/home/cvspublic/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/us
> ers/MemoryUser.java,v
> retrieving revision 1.5
> diff -u -r1.5 MemoryUser.java
> --- catalina/src/share/org/apache/catalina/users/MemoryUser.java 10 Feb
2002
> 08:06:20 -0000 1.5
> +++ catalina/src/share/org/apache/catalina/users/MemoryUser.java 3 Sep
2003
> 22:45:49 -0000
> @@ -68,8 +68,8 @@
>  import java.util.Iterator;
>  import org.apache.catalina.Group;
>  import org.apache.catalina.Role;
> -import org.apache.catalina.User;
>  import org.apache.catalina.UserDatabase;
> +import org.apache.catalina.util.RequestUtil;
>
>
>  /**
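Review bot: the removal of import org.apache.catalina.User in this TC4 hunk is not mentioned in the description and has no counterpart in the TC5 patch, where only the RequestUtil import is added. If the import is simply unused, say so in the commit message or send it as a separate cleanup, so the bug 22715 fix stays the same one-line change on both branches.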
> @@ -296,7 +296,7 @@
>          StringBuffer sb = new StringBuffer("<user username=\"");
>          sb.append(username);
>          sb.append("\" password=\"");
> -        sb.append(password);
> +        sb.append(RequestUtil.filter(password));
>          sb.append("\"");
>          if (fullName != null) {
>              sb.append(" fullName=\"");
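Review bot: RequestUtil.filter(password) on the changed line comes from a request utility class, and nothing in the patch shows which characters it escapes. The value lands inside a double-quoted XML attribute, so confirm the helper covers at least the ampersand, the less-than sign and the double quote, and add a save-and-reload test with a password containing those characters for both TC4 and TC5.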
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
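The round trip at issue in this thread, as an added example that is not part of the original messages and is not Tomcat's code. It builds the <user .../> element the way the patched method does, with and without escaping, and reloads it with the JDK's XML parser. The escapeAttr helper, the class name and the sample values are assumptions made for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;

public class UserXmlRoundTrip {
    // Hypothetical helper (not Tomcat's RequestUtil.filter): escapes the
    // characters that are significant inside a double-quoted XML attribute.
    static String escapeAttr(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
    // Writes the element the same way the patched code does: string appends.
    static String userElement(String username, String password, boolean escape) {
        String u = escape ? escapeAttr(username) : username;
        String p = escape ? escapeAttr(password) : password;
        return "<user username=\"" + u + "\" password=\"" + p + "\"/>";
    }
    // Parses the element and reports whether both values survive the reload.
    static String roundTrip(String xml, String username, String password) {
        try {
            Element e = DocumentBuilderFactory.newInstance().newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement();
            boolean same = username.equals(e.getAttribute("username"))
                && password.equals(e.getAttribute("password"));
            return same ? "round trip ok" : "values changed on reload";
        } catch (Exception ex) {
            return "reload failed: " + ex.getClass().getSimpleName();
        }
    }
    public static void main(String[] args) {
        // Constructed samples: X.509-style subject with quotes, password with entities.
        String user = "CN=\"Doe, Jane\",O=Example";
        String pass = "p&ss<w\"rd";
        for (boolean escape : new boolean[] {false, true}) {
            String xml = userElement(user, pass, escape);
            System.out.println(xml + " -> " + roundTrip(xml, user, pass));
        }
    }
}
```

The unescaped element fails to reload, while the escaped one returns both values unchanged.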
