Rémy,

On 6/4/2009 1:04 PM, Rémy Maucherat wrote:
> On Thu, Jun 4, 2009 at 6:48 PM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>> I don't see any information disclosure vulnerability in the first place,
>> and I don't see how your patch would have fixed it.
>>
>> ??!
>
> The behavior was different if the user is not found or if the password is
> wrong.
> (ok, the security issue is not exactly very serious)

To be sure, this is not very serious, but this method should return null in all cases except for successful authentication. Under what conditions would something non-null be returned if the authentication wasn't successful? I don't think an exception would be thrown, either, would it?

On 6/4/2009 2:06 PM, Len Popp wrote:
> It looks to me like the change fixes an NPE when a null or nonsense
> password is given.

That would certainly amount to an information disclosure, but I'm reading the 5.5 trunk source (http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java?revision=466608&pathrev=781379 : version just previous to the fix) and it looks like you'd get an NPE whether the user was found in the database or not.

I suppose the argument could be made that sloppy credential handling (that is, sloppy enough to allow an NPE) could possibly lead to such information disclosure.

Time to go check out securityfilter's source to see if we do this. Oh, wait, we use Tomcat's realms :)

-chris
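An added illustration (not Tomcat's DataSourceRealm code, and not written by anyone in this thread) of the property Chris describes: authenticate() returns null on every failure path, does not throw on a null password, and does the same work whether or not the user exists. The in-memory credential map and the Principal class are constructed stand-ins for the realm's database and Tomcat's principal type.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Tomcat's DataSourceRealm: authenticate() returns
// null on every failure path, never throws on a null password, and does the
// same work whether or not the user exists.
public class UniformRealmExample {
    // Constructed stand-in for the realm's credential table (clear text only
    // to keep the example short; a real realm would store digests).
    private static final Map<String, String> CREDENTIALS = new HashMap<>();
    static { CREDENTIALS.put("alice", "correct horse battery staple"); }

    // Stand-in for the principal Tomcat would build on success.
    public static final class Principal {
        public final String name;
        Principal(String name) { this.name = name; }
    }

    // Compared against when the user is unknown, so the unknown-user path
    // does not skip the comparison step and finish noticeably earlier.
    private static final String DUMMY_CREDENTIAL = "no-such-user-placeholder";
    public static Principal authenticate(String username, String credentials) {
        if (username == null || credentials == null) {
            return null;  // malformed request: fail closed instead of an NPE
        }
        String stored = CREDENTIALS.get(username);
        boolean userKnown = stored != null;
        String toCompare = userKnown ? stored : DUMMY_CREDENTIAL;
        // isEqual is constant-time in the content (length aside), so the
        // comparison itself does not reveal how many characters matched.
        boolean match = MessageDigest.isEqual(
                toCompare.getBytes(StandardCharsets.UTF_8),
                credentials.getBytes(StandardCharsets.UTF_8));
        // Only a known user with a matching credential yields a principal;
        // wrong password and unknown user are indistinguishable to the caller.
        return (userKnown && match) ? new Principal(username) : null;
    }

    public static void main(String[] args) {
        assert authenticate("alice", "correct horse battery staple") != null;
        assert authenticate("alice", "wrong") == null;
        assert authenticate("nobody", "wrong") == null;
        assert authenticate("alice", null) == null;   // the null-password case
        assert authenticate(null, "x") == null;
        System.out.println("every failure path returned null");
    }
}
```

Run it with `java -ea UniformRealmExample.java` so the assertions are enabled.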