CVE-2021-30640: Fix NullPointerException
If no userRoleAttribute is specified in the user's Realm configuration its
default value will be null. This will cause a NPE in the methods
doFilterEscaping and doAttributeValueEscaping. This is upstream bug
https://bz.apache.org/bugzilla/show_bug.cgi?id=65308
Markus Koschany
2 years ago
| 11 | 11 | Origin: https://github.com/apache/tomcat/commit/329932012d3a9b95fde0b18618416e659ecffdc0 |
| 12 | 12 | Origin: https://github.com/apache/tomcat/commit/3ce84512ed8783577d9945df28da5a033465b945 |
| 13 | 13 | --- |
| 14 | java/org/apache/catalina/realm/JNDIRealm.java | 137 +++++++++++++++++++-- | |
| 14 | java/org/apache/catalina/realm/JNDIRealm.java | 143 +++++++++++++++++++-- | |
| 15 | 15 | .../realm/TestJNDIRealmAttributeValueEscape.java | 86 +++++++++++++ |
| 16 | 2 files changed, 213 insertions(+), 10 deletions(-) | |
| 16 | 2 files changed, 219 insertions(+), 10 deletions(-) | |
| 17 | 17 | create mode 100644 test/org/apache/catalina/realm/TestJNDIRealmAttributeValueEscape.java |
| 18 | 18 | |
| 19 | 19 | diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java |
| 20 | index 7e2d578..358d008 100644 | |
| 20 | index 7e2d578..2a03307 100644 | |
| 21 | 21 | --- a/java/org/apache/catalina/realm/JNDIRealm.java |
| 22 | 22 | +++ b/java/org/apache/catalina/realm/JNDIRealm.java |
| 23 | 23 | @@ -1633,8 +1633,11 @@ public class JNDIRealm extends RealmBase { |
| 113 | 113 | isRoleSearchAsUser()); |
| 114 | 114 | |
| 115 | 115 | try { |
| 116 | @@ -2823,10 +2842,36 @@ public class JNDIRealm extends RealmBase { | |
| 116 | @@ -2823,10 +2842,39 @@ public class JNDIRealm extends RealmBase { | |
| 117 | 117 | * ) -> \29 |
| 118 | 118 | * \ -> \5c |
| 119 | 119 | * \0 -> \00 |
| 147 | 147 | + * @return String the escaped/encoded result |
| 148 | 148 | + */ |
| 149 | 149 | + protected String doFilterEscaping(String inString) { |
| 150 | + if (inString == null) { | |
| 151 | + return null; | |
| 152 | + } | |
| 150 | 153 | StringBuilder buf = new StringBuilder(inString.length()); |
| 151 | 154 | for (int i = 0; i < inString.length(); i++) { |
| 152 | 155 | char c = inString.charAt(i); |
| 153 | @@ -2916,6 +2961,78 @@ public class JNDIRealm extends RealmBase { | |
| 156 | @@ -2916,6 +2964,81 @@ public class JNDIRealm extends RealmBase { | |
| 154 | 157 | } |
| 155 | 158 | |
| 156 | 159 | |
| 162 | 165 | + * @return The string representation of the attribute value |
| 163 | 166 | + */ |
| 164 | 167 | + protected String doAttributeValueEscaping(String input) { |
| 168 | + if (input == null) { | |
| 169 | + return null; | |
| 170 | + } | |
| 165 | 171 | + int len = input.length(); |
| 166 | 172 | + StringBuilder result = new StringBuilder(); |
| 167 | 173 | + |