CVE-2021-30640: Fix NullPointerException
If no userRoleAttribute is specified in the user's Realm configuration its
default value will be null. This will cause a NPE in the methods
doFilterEscaping and doAttributeValueEscaping. This is upstream bug
https://bz.apache.org/bugzilla/show_bug.cgi?id=65308
Markus Koschany
2 years ago
11 | 11 | Origin: https://github.com/apache/tomcat/commit/329932012d3a9b95fde0b18618416e659ecffdc0 |
12 | 12 | Origin: https://github.com/apache/tomcat/commit/3ce84512ed8783577d9945df28da5a033465b945 |
13 | 13 | --- |
14 | java/org/apache/catalina/realm/JNDIRealm.java | 137 +++++++++++++++++++-- | |
14 | java/org/apache/catalina/realm/JNDIRealm.java | 143 +++++++++++++++++++-- | |
15 | 15 | .../realm/TestJNDIRealmAttributeValueEscape.java | 86 +++++++++++++ |
16 | 2 files changed, 213 insertions(+), 10 deletions(-) | |
16 | 2 files changed, 219 insertions(+), 10 deletions(-) | |
17 | 17 | create mode 100644 test/org/apache/catalina/realm/TestJNDIRealmAttributeValueEscape.java |
18 | 18 | |
19 | 19 | diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java |
20 | index 7e2d578..358d008 100644 | |
20 | index 7e2d578..2a03307 100644 | |
21 | 21 | --- a/java/org/apache/catalina/realm/JNDIRealm.java |
22 | 22 | +++ b/java/org/apache/catalina/realm/JNDIRealm.java |
23 | 23 | @@ -1633,8 +1633,11 @@ public class JNDIRealm extends RealmBase { |
113 | 113 | isRoleSearchAsUser()); |
114 | 114 | |
115 | 115 | try { |
116 | @@ -2823,10 +2842,36 @@ public class JNDIRealm extends RealmBase { | |
116 | @@ -2823,10 +2842,39 @@ public class JNDIRealm extends RealmBase { | |
117 | 117 | * ) -> \29 |
118 | 118 | * \ -> \5c |
119 | 119 | * \0 -> \00 |
147 | 147 | + * @return String the escaped/encoded result |
148 | 148 | + */ |
149 | 149 | + protected String doFilterEscaping(String inString) { |
150 | + if (inString == null) { | |
151 | + return null; | |
152 | + } | |
150 | 153 | StringBuilder buf = new StringBuilder(inString.length()); |
151 | 154 | for (int i = 0; i < inString.length(); i++) { |
152 | 155 | char c = inString.charAt(i); |
153 | @@ -2916,6 +2961,78 @@ public class JNDIRealm extends RealmBase { | |
156 | @@ -2916,6 +2964,81 @@ public class JNDIRealm extends RealmBase { | |
154 | 157 | } |
155 | 158 | |
156 | 159 | |
162 | 165 | + * @return The string representation of the attribute value |
163 | 166 | + */ |
164 | 167 | + protected String doAttributeValueEscaping(String input) { |
168 | + if (input == null) { | |
169 | + return null; | |
170 | + } | |
165 | 171 | + int len = input.length(); |
166 | 172 | + StringBuilder result = new StringBuilder(); |
167 | 173 | + |
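Review bot: The new `if (inString == null) return null;` and `if (input == null) return null;` guards in `doFilterEscaping` and `doAttributeValueEscaping` make `null` a possible return value, but the `@return` lines just above both methods still promise a string. I would extend them, e.g. `@return String the escaped/encoded result, or {@code null} if the input was {@code null}`, and likewise for the attribute-value variant. The diffstat leaves `TestJNDIRealmAttributeValueEscape.java` at 86 lines, so nothing in this patch pins the null path. A case asserting that `doAttributeValueEscaping(null)` (and `doFilterEscaping(null)`) returns `null` would guard against the NPE coming back. Both method bodies and their callers lie outside the visible hunks, so whether every caller tolerates a `null` result, presumably the unset `userRoleAttribute` path, should be confirmed there.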