| Summary: | Fix Basic auth handling for passwords | | |
|---|---|---|---|
| Product: | [Retired] Dogtag Certificate System | Reporter: | Andrew Wnuk <awnuk> |
| Component: | Console | Assignee: | Dmitri Pal <dpal> |
| Status: | CLOSED EOL | QA Contact: | Ben Levenson <benl> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 9.0 | CC: | alee, dennis, dpal, gsterlin, nkinder, roysjosh |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-03-27 19:07:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 530474 | | |
Subject: [Pki-devel] [PATCH] Fix Basic auth handling for passwords containing a colon
Date: Wed, 2 Nov 2011 12:49:58 -0400
From: Joshua Roys <Joshua.Roys.edu>
To: <pki-devel>

Hello,

Attached is a patch to fix the parsing of HTTP Basic auth.

Thanks,
Joshua Roys

0001-Fix-Basic-auth-handling-for-passwords-containing-a-c.patch

From 3daebdc2f066b340cf77bd613856ebceabc5dcab Mon Sep 17 00:00:00 2001
From: Joshua Roys <Joshua.Roys.edu>
Date: Wed, 2 Nov 2011 11:53:01 -0400
Subject: [PATCH] Fix Basic auth handling for passwords containing a colon

According to rfc2617 section 2, the userid is any TEXT excluding ":" and the value sent in the "Authorization: Basic" header is the base64-encoded concatenation of userid, ":", password. Looking for the first colon allows the password to contain colon characters. However, AdminServlet searched for the last colon.

pki-console talks to UsrGrpAdminServlet which extends AdminServlet. This means that you could lock yourself out of the console if you changed your password to one containing a colon. Also, the prefix of your password up to the last colon would show up in the CA logs.

Signed-off-by: Joshua Roys <Joshua.Roys.edu>
---
 .../netscape/cms/servlet/admin/AdminServlet.java | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/base/common/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/common/src/com/netscape/cms/servlet/admin/AdminServlet.java
index f7f9ce1..4ba3739 100644
--- a/base/common/src/com/netscape/cms/servlet/admin/AdminServlet.java
+++ b/base/common/src/com/netscape/cms/servlet/admin/AdminServlet.java
@@ -351,9 +351,9 @@ public class AdminServlet extends HttpServlet { authToken.lastIndexOf(' ') + 1); String authCode = new String(com.netscape.osutil.OSUtil.AtoB(b64s)); String userid = authCode.substring(0, - authCode.lastIndexOf(':')); + authCode.indexOf(':')); String password = authCode.substring( - authCode.lastIndexOf(':') + 1); + authCode.indexOf(':') + 1); AuthCredentials cred = new AuthCredentials(); // save the "userid" of this certificate in case it -- 1.7.1 _______________________________________________ Pki-devel mailing list Pki-devel https://www.redhat.com/mailman/listinfo/pki-devel
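Review bot: the hunk still has no guard for a decoded credential that contains no colon at all. `authCode.indexOf(':')` returns -1 in that case, so `authCode.substring(0, -1)` throws StringIndexOutOfBoundsException on a malformed Authorization header (the pre-patch `lastIndexOf` had the same gap, but this change is the place to close it). Compute the separator once, `int sep = authCode.indexOf(':');`, reject the request when `sep < 0`, and derive both `userid` and `password` from that single local; that also removes the duplicated `indexOf` call on the password line.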
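The split rule the commit message describes (RFC 2617 section 2: the userid cannot contain ":", so the first colon separates userid from password), as an added example that is not code from the patch or from Dogtag. The names `parse_basic_auth` and `make_basic_header` are chosen here, the `split_on_last` switch reproduces the pre-patch `lastIndexOf(':')` behaviour for comparison, and UTF-8 decoding is an assumption, since RFC 2617 does not fix a charset.

```python
import base64

# RFC 2617 section 2: credentials = base64(userid ":" password), and the
# userid may not contain ':', so the FIRST colon is the only safe separator.
def parse_basic_auth(header_value, split_on_last=False):
    """Return (userid, password) from an 'Authorization' header value.

    split_on_last=True reproduces the pre-patch AdminServlet behaviour
    (lastIndexOf(':')) so the two can be compared side by side.
    """
    scheme, _, b64s = header_value.strip().partition(' ')
    if scheme.lower() != 'basic' or not b64s.strip():
        raise ValueError('not a Basic credential')
    try:
        # UTF-8 is an assumption here; RFC 2617 does not fix the charset.
        auth_code = base64.b64decode(b64s.strip(), validate=True).decode('utf-8')
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError('malformed Basic credential') from exc
    sep = auth_code.rfind(':') if split_on_last else auth_code.find(':')
    if sep < 0:
        # Java's indexOf() returns -1 here and substring(0, -1) would throw;
        # reject the header explicitly instead of crashing the servlet.
        raise ValueError('Basic credential has no userid:password separator')
    return auth_code[:sep], auth_code[sep + 1:]


def make_basic_header(userid, password):
    """Build the header value a client would send (constructed test input)."""
    if ':' in userid:
        raise ValueError('userid must not contain ":" (RFC 2617 section 2)')
    raw = f'{userid}:{password}'.encode('utf-8')
    return 'Basic ' + base64.b64encode(raw).decode('ascii')


if __name__ == '__main__':
    # Constructed credentials: a password that itself contains colons.
    hdr = make_basic_header('admin', 's3cret:with:colons')
    print(parse_basic_auth(hdr))                      # ('admin', 's3cret:with:colons')
    # Pre-patch behaviour: the userid absorbs the password prefix, the login
    # fails, and 'admin:s3cret:with' is what would end up in the CA log.
    print(parse_basic_auth(hdr, split_on_last=True))  # ('admin:s3cret:with', 'colons')
```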