Bug 1150024 - HeaderParser fails to handle delimiters in DigestAuthenticator
Summary: HeaderParser fails to handle delimiters in DigestAuthenticator
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management, Security
Version: 6.3.1
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: DR11
: EAP 6.4.0
Assignee: Darran Lofthouse
QA Contact: Pavel Slavicek
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-10-07 09:35 UTC by Josef Cacek
Modified: 2019-08-19 12:43 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previous versions of JBoss EAP 6 carried a bug in the Digest authenticator which caused it to not correctly handle escaped delimiters within values contained in the authentication header. Additionally, the add-user utility was not correctly escaping usernames that contained the 'backslash' character (\). As a result, valid authentication requests were being incorrectly rejected. In this release, the parsing of the headers has been re-worked within the Digest authentication mechanism and the add-user utility now correctly escapes the 'backslash' character in usernames allowing authentication to occur as expected.
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:




Links
System ID: Red Hat Issue Tracker WFLY-3969 | Private: 0 | Priority: Critical | Status: Resolved | Summary: HeaderTokenParser doesn't parse correctly values which includes a quote | Last Updated: 2015-10-07 06:31:29 UTC

Description Josef Cacek 2014-10-07 09:35:36 UTC
The method org.jboss.as.domain.http.server.security.DigestAuthenticator.HeaderParser.next() doesn't move the position pointer (the pos member variable) correctly when the parsed value contains the delimiter character (comma).

Reproducer (doesn't use the add-user utility because of bug 1150020):

1) add a new user to mgmt-users.properties
echo 'uid\=jduke,ou\=Users,dc\=jboss,dc\=org=theduke' >> standalone/configuration/mgmt-users.properties

2) allow plain passwords & reload server
./jboss-cli.sh -c <<EOT
/core-service=management/security-realm=ManagementRealm/authentication=properties:write-attribute(name=plain-text,value=true)
reload
EOT

3) try to authenticate to the HTTP management interface, e.g.
http://127.0.0.1:9990/management?operation=attribute&name=server-state
and use the following credentials:
Username: uid=jduke,ou=Users,dc=jboss,dc=org
Password: theduke

Browser reports connection reset.

Comment 1 Darran Lofthouse 2014-10-07 10:38:58 UTC
I am setting to assigned so that I can investigate further - however I do not agree that in any way this can be considered a blocker.

If there was a critical need for usernames in this form we would have heard about it already.

Comment 2 Josef Cacek 2014-10-07 10:57:33 UTC
This could help:

diff --git a/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/DigestAuthenticator.java b/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/DigestAuthent
index 30551fb..6c8b30b 100644
--- a/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/DigestAuthenticator.java
+++ b/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/DigestAuthenticator.java
@@ -387,7 +387,7 @@ public class DigestAuthenticator extends Authenticator {
                 response.value = message.substring(pos + 1, endQuote);
 
                 // Move pos after DELIMITER.
-                int nextDelimeter = message.indexOf(DELIMITER, pos);
+                int nextDelimeter = message.indexOf(DELIMITER, endQuote);
                 if (nextDelimeter > 0) {
                     pos = nextDelimeter + 1;
                 }
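
Review bot: the `if (nextDelimeter > 0)` guard at the end of this hunk leaves `pos` unchanged when the quoted value is the last parameter in the header and no delimiter follows it, so the parser is still pointing inside the value it just consumed; advance `pos` past `endQuote` unconditionally and only then search for the next delimiter, e.g. `pos = endQuote + 1;` followed by the `indexOf(DELIMITER, pos)` lookup, falling back to `message.length()` when nothing is found. Searching from `endQuote` rather than `pos` does fix the comma-inside-value case from the description, but it does not change how `endQuote` itself is located, so the escaped-backslash-before-closing-quote case raised in comment 9 needs a separate change in the quoted-string scan.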

Comment 9 Josef Cacek 2014-10-13 07:56:06 UTC
The fix is not sufficient. There is another problem with a backslash (\) as the last character in the value. The parser then takes it as an escape character for the ending quote. That's wrong, because the backslash itself is escaped in the value - "\\".

Use the steps from comment 0 to reproduce, just add a new user to mgmt-users.properties:

ab\\=anil

And authenticate with "ab\", "anil" credentials.
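
The two failure modes reported above (a comma inside a quoted username in the description, and a username ending in an escaped backslash in comment 9) both come down to how the quoted-string scanner treats backslash quoted-pairs and where the delimiter search resumes. The following is an added Python example, not the project's Java HeaderParser, showing a parser that handles both cases plus the matching quoting routine a client (or the add-user tool) must apply. The sample headers, nonce and response hex strings are constructed for the example.

```python
"""Digest Authorization header parser that survives delimiters inside values.

Added example (Python, not JBoss EAP's Java HeaderParser). Handles a comma
inside a quoted value and a value whose last character is an escaped
backslash (the quoted-pair "\\\\").
"""
from typing import Dict, Tuple

# Constructed sample headers; nonce/response hex values are made up.
SAMPLE_LDAP_DN = (
    'Digest username="uid=jduke,ou=Users,dc=jboss,dc=org", realm="ManagementRealm", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/management", '
    'response="6629fae49393a05397450978507c4ef1", qop=auth, nc=00000001, cnonce="0a4f113b"'
)
# Username is the three characters a, b, backslash; on the wire the backslash is sent as \\
SAMPLE_TRAILING_BACKSLASH = (
    'Digest username="ab\\\\", realm="ManagementRealm", nonce="n1", '
    'uri="/management", response="r1"'
)


def _read_quoted(s: str, pos: int) -> Tuple[str, int]:
    """Read a quoted-string starting at s[pos] == '"'.

    A backslash always consumes the following character (a quoted-pair), so
    "\\\\" yields one literal backslash and the quote after it still terminates
    the string. Returns (unescaped value, index just past the closing quote).
    """
    out = []
    i = pos + 1
    while i < len(s):
        c = s[i]
        if c == "\\":
            if i + 1 >= len(s):
                raise ValueError("dangling backslash in quoted-string")
            out.append(s[i + 1])
            i += 2
        elif c == '"':
            return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated quoted-string")


def parse_digest_header(header: str) -> Dict[str, str]:
    """Parse 'Digest k=v, k2="v2", ...' into a dict keyed by lower-cased name."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    params: Dict[str, str] = {}
    pos, n = 0, len(rest)
    while pos < n:
        # Skip separators between parameters.
        while pos < n and rest[pos] in " \t,":
            pos += 1
        if pos >= n:
            break
        eq = rest.find("=", pos)
        if eq < 0:
            raise ValueError("parameter without '='")
        key = rest[pos:eq].strip().lower()
        pos = eq + 1
        while pos < n and rest[pos] in " \t":
            pos += 1
        if pos < n and rest[pos] == '"':
            # The delimiter search resumes AFTER the closing quote, never from
            # inside the value, so commas in the value are preserved.
            value, pos = _read_quoted(rest, pos)
        else:
            end = rest.find(",", pos)
            end = n if end < 0 else end  # last token: no trailing delimiter
            value, pos = rest[pos:end].strip(), end
        if key in params:
            raise ValueError(f"duplicate parameter {key!r}")
        params[key] = value
    return params


def quote_value(value: str) -> str:
    """Encode a value as a quoted-string, escaping backslash first, then quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def is_well_formed(header: str) -> bool:
    """True if the header parses; a malformed header should get a 401, not a reset."""
    try:
        parse_digest_header(header)
        return True
    except ValueError:
        return False
```

The important design choice is that `_read_quoted` never looks for the closing quote by a plain `indexOf('"')` and then backs up to check for an escape; it walks the string once and lets every backslash consume exactly one following character, which is what makes `"ab\\"` terminate correctly.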

Comment 11 JBoss JIRA Server 2014-11-04 02:40:34 UTC
Stuart Douglas <stuart.w.douglas> updated the status of jira WFLY-3969 to Resolved

Comment 13 Jason T. Greene 2014-11-19 17:23:43 UTC
It's not a blocker.

