Bug 1150024 - HeaderParser fails to handle delimiters in DigestAuthenticator
Status: VERIFIED
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management, Security
Version: 6.3.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: DR11
Target Release: EAP 6.4.0
Assigned To: Darran Lofthouse
QA Contact: Pavel Slavicek
Reported: 2014-10-07 05:35 EDT by Josef Cacek
Modified: 2018-06-07 17:32 EDT
Doc Type: Bug Fix
Doc Text:
Previous versions of JBoss EAP 6 carried a bug in the Digest authenticator which caused it to not correctly handle escaped delimiters within values contained in the authentication header. Additionally, the add-user utility was not correctly escaping usernames that contained the 'backslash' character (\). As a result, valid authentication requests were being incorrectly rejected. In this release, the parsing of the headers has been re-worked within the Digest authentication mechanism and the add-user utility now correctly escapes the 'backslash' character in usernames allowing authentication to occur as expected.
Type: Bug
External Trackers
Tracker: JBoss Issue Tracker
Tracker ID: WFLY-3969
Priority: Critical
Status: Resolved
Summary: HeaderTokenParser doesn't parse correctly values which includes a quote
Last Updated: 2015-10-07 02:31 EDT
Description Josef Cacek 2014-10-07 05:35:36 EDT
The method org.jboss.as.domain.http.server.security.DigestAuthenticator.HeaderParser.next() doesn't correctly move the position pointer (the pos member variable) when the parsed value contains a delimiter character (comma).

Reproducer (doesn't use the add-user utility because of bug 1150020):

1) add the new user to mgmt-users.properties
echo 'uid\=jduke,ou\=Users,dc\=jboss,dc\=org=theduke' >> standalone/configuration/mgmt-users.properties

2) allow plain passwords & reload server
./jboss-cli.sh -c <<EOT
/core-service=management/security-realm=ManagementRealm/authentication=properties:write-attribute(name=plain-text,value=true)
reload
EOT

3) try to authenticate to the HTTP management interface, e.g.
http://127.0.0.1:9990/management?operation=attribute&name=server-state
and use the following credentials:
Username: uid=jduke,ou=Users,dc=jboss,dc=org
Password: theduke

The browser reports a connection reset.
Comment 1 Darran Lofthouse 2014-10-07 06:38:58 EDT
I am setting to assigned so that I can investigate further - however I do not agree that in any way this can be considered a blocker.

If there was a critical need for usernames in this form we would have heard about it already.
Comment 2 Josef Cacek 2014-10-07 06:57:33 EDT
This could help:

diff --git a/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/DigestAuthenticator.java b/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/DigestAuthent
index 30551fb..6c8b30b 100644
--- a/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/DigestAuthenticator.java
+++ b/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/DigestAuthenticator.java
@@ -387,7 +387,7 @@ public class DigestAuthenticator extends Authenticator {
                 response.value = message.substring(pos + 1, endQuote);
 
                 // Move pos after DELIMITER.
-                int nextDelimeter = message.indexOf(DELIMITER, pos);
+                int nextDelimeter = message.indexOf(DELIMITER, endQuote);
                 if (nextDelimeter > 0) {
                     pos = nextDelimeter + 1;
                 }
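Review bot: searching from `endQuote` instead of `pos` in `int nextDelimeter = message.indexOf(DELIMITER, endQuote);` is the right start point, but `response.value = message.substring(pos + 1, endQuote);` still copies the quoted text raw, so any quoted-pair escapes inside the value (`\"`, `\\`) reach the caller unresolved; unescape the value here, and the code that locates `endQuote` (outside this hunk) needs the same care so that an escaped backslash immediately before the closing quote is not taken as escaping the quote. Minor: `nextDelimeter` is misspelled (`nextDelimiter`).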
Comment 9 Josef Cacek 2014-10-13 03:56:06 EDT
The fix is not sufficient. There is another problem with backslash (\) as the last character in the value. The parser then takes it as an escape character for the ending quote. It's wrong, because the backslash itself is escaped in the value - "\\".

Use steps from comment 0 to reproduce, just add a new user to mgmt-users.properties:

ab\\=anil

And authenticate with "ab\", "anil" credentials.
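To make both failures concrete (the comma inside the quoted username from the description, and the `\\` at the end of the value from comment 9), here is an added Python parser for the Digest header's parameter list; it is written for this page and is not code from JBoss EAP or WildFly, and `parse_digest_params` and the sample headers are constructed for illustration.

```python
# Added example (not the JBoss EAP code): parse the comma-separated
# name="value" pairs of a Digest Authorization header, resolving RFC 2617
# quoted-pair escapes so a comma inside quotes and a trailing "\\" work.
def parse_digest_params(header):
    """Parse 'Digest a="b", c=d, ...' into a dict, unescaping quoted values."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    s = header[len("Digest "):]
    params = {}
    pos, n = 0, len(s)
    while pos < n:
        while pos < n and s[pos] in " \t,":  # skip whitespace and delimiters
            pos += 1
        if pos >= n:
            break
        eq = s.find("=", pos)
        if eq < 0:
            raise ValueError("missing '=' in %r" % s[pos:])
        name = s[pos:eq].strip().lower()
        pos = eq + 1
        if pos < n and s[pos] == '"':
            # quoted-string: scan char by char so a comma inside the quotes
            # stays part of the value and backslash escapes are resolved
            pos += 1
            buf = []
            while True:
                if pos >= n:
                    raise ValueError("unterminated quoted value for %s" % name)
                ch = s[pos]
                if ch == "\\":  # quoted-pair: the next char is literal
                    if pos + 1 >= n:
                        raise ValueError("dangling backslash in %s" % name)
                    buf.append(s[pos + 1])
                    pos += 2
                    continue
                if ch == '"':  # first unescaped quote closes the value
                    pos += 1
                    break
                buf.append(ch)
                pos += 1
            value = "".join(buf)
        else:
            # token value (qop=auth, nc=00000001): ends at the next comma
            end = s.find(",", pos)
            end = n if end < 0 else end
            value = s[pos:end].strip()
            pos = end
        params[name] = value
    return params
```

With the header from the reproducer, `username` comes back as `uid=jduke,ou=Users,dc=jboss,dc=org` in one piece, and `username="ab\\"` yields `ab\` rather than swallowing the closing quote.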
Comment 11 JBoss JIRA Server 2014-11-03 21:40:34 EST
Stuart Douglas <stuart.w.douglas@gmail.com> updated the status of jira WFLY-3969 to Resolved
Comment 13 Jason T. Greene 2014-11-19 12:23:43 EST
It's not a blocker.
