Bug 758518 - Fix Basic auth handling for passwords
Summary: Fix Basic auth handling for passwords
Keywords:
Status: CLOSED EOL
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: Console
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Dmitri Pal
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: 530474
Reported: 2011-11-29 23:46 UTC by Andrew Wnuk
Modified: 2020-03-27 19:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-27 19:07:21 UTC



Description Andrew Wnuk 2011-11-29 23:46:05 UTC

Subject: [Pki-devel] [PATCH] Fix Basic auth handling for passwords containing a colon
Date: Wed, 2 Nov 2011 12:49:58 -0400
From: Joshua Roys <Joshua.Roys.edu>
To: <pki-devel>


Hello,

Attached is a patch to fix the parsing of HTTP Basic auth.

Thanks,

Joshua Roys


0001-Fix-Basic-auth-handling-for-passwords-containing-a-c.patch

From 3daebdc2f066b340cf77bd613856ebceabc5dcab Mon Sep 17 00:00:00 2001
From: Joshua Roys <Joshua.Roys.edu>
Date: Wed, 2 Nov 2011 11:53:01 -0400
Subject: [PATCH] Fix Basic auth handling for passwords containing a colon

According to rfc2617 section 2, the userid is any TEXT excluding ":" and
the value sent in the "Authorization: Basic" header is the
base64-encoded concatenation of userid, ":", password.  Looking for the
first colon allows the password to contain colon characters.  However,
AdminServlet searched for the last colon.

pki-console talks to UsrGrpAdminServlet which extends AdminServlet.
This means that you could lock yourself out of the console if you
changed your password to one containing a colon.  Also, the prefix of
your password up to the last colon would show up in the CA logs.

Signed-off-by: Joshua Roys <Joshua.Roys.edu>
---
 .../netscape/cms/servlet/admin/AdminServlet.java   |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/base/common/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/common/src/com/netscape/cms/servlet/admin/AdminServlet.java
index f7f9ce1..4ba3739 100644
--- a/base/common/src/com/netscape/cms/servlet/admin/AdminServlet.java
+++ b/base/common/src/com/netscape/cms/servlet/admin/AdminServlet.java
@@ -351,9 +351,9 @@ public class AdminServlet extends HttpServlet {
                             authToken.lastIndexOf(' ') + 1);
                     String authCode = new String(com.netscape.osutil.OSUtil.AtoB(b64s));
                     String userid = authCode.substring(0,
-                            authCode.lastIndexOf(':'));
+                            authCode.indexOf(':'));
                     String password = authCode.substring(
-                            authCode.lastIndexOf(':') + 1);
+                            authCode.indexOf(':') + 1);
                     AuthCredentials cred = new AuthCredentials();
 
                     // save the "userid" of this certificate in case it
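Review bot: the new `authCode.indexOf(':')` is still unchecked, so a decoded credential with no colon at all yields `authCode.substring(0, -1)` and a StringIndexOutOfBoundsException out of the servlet instead of a clean authentication failure (the `lastIndexOf` form being removed had the same gap). Suggest computing the separator once and rejecting malformed input before either substring call, e.g. `int sep = authCode.indexOf(':');` followed by `if (sep < 0) { /* reject as bad Basic credentials */ }`, which also avoids scanning the string twice. The context line `new String(com.netscape.osutil.OSUtil.AtoB(b64s))` decodes the bytes with the JVM's platform default charset; pinning an explicit charset there would keep the userid lookup independent of the server's locale.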
-- 1.7.1



_______________________________________________
Pki-devel mailing list
Pki-devel
https://www.redhat.com/mailman/listinfo/pki-devel
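The first-colon rule from the commit message above, shown as an added example that is neither the project's code nor the patch author's; the class name, the `caadmin` sample credential and the ISO-8859-1 decoding charset are assumptions:

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example, not Dogtag or AdminServlet code. Decodes the credential part
// of an "Authorization: Basic <b64>" header value and contrasts the last-colon
// split the patch removes with the first-colon split RFC 2617 section 2 requires.
public class BasicAuthParse {

    /** Strips the "Basic " scheme and base64-decodes what follows. */
    static String decode(String headerValue) {
        String scheme = "Basic ";
        if (!headerValue.regionMatches(true, 0, scheme, 0, scheme.length())) {
            throw new IllegalArgumentException("not a Basic credential");
        }
        byte[] raw = Base64.getDecoder().decode(headerValue.substring(scheme.length()).trim());
        // Charset is an assumption (RFC 2617 leaves it open); pin one instead of the platform default.
        return new String(raw, StandardCharsets.ISO_8859_1);
    }

    /** Pre-patch behaviour: splits at the LAST colon. Returns {userid, password}. */
    public static String[] parseLastColon(String headerValue) {
        String authCode = decode(headerValue);
        int sep = authCode.lastIndexOf(':');
        return new String[] { authCode.substring(0, sep), authCode.substring(sep + 1) };
    }

    /** Fixed behaviour: userid cannot contain ':', so split at the FIRST colon and reject input with none. */
    public static String[] parseFirstColon(String headerValue) {
        String authCode = decode(headerValue);
        int sep = authCode.indexOf(':');
        if (sep < 0) {
            throw new IllegalArgumentException("malformed Basic credential: no ':' separator");
        }
        return new String[] { authCode.substring(0, sep), authCode.substring(sep + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample: user "caadmin" with a password that itself contains colons.
        String header = "Basic " + Base64.getEncoder().encodeToString(
                "caadmin:s3cret:with:colons".getBytes(StandardCharsets.ISO_8859_1));
        String[] bad = parseLastColon(header);   // userid swallows the password up to its last ':'
        String[] good = parseFirstColon(header); // userid and the whole password come back intact
        System.out.println("last-colon  userid=" + bad[0] + "  password length=" + bad[1].length());
        System.out.println("first-colon userid=" + good[0] + " password length=" + good[1].length());
    }
}
```

The mis-parsed userid printed by the last-colon variant is exactly the string that would have reached the CA logs as a failed login name, which is the leak the commit message describes.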

