Origin: https://svn.apache.org/viewvc?view=revision&revision=1905586
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056755
Forwarded: not-needed
--
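--- a/java/engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java
+++ b/java/engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java
@@ -191,6 +191,54 @@
 
 
 /**
+ * Given an LDAP search string, returns the string with certain characters
+ * escaped according to RFC 2254 guidelines. Cribbed from org.apache.catalina.realm.JNDIRealm.
+ *
+ * The character mapping is as follows:
+ * char -> Replacement
+ * ---------------------------
+ * * -> \2a
+ * ( -> \28
+ * ) -> \29
+ * \ -> \5c
+ * \0 -> \00
+ *
+ * @param inString string to escape according to RFC 2254 guidelines
+ *
+ * @return String the escaped/encoded result
+ */
+ protected String doFilterEscaping(String inString) {
+ if (inString == null) {
+ return null;
+ }
+ StringBuilder buf = new StringBuilder(inString.length());
+ for (int i = 0; i < inString.length(); i++) {
+ char c = inString.charAt(i);
+ switch (c) {
+ case '\\':
+ buf.append("\\5c");
+ break;
+ case '*':
+ buf.append("\\2a");
+ break;
+ case '(':
+ buf.append("\\28");
+ break;
+ case ')':
+ buf.append("\\29");
+ break;
+ case '\0':
+ buf.append("\\00");
+ break;
+ default:
+ buf.append(c);
+ break;
+ }
+ }
+ return buf.toString();
+ }
+
+ /**
 * Call new InitialDirContext in a privilege block
 * @param env environment used to create the initial DirContext. Null indicates an empty environment.
 * @return an initial DirContext using the supplied environment.
@@ -411,7 +459,10 @@
 private String getDNFromUID(String uid)
 throws javax.naming.NamingException
 {
- //
+ // Escape the uid as a defense against LDAP injection. See DERBY-7147.
+ uid = doFilterEscaping(uid);
+
+ //
 // We bind to the LDAP server here
 // Note that this bind might be anonymous (if anonymous searches
 // are allowed in the LDAP server, or authenticated if we were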
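Review bot: The second hunk rebinds the `uid` parameter to its filter-escaped form, so every later use of `uid` in getDNFromUID — whose body continues outside the hunk — now sees the escaped string, not only the search filter the escaping is meant for. The RFC 2254 mapping is correct for a filter assertion value, but it is not the encoding for a DN component (RFC 4514) and it is no longer the original value if the method later logs it or compares it against an attribute read back from the result; keeping the raw value and escaping only where the filter is built, `String filterUid = doFilterEscaping(uid);`, would make that explicit. It is worth confirming that nothing between this point and the search uses `uid` for anything other than the filter string. On the first hunk, the Javadoc could state the null contract the code implements, `Returns {@code null} when {@code inString} is null.`, and note that RFC 2254 has been obsoleted by RFC 4515, which keeps the same escaping rules.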
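--- /dev/null
+++ b/tools/release/notices/tomcat.txt
@@ -0,0 +1,72 @@
+Derby uses the org.apache.catalina.realm.JNDIRealm.doFilterEscaping()
+routine from the Apache Tomcat project. The following notice covers
+the Tomcat sources:
+
+Apache Tomcat
+Copyright 1999-2022 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (https://www.apache.org/).
+
+This software contains code derived from netty-native
+developed by the Netty project
+(https://netty.io, https://github.com/netty/netty-tcnative/)
+and from finagle-native developed at Twitter
+(https://github.com/twitter/finagle).
+
+This software contains code derived from jgroups-kubernetes
+developed by the JGroups project (http://www.jgroups.org/).
+
+The Windows Installer is built with the Nullsoft
+Scriptable Install System (NSIS), which is
+open source software. The original software and
+related information is available at
+http://nsis.sourceforge.net.
+
+Java compilation software for JSP pages is provided by the Eclipse
+JDT Core Batch Compiler component, which is open source software.
+The original software and related information is available at
+https://www.eclipse.org/jdt/core/.
+
+org.apache.tomcat.util.json.JSONParser.jj is a public domain javacc grammar
+for JSON written by Robert Fischer.
+https://github.com/RobertFischer/json-parser
+
+For portions of the Tomcat JNI OpenSSL API and the OpenSSL JSSE integration
+The org.apache.tomcat.jni and the org.apache.tomcat.net.openssl packages
+are derivative work originating from the Netty project and the finagle-native
+project developed at Twitter
+* Copyright 2014 The Netty Project
+* Copyright 2014 Twitter
+
+For portions of the Tomcat cloud support
+The org.apache.catalina.tribes.membership.cloud package contains derivative
+work originating from the jgroups project.
+https://github.com/jgroups-extras/jgroups-kubernetes
+Copyright 2002-2018 Red Hat Inc.
+
+The original XML Schemas for Java EE Deployment Descriptors:
+ - javaee_5.xsd
+ - javaee_web_services_1_2.xsd
+ - javaee_web_services_client_1_2.xsd
+ - javaee_6.xsd
+ - javaee_web_services_1_3.xsd
+ - javaee_web_services_client_1_3.xsd
+ - jsp_2_2.xsd
+ - web-app_3_0.xsd
+ - web-common_3_0.xsd
+ - web-fragment_3_0.xsd
+ - javaee_7.xsd
+ - javaee_web_services_1_4.xsd
+ - javaee_web_services_client_1_4.xsd
+ - jsp_2_3.xsd
+ - web-app_3_1.xsd
+ - web-common_3_1.xsd
+ - web-fragment_3_1.xsd
+ - javaee_8.xsd
+ - web-app_4_0.xsd
+ - web-common_4_0.xsd
+ - web-fragment_4_0.xsd
+
+may be obtained from:
+http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/index.html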
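--- a/build.xml
+++ b/build.xml
@@ -2022,6 +2022,7 @@
 <antcall target="appendnotice"><param name="sourcefile" value="felix.txt"/></antcall>
 <antcall target="appendnotice"><param name="sourcefile" value="lucene.txt"/></antcall>
 <antcall target="appendnotice"><param name="sourcefile" value="simpleJson.txt"/></antcall>
+ <antcall target="appendnotice"><param name="sourcefile" value="tomcat.txt"/></antcall>
 
 <antcall target="checkinfile">
 <param name="checkinComment" value="Check in NOTICE as part of building a release."/>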