tomcat/CVE-2019-17563.patch

From fabfa49abf917e126dbcf299fed40a1ab96d6f7a Mon Sep 17 00:00:00 2001
From: wang_yue111 <wangyue92@huawei.com>
Date: Fri, 15 May 2020 17:17:57 +0800
Subject: [PATCH] 2

---
 .../authenticator/AuthenticatorBase.java      |  7 ++--
 .../catalina/authenticator/Constants.java     |  3 ++
 .../authenticator/FormAuthenticator.java      | 36 +++++--------------
 3 files changed, 16 insertions(+), 30 deletions(-)

diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index 880ebde..47d562b 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -1021,10 +1021,11 @@ public abstract class AuthenticatorBase extends ValveBase
         }
 
         // Cache the authentication information in our session, if any
-        if (cache) {
-            if (session != null) {
+        if (session != null) {
+            if (cache) {
                 session.setAuthType(authType);
                 session.setPrincipal(principal);
+            } else {
                 if (username != null) {
                     session.setNote(Constants.SESS_USERNAME_NOTE, username);
                 } else {
diff --git a/java/org/apache/catalina/authenticator/Constants.java b/java/org/apache/catalina/authenticator/Constants.java
index 452a4f0..c9580d6 100644
--- a/java/org/apache/catalina/authenticator/Constants.java
+++ b/java/org/apache/catalina/authenticator/Constants.java
@@ -93,7 +93,10 @@ public class Constants {
 
     /**
      * The previously authenticated principal (if caching is disabled).
+     *
+     * @deprecated Unused. Will be removed in Tomcat 10.
      */
+    @Deprecated
     public static final String FORM_PRINCIPAL_NOTE =
         "org.apache.catalina.authenticator.PRINCIPAL";
 
diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index 1b54ddd..44c783e 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -133,10 +133,6 @@ public class FormAuthenticator
     protected boolean doAuthenticate(Request request, HttpServletResponse response)
             throws IOException {
 
-        if (checkForCachedAuthentication(request, response, true)) {
-            return true;
-        }
-
         // References to objects we will need later
         Session session = null;
         Principal principal = null;
@@ -158,11 +154,8 @@ public class FormAuthenticator
                 principal =
                     context.getRealm().authenticate(username, password);
                 if (principal != null) {
-                    session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);
+		    register(request, response, principal, HttpServletRequest.FORM_AUTH, username, password);
                     if (!matchRequest(request)) {
-                        register(request, response, principal,
-                                HttpServletRequest.FORM_AUTH,
-                                username, password);
                         return true;
                     }
                 }
@@ -181,17 +174,6 @@ public class FormAuthenticator
                           + session.getIdInternal()
                           + "'");
             }
-            principal = (Principal)
-                session.getNote(Constants.FORM_PRINCIPAL_NOTE);
-            register(request, response, principal, HttpServletRequest.FORM_AUTH,
-                     (String) session.getNote(Constants.SESS_USERNAME_NOTE),
-                     (String) session.getNote(Constants.SESS_PASSWORD_NOTE));
-            // If we're caching principals we no longer need the username
-            // and password in the session, so remove them
-            if (cache) {
-                session.removeNote(Constants.SESS_USERNAME_NOTE);
-                session.removeNote(Constants.SESS_PASSWORD_NOTE);
-            }
             if (restoreRequest(request, session)) {
                 if (log.isDebugEnabled()) {
                     log.debug("Proceed to restored request");
@@ -206,6 +188,12 @@ public class FormAuthenticator
             }
         }
 
+        // This check has to be after the previous check for a matching request
+        // because that matching request may also include a cached Principal.
+        if (checkForCachedAuthentication(request, response, true)) {
+            return true;
+        }
+
         // Acquire references to objects we will need to evaluate
         String contextPath = request.getContextPath();
         String requestURI = request.getDecodedRequestURI();
@@ -297,12 +285,7 @@ public class FormAuthenticator
             return false;
         }
 
-        // Save the authenticated Principal in our session
-        session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);
-
-        // Save the username and password as well
-        session.setNote(Constants.SESS_USERNAME_NOTE, username);
-        session.setNote(Constants.SESS_PASSWORD_NOTE, password);
+        register(request, response, principal, HttpServletRequest.FORM_AUTH, username, password);
 
         // Redirect the user to the original request URI (which will cause
         // the original request to be restored)
@@ -510,7 +493,7 @@ public class FormAuthenticator
         }
 
         // Is there a saved principal?
-        if (session.getNote(Constants.FORM_PRINCIPAL_NOTE) == null) {
+        if (cache && session.getPrincipal() == null || !cache && request.getPrincipal() == null) {
             return false;
         }
 
@@ -541,7 +524,6 @@ public class FormAuthenticator
         SavedRequest saved = (SavedRequest)
             session.getNote(Constants.FORM_REQUEST_NOTE);
         session.removeNote(Constants.FORM_REQUEST_NOTE);
-        session.removeNote(Constants.FORM_PRINCIPAL_NOTE);
         if (saved == null) {
             return false;
         }
-- 
2.23.0
fix cves 2020-05-19 15:36:49 +08:00			`From fabfa49abf917e126dbcf299fed40a1ab96d6f7a Mon Sep 17 00:00:00 2001`
			`From: wang_yue111 <wangyue92@huawei.com>`
			`Date: Fri, 15 May 2020 17:17:57 +0800`
			`Subject: [PATCH] 2`

			`---`
			`.../authenticator/AuthenticatorBase.java \| 7 ++--`
			`.../catalina/authenticator/Constants.java \| 3 ++`
			`.../authenticator/FormAuthenticator.java \| 36 +++++--------------`
			`3 files changed, 16 insertions(+), 30 deletions(-)`

			`diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java`
			`index 880ebde..47d562b 100644`
			`--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java`
			`+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java`
			`@@ -1021,10 +1021,11 @@ public abstract class AuthenticatorBase extends ValveBase`
			`}`

			`// Cache the authentication information in our session, if any`
			`- if (cache) {`
			`- if (session != null) {`
			`+ if (session != null) {`
			`+ if (cache) {`
			`session.setAuthType(authType);`
			`session.setPrincipal(principal);`
			`+ } else {`
			`if (username != null) {`
			`session.setNote(Constants.SESS_USERNAME_NOTE, username);`
			`} else {`
			`diff --git a/java/org/apache/catalina/authenticator/Constants.java b/java/org/apache/catalina/authenticator/Constants.java`
			`index 452a4f0..c9580d6 100644`
			`--- a/java/org/apache/catalina/authenticator/Constants.java`
			`+++ b/java/org/apache/catalina/authenticator/Constants.java`
			`@@ -93,7 +93,10 @@ public class Constants {`

			`/**`
			`* The previously authenticated principal (if caching is disabled).`
			`+ *`
			`+ * @deprecated Unused. Will be removed in Tomcat 10.`
			`*/`
			`+ @Deprecated`
			`public static final String FORM_PRINCIPAL_NOTE =`
			`"org.apache.catalina.authenticator.PRINCIPAL";`

			`diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java`
			`index 1b54ddd..44c783e 100644`
			`--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java`
			`+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java`
			`@@ -133,10 +133,6 @@ public class FormAuthenticator`
			`protected boolean doAuthenticate(Request request, HttpServletResponse response)`
			`throws IOException {`

			`- if (checkForCachedAuthentication(request, response, true)) {`
			`- return true;`
			`- }`
			`-`
			`// References to objects we will need later`
			`Session session = null;`
			`Principal principal = null;`
			`@@ -158,11 +154,8 @@ public class FormAuthenticator`
			`principal =`
			`context.getRealm().authenticate(username, password);`
			`if (principal != null) {`
			`- session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);`
			`+ register(request, response, principal, HttpServletRequest.FORM_AUTH, username, password);`
			`if (!matchRequest(request)) {`
			`- register(request, response, principal,`
			`- HttpServletRequest.FORM_AUTH,`
			`- username, password);`
			`return true;`
			`}`
			`}`
			`@@ -181,17 +174,6 @@ public class FormAuthenticator`
			`+ session.getIdInternal()`
			`+ "'");`
			`}`
			`- principal = (Principal)`
			`- session.getNote(Constants.FORM_PRINCIPAL_NOTE);`
			`- register(request, response, principal, HttpServletRequest.FORM_AUTH,`
			`- (String) session.getNote(Constants.SESS_USERNAME_NOTE),`
			`- (String) session.getNote(Constants.SESS_PASSWORD_NOTE));`
			`- // If we're caching principals we no longer need the username`
			`- // and password in the session, so remove them`
			`- if (cache) {`
			`- session.removeNote(Constants.SESS_USERNAME_NOTE);`
			`- session.removeNote(Constants.SESS_PASSWORD_NOTE);`
			`- }`
			`if (restoreRequest(request, session)) {`
			`if (log.isDebugEnabled()) {`
			`log.debug("Proceed to restored request");`
			`@@ -206,6 +188,12 @@ public class FormAuthenticator`
			`}`
			`}`

			`+ // This check has to be after the previous check for a matching request`
			`+ // because that matching request may also include a cached Principal.`
			`+ if (checkForCachedAuthentication(request, response, true)) {`
			`+ return true;`
			`+ }`
			`+`
			`// Acquire references to objects we will need to evaluate`
			`String contextPath = request.getContextPath();`
			`String requestURI = request.getDecodedRequestURI();`
			`@@ -297,12 +285,7 @@ public class FormAuthenticator`
			`return false;`
			`}`

			`- // Save the authenticated Principal in our session`
			`- session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);`
			`-`
			`- // Save the username and password as well`
			`- session.setNote(Constants.SESS_USERNAME_NOTE, username);`
			`- session.setNote(Constants.SESS_PASSWORD_NOTE, password);`
			`+ register(request, response, principal, HttpServletRequest.FORM_AUTH, username, password);`

			`// Redirect the user to the original request URI (which will cause`
			`// the original request to be restored)`
			`@@ -510,7 +493,7 @@ public class FormAuthenticator`
			`}`

			`// Is there a saved principal?`
			`- if (session.getNote(Constants.FORM_PRINCIPAL_NOTE) == null) {`
			`+ if (cache && session.getPrincipal() == null \|\| !cache && request.getPrincipal() == null) {`
			`return false;`
			`}`

			`@@ -541,7 +524,6 @@ public class FormAuthenticator`
			`SavedRequest saved = (SavedRequest)`
			`session.getNote(Constants.FORM_REQUEST_NOTE);`
			`session.removeNote(Constants.FORM_REQUEST_NOTE);`
			`- session.removeNote(Constants.FORM_PRINCIPAL_NOTE);`
			`if (saved == null) {`
			`return false;`
			`}`
			`--`
			`2.23.0`