tomcat/CVE-2021-30640-4.patch

From 954eb10e9957055f60ee1e427baabfa32fc3d78b Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Tue, 13 Apr 2021 12:11:35 +0100
Subject: [PATCH] Expand tests and fix an issue in escaping for group search

---
 java/org/apache/catalina/realm/JNDIRealm.java | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java
index dcec473..1021ce8 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -1918,6 +1918,8 @@ System.out.println("userRoleName " + userRoleName + " " + attrs.get(userRoleName
         // This is returned from the directory so will be attribute value
         // escaped if required
         String dn = user.getDN();
+	// This is the name the user provided to the authentication process so
+	// it will not be escaped
         String username = user.getUserName();
         String userRoleId = user.getUserRoleId();
 
@@ -1946,7 +1948,10 @@ System.out.println("userRoleName " + userRoleName + " " + attrs.get(userRoleName
             return list;
 
         // Set up parameters for an appropriate search
-        String filter = connection.roleFormat.format(new String[] { doFilterEscaping(dn), username, userRoleId });
+        String filter = connection.roleFormat.format(new String[] {
+                doFilterEscaping(dn),
+                doFilterEscaping(doAttributeValueEscaping(username)),
+                userRoleId });
         SearchControls controls = new SearchControls();
         if (roleSubtree)
             controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
-- 
2.23.0