CVE-2011-1088

Complete the fix for this issue. The optimisation not to configure an authenticator of there were no security constraints meant that in that case @ServletSecurity annotations had no effect. The unit tests did not pick this up since they added an authenticator directly. Add an explicit unit test for this scenario. git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1079752 13f79535-47bb-0310-9956-ffa450edef68
apache · Mar 9, 2011 · 02780bb · 02780bb
1 parent f103a7f
commit 02780bb
Show file tree

Hide file tree

Showing 4 changed files with 75 additions and 8 deletions.
diff --git a/java/org/apache/catalina/startup/ContextConfig.java b/java/org/apache/catalina/startup/ContextConfig.java
@@ -366,10 +366,7 @@ protected void applicationAnnotationsConfig() {
      */
     protected synchronized void authenticatorConfig() {
 
-        // Does this Context require an Authenticator?
-        SecurityConstraint constraints[] = context.findConstraints();
-        if ((constraints == null) || (constraints.length == 0))
-            return;
+        // Always need an authenticator to support @ServletSecurity annotations
         LoginConfig loginConfig = context.getLoginConfig();
         if (loginConfig == null) {
             loginConfig = DUMMY_LOGIN_CONFIG;

diff --git a/test/org/apache/catalina/core/TestStandardWrapper.java b/test/org/apache/catalina/core/TestStandardWrapper.java
@@ -125,6 +125,24 @@ public void testSecurityAnnotationsAddServlet2() throws Exception {
         doTestSecurityAnnotationsAddServlet(true);
     }
 
+    public void testSecurityAnnotationsNoWebXmlConstraints() throws Exception {
+        // Setup Tomcat instance
+        Tomcat tomcat = getTomcatInstance();
+
+        File appDir = new File("test/webapp-3.0-servletsecurity");
+        tomcat.addWebapp(null, "", appDir.getAbsolutePath());
+
+        tomcat.start();
+
+        ByteChunk bc = new ByteChunk();
+        int rc;
+        rc = getUrl("http://localhost:" + getPort() + "/",
+                bc, null, null);
+
+        assertNull(bc.toString());
+        assertEquals(403, rc);
+    }
+
     private void doTestSecurityAnnotationsAddServlet(boolean useCreateServlet)
             throws Exception {
 

diff --git a/test/webapp-3.0-servletsecurity/WEB-INF/web.xml b/test/webapp-3.0-servletsecurity/WEB-INF/web.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
+                      http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+  version="3.0">  
+
+  <!--
+    WARNING:
+    For the unit tests to work correctly, no security constraints may be
+    configured in the web.xml. A login-config section is permitted but not
+    necessary for the tests. Adding a login-config would require changing the
+    return code checked in the unit tests.
+  -->
+
+  <display-name>Tomcat Test Application</display-name>
+  <description>
+     Used as part of the Tomcat unit tests when a full web application is
+     required.
+  </description>
+
+  <servlet>
+    <servlet-name>RoleProtected</servlet-name>
+    <servlet-class>org.apache.catalina.core.TestStandardWrapper$RoleAllowServlet</servlet-class>
+  </servlet>
+
+  <servlet-mapping>
+    <servlet-name>RoleProtected</servlet-name>
+    <url-pattern>/</url-pattern>
+  </servlet-mapping>
+
+</web-app>
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -45,6 +45,10 @@
 <section name="Tomcat 7.0.11 (markt)">
   <subsection name="Catalina">
     <changelog>
+      <fix>
+        CVE-2011-1088: Completed fix. Don&apos;t ignore @ServletSecurity
+        annotations. (markt)
+      </fix>
       <add>
         <bug>25060</bug>: Close Apache Commons DBCP datasources when the
         associated JNDI naming context is stopped (e.g. for a non-global
@@ -87,6 +91,10 @@
 <section name="Tomcat 7.0.10 (markt)"  rtext="released 2011-03-08">
   <subsection name="Catalina">
     <changelog>
+      <fix>
+        CVE-2011-1088: Partial fix. Don&apos;t ignore @ServletSecurity
+        annotations. (markt)
+      </fix>
       <fix>
         <bug>27988</bug>: Improve reporting of missing files. (markt)
       </fix>
@@ -103,10 +111,6 @@
         Improve shut down speed by not renewing threads during shut down when
         the <code>ThreadLocalLeakPreventionListener</code> is enabled. (markt)  
       </fix>
-      <fix>
-        CVE-2011-1088: Partial fix. Don&apos;t ignore @ServletSecurity
-        annotations. (markt)
-      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">