Accepting request 940058 from Java:packages

OBS-URL: https://build.opensuse.org/request/show/940058
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tomcat?expand=0&rev=79

tomcat-9.0-NPE-JNDIRealm.patch

@@ -0,0 +1,123 @@
+Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/realm/JNDIRealm.java
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/realm/JNDIRealm.java
++++ apache-tomcat-9.0.43-src/java/org/apache/catalina/realm/JNDIRealm.java
+@@ -2805,6 +2805,9 @@ public class JNDIRealm extends RealmBase
+      * @return String the escaped/encoded result
+      */
+     protected String doFilterEscaping(String inString) {
++        if (inString == null) {
++            return null;
++        }
+         StringBuilder buf = new StringBuilder(inString.length());
+         for (int i = 0; i < inString.length(); i++) {
+             char c = inString.charAt(i);
+@@ -2897,6 +2900,9 @@ public class JNDIRealm extends RealmBase
+      * @return      The string representation of the attribute value
+      */
+     protected String doAttributeValueEscaping(String input) {
++        if (input == null) {
++            return null;
++        }
+         int len = input.length();
+         StringBuilder result = new StringBuilder();
+ 
+Index: apache-tomcat-9.0.43-src/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
++++ apache-tomcat-9.0.43-src/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
+@@ -56,26 +56,33 @@ public class TestJNDIRealmIntegration {
+     @Parameterized.Parameters(name = "{index}: user[{5}], pwd[{6}]")
+     public static Collection<Object[]> parameters() {
+         List<Object[]> parameterSets = new ArrayList<>();
+-        for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B, ROLE_SEARCH_C }) {
+-            addUsers(USER_PATTERN, null, null, roleSearch, ROLE_BASE, parameterSets);
+-            addUsers(null, USER_SEARCH, USER_BASE, roleSearch, ROLE_BASE, parameterSets);
++        for (String userRoleAttribute : new String[] { "cn", null }) {
++            for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B, ROLE_SEARCH_C }) {
++                if (userRoleAttribute != null) {
++                    addUsers(USER_PATTERN, null, null, roleSearch, ROLE_BASE, userRoleAttribute, parameterSets);
++                    addUsers(null, USER_SEARCH, USER_BASE, roleSearch, ROLE_BASE, userRoleAttribute, parameterSets);
++                }
++            }
++            parameterSets.add(new Object[] { "cn={0},ou=s\\;ub,ou=people,dc=example,dc=com", null, null, ROLE_SEARCH_A,
++                    "{3},ou=people,dc=example,dc=com", "testsub", "test", new String[] { "TestGroup4" },
++                    userRoleAttribute });
+         }
+-        parameterSets.add(new Object[] { "cn={0},ou=s\\;ub,ou=people,dc=example,dc=com", null, null, ROLE_SEARCH_A,
+-                "{3},ou=people,dc=example,dc=com", "testsub", "test", new String[] {"TestGroup4"} });
+         return parameterSets;
+     }
+ 
+ 
+     private static void addUsers(String userPattern, String userSearch, String userBase, String roleSearch,
+-            String roleBase, List<Object[]> parameterSets) {
++            String roleBase, String userRoleAttribute, List<Object[]> parameterSets) {
+         parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase,
+-                "test", "test", new String[] {"TestGroup"} });
++                "test", "test", new String[] {"TestGroup"}, userRoleAttribute });
+         parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase,
+-                "t;", "test", new String[] {"TestGroup"} });
++                "t;", "test", new String[] {"TestGroup"}, userRoleAttribute });
+         parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase,
+-                "t*", "test", new String[] {"TestGroup"} });
++                "t*", "test", new String[] {"TestGroup"}, userRoleAttribute });
+         parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase,
+-                "t=", "test", new String[] {"Test<Group*2", "Test>Group*3"} });
++                "t=", "test", new String[] {"Test<Group*2", "Test>Group*3"}, userRoleAttribute });
++        parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase,
++                "norole", "test", new String[0], userRoleAttribute });
+     }
+ 
+ 
+@@ -95,6 +102,8 @@ public class TestJNDIRealmIntegration {
+     public String credentials;
+     @Parameter(7)
+     public String[] groups;
++    @Parameter(8)
++    public String realmConfigUserRoleAttribute;
+ 
+     @Test
+     public void testAuthenication() throws Exception {
+@@ -105,7 +114,7 @@ public class TestJNDIRealmIntegration {
+         realm.setUserPattern(realmConfigUserPattern);
+         realm.setUserSearch(realmConfigUserSearch);
+         realm.setUserBase(realmConfigUserBase);
+-        realm.setUserRoleAttribute("cn");
++        realm.setUserRoleAttribute(realmConfigUserRoleAttribute);
+         realm.setRoleName("cn");
+         realm.setRoleBase(realmConfigRoleBase);
+         realm.setRoleSearch(realmConfigRoleSearch);
+@@ -197,6 +206,17 @@ public class TestJNDIRealmIntegration {
+             result = conn.processOperation(addUserTestEquals);
+             Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode());
+ 
++            AddRequest addUserNoRole = new AddRequest(
++                    "dn: cn=norole,ou=people,dc=example,dc=com",
++                    "objectClass: top",
++                    "objectClass: person",
++                    "objectClass: organizationalPerson",
++                    "cn: norole",
++                    "sn: No Role",
++                    "userPassword: test");
++            result = conn.processOperation(addUserNoRole);
++            Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode());
++
+             AddRequest addGroupTest = new AddRequest(
+                     "dn: cn=TestGroup,ou=people,dc=example,dc=com",
+                     "objectClass: top",
+Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
++++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
+@@ -107,6 +107,10 @@
+   <subsection name="Catalina">
+     <changelog>
+       <fix>
++        <bug>63508</bug>: NPE in JNDIRealm when no <code>userRoleAttribute</code>
++        is given. (fschumacher)
++      </fix>
++      <fix>
+         <bug>65106</bug>: Fix the ConfigFileLoader handling of file URIs when
+         running under a security manager on some JREs. (markt)
+       </fix>

tomcat.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Dec 10 11:20:54 UTC 2021 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Fix NPE in JNDIRealm, when userRoleAttribute is not set (bsc#1193569)
+- Added patch:
+  * tomcat-9.0-NPE-JNDIRealm.patch
+
 -------------------------------------------------------------------
 Wed Nov 10 06:51:24 UTC 2021 - Fridrich Strba <fstrba@suse.com>
 

tomcat.spec

@@ -86,6 +86,7 @@ Patch6:         tomcat-9.0.31-secretRequired-default.patch
 Patch7:         tomcat-9.0-CVE-2021-41079.patch
 Patch8:         tomcat-9.0-CVE-2021-33037.patch
 Patch9:         tomcat-9.0-CVE-2021-30640.patch
+Patch10:        tomcat-9.0-NPE-JNDIRealm.patch
 
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@@ -263,6 +264,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
 
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl