
Contents of /updates/1/tomcat6/current/SOURCES/tomcat6-CVE-2012-3546.diff



Revision 391710 - (show annotations) (download)
Wed Jan 23 18:55:43 2013 UTC (11 years, 2 months ago) by luigiwalser
File size: 2073 byte(s)
- add upstream patches to fix:
  - CVE-2012-2733
  - CVE-2012-588[5-7] (was CVE-2012-3439)
  - CVE-2012-3546
  - CVE-2012-4431
  - CVE-2012-4534

2 http://svn.apache.org/viewvc?view=revision&revision=1381035
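--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -45,7 +45,6 @@ import org.apache.catalina.Realm;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 import org.apache.catalina.core.ContainerBase;
-import org.apache.catalina.deploy.LoginConfig;
 import org.apache.catalina.deploy.SecurityConstraint;
 import org.apache.catalina.deploy.SecurityCollection;
 import org.apache.catalina.util.HexUtils;
@@ -734,31 +733,6 @@ public abstract class RealmBase
 if (constraints == null || constraints.length == 0)
 return (true);
 
- // Specifically allow access to the form login and form error pages
- // and the "j_security_check" action
- LoginConfig config = context.getLoginConfig();
- if ((config != null) &&
- (Constants.FORM_METHOD.equals(config.getAuthMethod()))) {
- String requestURI = request.getRequestPathMB().toString();
- String loginPage = config.getLoginPage();
- if (loginPage.equals(requestURI)) {
- if (log.isDebugEnabled())
- log.debug(" Allow access to login page " + loginPage);
- return (true);
- }
- String errorPage = config.getErrorPage();
- if (errorPage.equals(requestURI)) {
- if (log.isDebugEnabled())
- log.debug(" Allow access to error page " + errorPage);
- return (true);
- }
- if (requestURI.endsWith(Constants.FORM_ACTION)) {
- if (log.isDebugEnabled())
- log.debug(" Allow access to username/password submission");
- return (true);
- }
- }
-
 // Which user principal have we already authenticated?
 Principal principal = request.getPrincipal();
 boolean status = false;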
