From 3daebdc2f066b340cf77bd613856ebceabc5dcab Mon Sep 17 00:00:00 2001
From: Joshua Roys
Date: Wed, 2 Nov 2011 11:53:01 -0400
Subject: [PATCH] Fix Basic auth handling for passwords containing a colon

According to rfc2617 section 2, the userid is any TEXT excluding ":" and the value sent in the "Authorization: Basic" header is the base64-encoded concatenation of userid, ":", password. Looking for the first colon allows the password to contain colon characters. However, AdminServlet searched for the last colon. pki-console talks to UsrGrpAdminServlet which extends AdminServlet. This means that you could lock yourself out of the console if you changed your password to one containing a colon. Also, the prefix of your password up to the last colon would show up in the CA logs.

Signed-off-by: Joshua Roys
---
 .../netscape/cms/servlet/admin/AdminServlet.java | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/base/common/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/common/src/com/netscape/cms/servlet/admin/AdminServlet.java
index f7f9ce1..4ba3739 100644
--- a/base/common/src/com/netscape/cms/servlet/admin/AdminServlet.java
+++ b/base/common/src/com/netscape/cms/servlet/admin/AdminServlet.java
@@ -351,9 +351,9 @@ public class AdminServlet extends HttpServlet {
 authToken.lastIndexOf(' ') + 1);
 String authCode = new String(com.netscape.osutil.OSUtil.AtoB(b64s));
 String userid = authCode.substring(0,
- authCode.lastIndexOf(':'));
+ authCode.indexOf(':'));
 String password = authCode.substring(
- authCode.lastIndexOf(':') + 1);
+ authCode.indexOf(':') + 1);
 AuthCredentials cred = new AuthCredentials();
 // save the "userid" of this certificate in case it
-- 
1.7.1
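Review bot: `authCode.indexOf(':')` on the two added lines returns -1 when the decoded credential contains no colon at all, and `authCode.substring(0, -1)` then throws StringIndexOutOfBoundsException, so a malformed `Authorization: Basic` value escapes the handler as an unhandled exception instead of being treated as an authentication failure; the old `lastIndexOf` form had the same gap and this commit leaves it open. Scanning for the separator once and rejecting a negative index both closes that hole and removes the duplicated `indexOf` call. On the unchanged `String authCode = new String(...)` line the byte-to-String conversion names no charset, so a non-ASCII password is interpreted under the server's platform default; an explicit `StandardCharsets` value (UTF-8 if that is what the console sends — worth confirming against the client) makes the comparison deterministic across deployments. The enclosing method starts and ends outside the hunk, so the rejection branch below only marks where the existing unauthenticated handling should be invoked.
```java
String authCode = new String(com.netscape.osutil.OSUtil.AtoB(b64s));
int sep = authCode.indexOf(':');
if (sep < 0) {
    // Malformed credential (no userid:password separator): reject via the
    // method's existing failed-auth path rather than letting substring() throw.
}
String userid = authCode.substring(0, sep);
String password = authCode.substring(sep + 1);
// … unchanged: AuthCredentials construction …
```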