You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by tr...@apache.org on 2010/05/13 21:31:48 UTC
svn commit: r134 -
/release/httpd/patches/apply_to_2.0.63/CVE-2009-3095-patch-2.0.txt
Author: trawick
Date: Thu May 13 19:31:46 2010
New Revision: 134
Log:
mod_proxy_ftp patch for CVE-2009-3095, following httpd/2.0.x commit
in r943980
Added:
release/httpd/patches/apply_to_2.0.63/CVE-2009-3095-patch-2.0.txt
Added: release/httpd/patches/apply_to_2.0.63/CVE-2009-3095-patch-2.0.txt
==============================================================================
--- release/httpd/patches/apply_to_2.0.63/CVE-2009-3095-patch-2.0.txt (added)
+++ release/httpd/patches/apply_to_2.0.63/CVE-2009-3095-patch-2.0.txt Thu May 13 19:31:46 2010
@@ -0,0 +1,24 @@
+# SECURITY: CVE-2009-3095 (cve.mitre.org)
+# mod_proxy_ftp: sanity check authn credentials.
+# [Stefan Fritsch <sf fritsch.de>, Joe Orton]
+# Reviewed by: pgollucci, poirier, rjung, trawick
+# Backports: r814045 from trunk
+#
+# /httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c
+#
+Index: modules/proxy/proxy_ftp.c
+===================================================================
+--- modules/proxy/proxy_ftp.c (revision 943979)
++++ modules/proxy/proxy_ftp.c (revision 943980)
+@@ -890,6 +890,11 @@
+ if ((password = apr_table_get(r->headers_in, "Authorization")) != NULL
+ && strcasecmp(ap_getword(r->pool, &password, ' '), "Basic") == 0
+ && (password = ap_pbase64decode(r->pool, password))[0] != ':') {
++ /* Check the decoded string for special characters. */
++ if (!ftp_check_string(password)) {
++ return ap_proxyerror(r, HTTP_BAD_REQUEST,
++ "user credentials contained invalid character");
++ }
+ /*
+ * Note that this allocation has to be made from r->connection->pool
+ * because it has the lifetime of the connection. The other