Posted to cvs@httpd.apache.org by jo...@apache.org on 2004/05/25 14:09:01 UTC

cvs commit: httpd-2.0/modules/ssl ssl_engine_kernel.c

jorton      2004/05/25 05:09:01

  Modified:    modules/ssl ssl_engine_kernel.c
  Log:
  * modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Fix buffer
  overflow in FakeBasicAuth code if client's subject DN exceeds 6K in
  length (CVE CAN-2004-0488); switch to using apr-util base64 encoder
  functions.
  
  Revision  Changes    Path
  1.106     +8 -7      httpd-2.0/modules/ssl/ssl_engine_kernel.c
  
  Index: ssl_engine_kernel.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
  retrieving revision 1.105
  retrieving revision 1.106
  diff -d -u -r1.105 -r1.106
  --- ssl_engine_kernel.c	5 Mar 2004 02:44:40 -0000	1.105
  +++ ssl_engine_kernel.c	25 May 2004 12:09:01 -0000	1.106
  @@ -807,7 +807,6 @@
       SSLConnRec *sslconn = myConnConfig(r->connection);
       SSLSrvConfigRec *sc = mySrvConfig(r->server);
       SSLDirConfigRec *dc = myDirConfig(r);
  -    char buf1[MAX_STRING_LEN], buf2[MAX_STRING_LEN];
       char *clientdn;
       const char *auth_line, *username, *password;
   
  @@ -886,14 +885,16 @@
        * adding the string "xxj31ZMTZzkVA" as the password in the user file.
        * This is just the crypted variant of the word "password" ;-)
        */
  -    apr_snprintf(buf1, sizeof(buf1), "%s:password", clientdn);
  -    ssl_util_uuencode(buf2, buf1, FALSE);
  -
  -    apr_snprintf(buf1, sizeof(buf1), "Basic %s", buf2);
  -    apr_table_set(r->headers_in, "Authorization", buf1);
  +    auth_line = apr_pstrcat(r->pool, "Basic ", 
  +                            ap_pbase64encode(r->pool, 
  +                                             apr_pstrcat(r->pool, clientdn, 
  +                                                         ":password", NULL)),
  +                            NULL);
  +    apr_table_set(r->headers_in, "Authorization", auth_line);
   
       ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
  -                 "Faking HTTP Basic Auth header: \"Authorization: %s\"", buf1);
  +                 "Faking HTTP Basic Auth header: \"Authorization: %s\"",
  +                 auth_line);
   
       return DECLINED;
   }
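Review bot: The three nested calls that build auth_line (apr_pstrcat inside ap_pbase64encode inside the outer apr_pstrcat) are hard to read and to step through; naming the intermediate keeps the same behaviour and makes the encoded payload inspectable: `const char *userpass = apr_pstrcat(r->pool, clientdn, ":password", NULL);` followed by `auth_line = apr_pstrcat(r->pool, "Basic ", ap_pbase64encode(r->pool, userpass), NULL);`. The fix itself is sound: both strings are now pool-allocated and sized by the callee, so the fixed MAX_STRING_LEN buffers removed in the first hunk no longer bound the DN length. ssl_hook_UserCheck begins outside the hunk, so whether clientdn is guaranteed non-NULL here cannot be confirmed from this view; if it could be NULL, apr_pstrcat would presumably treat it as the list terminator and yield an empty user part rather than fail loudly, which would be worth a guard. The APLOG_INFO line still logs the complete forged Authorization header as before; that is pre-existing and not changed by this commit.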