You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by tr...@apache.org on 2010/05/13 21:18:50 UTC

svn commit: r943980 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS modules/proxy/proxy_ftp.c

Author: trawick
Date: Thu May 13 19:18:50 2010
New Revision: 943980

URL: http://svn.apache.org/viewvc?rev=943980&view=rev
Log:
merge r814045 from trunk (2.2.x rev 814847):

CVE-2009-3095: mod_proxy_ftp sanity check authn credentials.
Submitted by: Stefan Fritsch <sf fritsch.de>, Joe Orton

Reviewed by: pgollucci, poirier, rjung, trawick

Modified:
    httpd/httpd/branches/2.0.x/CHANGES
    httpd/httpd/branches/2.0.x/STATUS
    httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c

Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=943980&r1=943979&r2=943980&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Thu May 13 19:18:50 2010
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.64
 
+  *) SECURITY: CVE-2009-3095 (cve.mitre.org)
+     mod_proxy_ftp: sanity check authn credentials.
+     [Stefan Fritsch <sf fritsch.de>, Joe Orton]
+
   *) SECURITY: CVE-2009-3094 (cve.mitre.org)
      mod_proxy_ftp: NULL pointer dereference on error paths.
      [Stefan Fritsch <sf fritsch.de>, Joe Orton]

Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?rev=943980&r1=943979&r2=943980&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Thu May 13 19:18:50 2010
@@ -125,13 +125,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
        http://people.apache.org/~fuankg/diffs/httpd-2.0.x-ap_vhost_iterate_given_conn.diff
     +1: fuankg, wrowe, pgollucci
 
-  * mod_proxy_ftp, CVE-2009-3095, sanity check authn credentials
-    Patch in 2.2.x branch:
-      http://svn.apache.org/viewvc?view=revision&revision=814847
-    Backport:
-      http://people.apache.org/~trawick/CVE-2009-3095-2.0.txt
-    +1: pgollucci, poirier, rjung, trawick
-
   * core output filter, CVE-2009-1891, consuming CPU after client disconnects
     Patch in 2.2.x branch:
       http://svn.apache.org/viewvc?view=revision&revision=791454

Modified: httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c?rev=943980&r1=943979&r2=943980&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c (original)
+++ httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c Thu May 13 19:18:50 2010
@@ -890,6 +890,11 @@ int ap_proxy_ftp_handler(request_rec *r,
     if ((password = apr_table_get(r->headers_in, "Authorization")) != NULL
         && strcasecmp(ap_getword(r->pool, &password, ' '), "Basic") == 0
         && (password = ap_pbase64decode(r->pool, password))[0] != ':') {
+        /* Check the decoded string for special characters. */
+        if (!ftp_check_string(password)) {
+            return ap_proxyerror(r, HTTP_BAD_REQUEST, 
+                                 "user credentials contained invalid character");
+        } 
         /*
          * Note that this allocation has to be made from r->connection->pool
          * because it has the lifetime of the connection.  The other