You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by tr...@apache.org on 2010/05/13 21:18:50 UTC
svn commit: r943980 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS
modules/proxy/proxy_ftp.c
Author: trawick
Date: Thu May 13 19:18:50 2010
New Revision: 943980
URL: http://svn.apache.org/viewvc?rev=943980&view=rev
Log:
merge r814045 from trunk (2.2.x rev 814847):
CVE-2009-3095: mod_proxy_ftp sanity check authn credentials.
Submitted by: Stefan Fritsch <sf fritsch.de>, Joe Orton
Reviewed by: pgollucci, poirier, rjung, trawick
Modified:
httpd/httpd/branches/2.0.x/CHANGES
httpd/httpd/branches/2.0.x/STATUS
httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c
Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=943980&r1=943979&r2=943980&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Thu May 13 19:18:50 2010
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.0.64
+ *) SECURITY: CVE-2009-3095 (cve.mitre.org)
+ mod_proxy_ftp: sanity check authn credentials.
+ [Stefan Fritsch <sf fritsch.de>, Joe Orton]
+
*) SECURITY: CVE-2009-3094 (cve.mitre.org)
mod_proxy_ftp: NULL pointer dereference on error paths.
[Stefan Fritsch <sf fritsch.de>, Joe Orton]
Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?rev=943980&r1=943979&r2=943980&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Thu May 13 19:18:50 2010
@@ -125,13 +125,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
http://people.apache.org/~fuankg/diffs/httpd-2.0.x-ap_vhost_iterate_given_conn.diff
+1: fuankg, wrowe, pgollucci
- * mod_proxy_ftp, CVE-2009-3095, sanity check authn credentials
- Patch in 2.2.x branch:
- http://svn.apache.org/viewvc?view=revision&revision=814847
- Backport:
- http://people.apache.org/~trawick/CVE-2009-3095-2.0.txt
- +1: pgollucci, poirier, rjung, trawick
-
* core output filter, CVE-2009-1891, consuming CPU after client disconnects
Patch in 2.2.x branch:
http://svn.apache.org/viewvc?view=revision&revision=791454
Modified: httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c?rev=943980&r1=943979&r2=943980&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c (original)
+++ httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c Thu May 13 19:18:50 2010
@@ -890,6 +890,11 @@ int ap_proxy_ftp_handler(request_rec *r,
if ((password = apr_table_get(r->headers_in, "Authorization")) != NULL
&& strcasecmp(ap_getword(r->pool, &password, ' '), "Basic") == 0
&& (password = ap_pbase64decode(r->pool, password))[0] != ':') {
+ /* Check the decoded string for special characters. */
+ if (!ftp_check_string(password)) {
+ return ap_proxyerror(r, HTTP_BAD_REQUEST,
+ "user credentials contained invalid character");
+ }
/*
* Note that this allocation has to be made from r->connection->pool
* because it has the lifetime of the connection. The other