Backport 814045

CVE-2009-3095: mod_proxy_ftp sanity check authn credentials.
Submitted by: Stefan Fritsch <sf fritsch.de>, Joe Orton

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@814847 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index fca3956df3af168ba8a6369bf6d69c0a455d0e3b..3a4057c43d6c80159cee5812ebcc645c197049f8 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.14
 
+  *) CVE-2009-3095: mod_proxy_ftp sanity check authn credentials.
+     [Stefan Fritsch <sf fritsch.de>, Joe Orton]
+
   *) CVE-2009-3094: mod_proxy_ftp NULL pointer dereference on error paths.
      [Stefan Fritsch <sf fritsch.de>, Joe Orton]
 

diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c
index fdcfc6a0ff2373b6c2edf1db297bdc21871c86db..924ac31017848295354b0c0921dd2e5ce69a593f 100644 (file)
--- a/modules/proxy/mod_proxy_ftp.c
+++ b/modules/proxy/mod_proxy_ftp.c
@@ -912,6 +912,11 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
     if ((password = apr_table_get(r->headers_in, "Authorization")) != NULL
         && strcasecmp(ap_getword(r->pool, &password, ' '), "Basic") == 0
         && (password = ap_pbase64decode(r->pool, password))[0] != ':') {
+        /* Check the decoded string for special characters. */
+        if (!ftp_check_string(password)) {
+            return ap_proxyerror(r, HTTP_BAD_REQUEST, 
+                                 "user credentials contained invalid character");
+        } 
         /*
          * Note that this allocation has to be made from r->connection->pool
          * because it has the lifetime of the connection.  The other