From: Graham Leggett Date: Mon, 14 Sep 2009 20:53:28 +0000 (+0000) Subject: Backport 814045 X-Git-Tag: 2.2.14~43 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eff89967da38d1a76ce6793430dfbc7ff29f0944;p=thirdparty%2Fapache%2Fhttpd.git Backport 814045 CVE-2009-3095: mod_proxy_ftp sanity check authn credentials. Submitted by: Stefan Fritsch , Joe Orton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@814847 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index fca3956df3a..3a4057c43d6 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@  -*- coding: utf-8 -*- Changes with Apache 2.2.14 + *) CVE-2009-3095: mod_proxy_ftp sanity check authn credentials. + [Stefan Fritsch , Joe Orton] + *) CVE-2009-3094: mod_proxy_ftp NULL pointer dereference on error paths. [Stefan Fritsch , Joe Orton] diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c index fdcfc6a0ff2..924ac310178 100644 --- a/modules/proxy/mod_proxy_ftp.c +++ b/modules/proxy/mod_proxy_ftp.c @@ -912,6 +912,11 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker, if ((password = apr_table_get(r->headers_in, "Authorization")) != NULL && strcasecmp(ap_getword(r->pool, &password, ' '), "Basic") == 0 && (password = ap_pbase64decode(r->pool, password))[0] != ':') { + /* Check the decoded string for special characters. */ + if (!ftp_check_string(password)) { + return ap_proxyerror(r, HTTP_BAD_REQUEST, + "user credentials contained invalid character"); + } /* * Note that this allocation has to be made from r->connection->pool * because it has the lifetime of the connection. The other
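Review bot: The added comment above the `ftp_check_string(password)` call says only "special characters", which hides why the check matters. The decoded Basic credentials are presumably passed on as arguments on the FTP control connection, where an embedded CR or LF would end the intended command early. I would state that in the comment, e.g. `/* Reject CR/LF and other bytes ftp_check_string() refuses: these credentials are sent on the FTP control connection. */`. `ftp_check_string()` is defined outside this hunk, so it is worth confirming that its rules fit a raw decoded `user:password` value and not only URL components. The body of `proxy_ftp_handler` starts before and continues after the hunk.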