From 157c02da3e2df68a9c99b8224af6fd8ab39cf025 Mon Sep 17 00:00:00 2001
From: Jeff Trawick
Date: Thu, 13 May 2010 19:18:50 +0000
Subject: [PATCH] merge r814045 from trunk (2.2.x rev 814847): CVE-2009-3095: mod_proxy_ftp sanity check authn credentials.
Submitted by: Stefan Fritsch , Joe Orton
Reviewed by: pgollucci, poirier, rjung, trawick
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@943980 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 4 ++++
 STATUS | 7 -------
 modules/proxy/proxy_ftp.c | 5 +++++
 3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/CHANGES b/CHANGES
index 6cc68bbefd9..287b41540e5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.0.64 + *) SECURITY: CVE-2009-3095 (cve.mitre.org) + mod_proxy_ftp: sanity check authn credentials. + [Stefan Fritsch , Joe Orton] + *) SECURITY: CVE-2009-3094 (cve.mitre.org) mod_proxy_ftp: NULL pointer dereference on error paths. [Stefan Fritsch , Joe Orton]
diff --git a/STATUS b/STATUS
index b3867b8aae2..b78ef780fa3 100644
--- a/STATUS
+++ b/STATUS
@@ -125,13 +125,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: http://people.apache.org/~fuankg/diffs/httpd-2.0.x-ap_vhost_iterate_given_conn.diff +1: fuankg, wrowe, pgollucci - * mod_proxy_ftp, CVE-2009-3095, sanity check authn credentials - Patch in 2.2.x branch: - http://svn.apache.org/viewvc?view=revision&revision=814847 - Backport: - http://people.apache.org/~trawick/CVE-2009-3095-2.0.txt - +1: pgollucci, poirier, rjung, trawick - * core output filter, CVE-2009-1891, consuming CPU after client disconnects Patch in 2.2.x branch: http://svn.apache.org/viewvc?view=revision&revision=791454
diff --git a/modules/proxy/proxy_ftp.c b/modules/proxy/proxy_ftp.c
index 16abbdd226e..cbbf23c9189 100644
--- a/modules/proxy/proxy_ftp.c
+++ b/modules/proxy/proxy_ftp.c
@@ -890,6 +890,11 @@ int ap_proxy_ftp_handler(request_rec *r, proxy_server_conf *conf,
 if ((password = apr_table_get(r->headers_in, "Authorization")) != NULL
 && strcasecmp(ap_getword(r->pool, &password, ' '), "Basic") == 0
 && (password = ap_pbase64decode(r->pool, password))[0] != ':') {
+ /* Check the decoded string for special characters. */
+ if (!ftp_check_string(password)) {
+ return ap_proxyerror(r, HTTP_BAD_REQUEST,
+ "user credentials contained invalid character");
+ }
 /*
 * Note that this allocation has to be made from r->connection->pool
 * because it has the lifetime of the connection. The other
-- 
2.47.2
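Review bot: The added comment `/* Check the decoded string for special characters. */` does not say which characters are refused or why, and that reason is the security property this guard exists for. ap_proxy_ftp_handler starts and ends outside this hunk, but the decoded `user:password` is presumably sent later as FTP login commands on the control connection, so I would write it as `/* Reject CR, LF and anything else ftp_check_string() refuses: the decoded user:password must not be able to add lines to the FTP control connection. */`. ftp_check_string() is not shown here; if it interprets `%xx` escapes before testing each byte, a password containing a literal `%` followed by two hex digits may be refused with the 400 as well, which deserves a word in the comment. The check also runs only inside the `[0] != ':'` branch, so confirm that no other path in the handler passes header-derived credentials to the server unchecked.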