From eff89967da38d1a76ce6793430dfbc7ff29f0944 Mon Sep 17 00:00:00 2001 From: Graham Leggett Date: Mon, 14 Sep 2009 20:53:28 +0000 Subject: [PATCH] Backport 814045 CVE-2009-3095: mod_proxy_ftp sanity check authn credentials. Submitted by: Stefan Fritsch , Joe Orton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@814847 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 3 +++ modules/proxy/mod_proxy_ftp.c | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/CHANGES b/CHANGES index fca3956df3a..3a4057c43d6 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@  -*- coding: utf-8 -*- Changes with Apache 2.2.14 + *) CVE-2009-3095: mod_proxy_ftp sanity check authn credentials. + [Stefan Fritsch , Joe Orton] + *) CVE-2009-3094: mod_proxy_ftp NULL pointer dereference on error paths. [Stefan Fritsch , Joe Orton] diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c index fdcfc6a0ff2..924ac310178 100644 --- a/modules/proxy/mod_proxy_ftp.c +++ b/modules/proxy/mod_proxy_ftp.c @@ -912,6 +912,11 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker, if ((password = apr_table_get(r->headers_in, "Authorization")) != NULL && strcasecmp(ap_getword(r->pool, &password, ' '), "Basic") == 0 && (password = ap_pbase64decode(r->pool, password))[0] != ':') { + /* Check the decoded string for special characters. */ + if (!ftp_check_string(password)) { + return ap_proxyerror(r, HTTP_BAD_REQUEST, + "user credentials contained invalid character"); + } /* * Note that this allocation has to be made from r->connection->pool * because it has the lifetime of the connection. The other -- 2.47.2