Security fix - this is presumed to fix CVE-2009-3095 (the disclosed
authorJoe Orton <jorton@apache.org>
Fri, 11 Sep 2009 21:49:50 +0000 (21:49 +0000)
committerJoe Orton <jorton@apache.org>
Fri, 11 Sep 2009 21:49:50 +0000 (21:49 +0000)
information was limited so this has not been confirmed):

* modules/proxy/mod_proxy_ftp.c (proxy_ftp_handler): Fail if the
  decoded Basic credentials contain "special" characters.
  Thanks to Stefan Fritsch for analysis of this issue.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@814045 13f79535-47bb-0310-9956-ffa450edef68

modules/proxy/mod_proxy_ftp.c

index 582cdc9ecf75060d0c0227a320ef97b226313a9a..1caa604dcb0a52fde5ee8850f3378fe688920a62 100644 (file)
@@ -968,6 +968,11 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
     if ((password = apr_table_get(r->headers_in, "Authorization")) != NULL
         && strcasecmp(ap_getword(r->pool, &password, ' '), "Basic") == 0
         && (password = ap_pbase64decode(r->pool, password))[0] != ':') {
+        /* Check the decoded string for special characters. */
+        if (!ftp_check_string(password)) {
+            return ap_proxyerror(r, HTTP_BAD_REQUEST, 
+                                 "user credentials contained invalid character");
+        } 
         /*
          * Note that this allocation has to be made from r->connection->pool
          * because it has the lifetime of the connection.  The other
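Review bot: The added comment `/* Check the decoded string for special characters. */` does not say which characters are rejected or why, although it sits on a security check in proxy_ftp_handler, whose body continues outside this hunk. The decoded value appears to be used as FTP login credentials later in that function, so I would state the reason, for example `/* Reject credentials that ftp_check_string() refuses (presumably CR/LF), since they are later placed in FTP command lines. */`. ftp_check_string is defined outside the hunk; if it also interprets %xx escapes or rejects bytes with the high bit set, the comment should say so, because that would refuse non-ASCII passwords and ones containing a literal percent sequence. As a minor style point, the added lines ending in `HTTP_BAD_REQUEST, ` and `} ` carry trailing whitespace.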