From: Joe Orton
Date: Fri, 17 Nov 2017 17:14:32 +0000 (+0000)
Subject: * modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Check username
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0b9b299354762554e3353e23f21455fef62e7257;p=apache

* modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Check username does not contain a colon before constructing Authorization header for FakeBasicAuth mode. (Also constify 'user' variable.)

PR: 52644

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1815592 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index e335b2d89c..1f6774e9e2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
+ *) mod_ssl: Fail with 403 if the username for FakeBasicAuth mode
+ includes a colon character. PR 52644. [Joe Orton]
+
 *) mod_md: v1.0.3, fixed various bugs in persisting job properties,
 so that status is persisted accross child process changes and
 staging is reset on reloads. Changed MDCertificateAgreement url
 checks. As long as the CA reports that the account has
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index d9b5bf9f04..220232e590 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1181,8 +1181,7 @@ int ssl_hook_UserCheck(request_rec *r)
 SSLConnRec *sslconn = myConnConfig(r->connection);
 SSLSrvConfigRec *sc = mySrvConfig(r->server);
 SSLDirConfigRec *dc = myDirConfig(r);
- char *user;
- const char *auth_line, *username, *password;
+ const char *user, *auth_line, *username, *password;
 /*
 * Additionally forbid access (again)
@@ -1258,7 +1257,14 @@ int ssl_hook_UserCheck(request_rec *r)
 }
 }
 else {
- user = (char *)sslconn->client_dn;
+ user = sslconn->client_dn;
+ }
+
+ if (ap_strchr_c(user, ':') != NULL) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10096) "Cannot use FakeBasicAuth for username " "containing a colon: %s", user);
+ return HTTP_FORBIDDEN;
 }
 /*
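Review bot: The new `ap_strchr_c(user, ':')` guard in the second ssl_engine_kernel.c hunk stops a client-certificate DN from smuggling a password separator into the synthesized `user:password` credential, but RFC 7617 also forbids control characters in the user-id and those are still accepted here; the rejected DN is additionally written to the error log through `%s` at APLOG_ERR, so any CR/LF or other control bytes a certificate holder puts in the subject reach the log unless the error-log path escapes them, which this hunk does not show. The check also dereferences `user` unconditionally, so it relies on `sslconn->client_dn` (and the value set in the `if` branch above the hunk) never being NULL at this point — that precondition lives in the part of ssl_hook_UserCheck outside the hunk and is worth confirming. Since the rejection will surprise operators whose DNs legitimately contain a colon, the check deserves a why-comment, e.g. `/* RFC 7617: a ':' in the user-id would let the client inject the password half of the fake Authorization header, so refuse rather than build a bogus credential. */`. ssl_hook_UserCheck begins before and continues after both hunks.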