From 3efccf4239e0a576d7667c95d61c4a618af32916 Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Tue, 25 May 2004 12:09:01 +0000
Subject: [PATCH] * modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Fix buffer overflow in FakeBasicAuth code if client's subject DN exceeds 6K in length (CVE CAN-2004-0488); switch to using apr-util base64 encoder functions.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103754 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/ssl_engine_kernel.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 7a234da63a..538612cb25 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -807,7 +807,6 @@ int ssl_hook_UserCheck(request_rec *r)
 SSLConnRec *sslconn = myConnConfig(r->connection);
 SSLSrvConfigRec *sc = mySrvConfig(r->server);
 SSLDirConfigRec *dc = myDirConfig(r);
- char buf1[MAX_STRING_LEN], buf2[MAX_STRING_LEN];
 char *clientdn;
 const char *auth_line, *username, *password;
@@ -886,14 +885,16 @@ int ssl_hook_UserCheck(request_rec *r)
 * adding the string "xxj31ZMTZzkVA" as the password in the user file.
 * This is just the crypted variant of the word "password" ;-)
 */
- apr_snprintf(buf1, sizeof(buf1), "%s:password", clientdn);
- ssl_util_uuencode(buf2, buf1, FALSE);
-
- apr_snprintf(buf1, sizeof(buf1), "Basic %s", buf2);
- apr_table_set(r->headers_in, "Authorization", buf1);
+ auth_line = apr_pstrcat(r->pool, "Basic ",
+ ap_pbase64encode(r->pool,
+ apr_pstrcat(r->pool, clientdn,
+ ":password", NULL)),
+ NULL);
+ apr_table_set(r->headers_in, "Authorization", auth_line);
 ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
- "Faking HTTP Basic Auth header: \"Authorization: %s\"", buf1);
+ "Faking HTTP Basic Auth header: \"Authorization: %s\"",
+ auth_line);
 return DECLINED;
 }
--
2.40.0
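Review bot: In the second hunk, `clientdn` is concatenated with `":password"` and base64-encoded without checking whether the DN itself contains a `:`. Basic credentials are conventionally split at the first colon, so a subject DN with a colon in it would presumably be parsed downstream as a shorter user name than the certificate actually asserts. Rejecting such a DN before the header is built would close that, e.g. `if (ap_strchr_c(clientdn, ':')) { return HTTP_FORBIDDEN; }` with a log message explaining why. The assignment of `clientdn` and the rest of ssl_hook_UserCheck lie outside the hunk, so confirm no earlier check already covers this.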