diff options
Diffstat (limited to 'www/apache22/patches/patch-ab')
| -rw-r--r-- | www/apache22/patches/patch-ab | 116 |
1 files changed, 0 insertions, 116 deletions
diff --git a/www/apache22/patches/patch-ab b/www/apache22/patches/patch-ab deleted file mode 100644 index 910c2b6c7c3..00000000000 --- a/www/apache22/patches/patch-ab +++ /dev/null @@ -1,116 +0,0 @@ -$NetBSD: patch-ab,v 1.14 2009/10/04 12:21:35 tron Exp $ - -Fixes for CVE-2009-3094 and CVE-2009-3095 taken from the Apache SVN repository: - -http://svn.apache.org/viewvc?view=rev&revision=814844 -http://svn.apache.org/viewvc?view=rev&revision=814847 - ---- modules/proxy/mod_proxy_ftp.c.orig 2008-11-11 20:04:34.000000000 +0000 -+++ modules/proxy/mod_proxy_ftp.c 2009-10-04 12:49:43.000000000 +0100 -@@ -604,6 +604,31 @@ - return APR_SUCCESS; - } - -+/* Parse EPSV reply and return port, or zero on error. Modifies -+ * 'reply'. */ -+static apr_port_t parse_epsv_reply(char *reply) -+{ -+ char *p, *ep; -+ long port; -+ -+ /* Reply syntax per RFC 2428: "229 blah blah (|||port|)" where '|' -+ * can be any character in ASCII from 33-126, obscurely. Verify -+ * the syntax. */ -+ p = ap_strchr(reply, '('); -+ if (p == NULL || !p[0] || !p[1] || p[1] != p[2] || p[1] != p[3] -+ || p[4] == p[1]) { -+ return 0; -+ } -+ -+ errno = 0; -+ port = strtol(p + 4, &ep, 10); -+ if (errno || port < 1 || port > 65535 || ep[0] != p[1] || ep[1] != ')') { -+ return 0; -+ } -+ -+ return (apr_port_t)port; -+} -+ - /* - * Generic "send FTP command to server" routine, using the control socket. - * Returns the FTP returncode (3 digit code) -@@ -887,6 +912,11 @@ - if ((password = apr_table_get(r->headers_in, "Authorization")) != NULL - && strcasecmp(ap_getword(r->pool, &password, ' '), "Basic") == 0 - && (password = ap_pbase64decode(r->pool, password))[0] != ':') { -+ /* Check the decoded string for special characters. */ -+ if (!ftp_check_string(password)) { -+ return ap_proxyerror(r, HTTP_BAD_REQUEST, -+ "user credentials contained invalid character"); -+ } - /* - * Note that this allocation has to be made from r->connection->pool - * because it has the lifetime of the connection. The other -@@ -1210,26 +1240,11 @@ - return ftp_proxyerror(r, backend, HTTP_BAD_GATEWAY, ftpmessage); - } - else if (rc == 229) { -- char *pstr; -- char *tok_cntx; -+ /* Parse the port out of the EPSV reply. */ -+ data_port = parse_epsv_reply(ftpmessage); - -- pstr = ftpmessage; -- pstr = apr_strtok(pstr, " ", &tok_cntx); /* separate result code */ -- if (pstr != NULL) { -- if (*(pstr + strlen(pstr) + 1) == '=') { -- pstr += strlen(pstr) + 2; -- } -- else { -- pstr = apr_strtok(NULL, "(", &tok_cntx); /* separate address & -- * port params */ -- if (pstr != NULL) -- pstr = apr_strtok(NULL, ")", &tok_cntx); -- } -- } -- -- if (pstr) { -+ if (data_port) { - apr_sockaddr_t *epsv_addr; -- data_port = atoi(pstr + 3); - - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, - "proxy: FTP: EPSV contacting remote host on port %d", -@@ -1272,10 +1287,6 @@ - connect = 1; - } - } -- else { -- /* and try the regular way */ -- apr_socket_close(data_sock); -- } - } - } - -@@ -1364,10 +1375,6 @@ - connect = 1; - } - } -- else { -- /* and try the regular way */ -- apr_socket_close(data_sock); -- } - } - } - /*bypass:*/ -@@ -1851,7 +1858,9 @@ - * for a slow client to eat these bytes - */ - ap_flush_conn(data); -- apr_socket_close(data_sock); -+ if (data_sock) { -+ apr_socket_close(data_sock); -+ } - data_sock = NULL; - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, - "proxy: FTP: data connection closed"); |