From 9e3a6125eb23542ed7be7550e6b140330496bab1 Mon Sep 17 00:00:00 2001
From: novel <novel@FreeBSD.org>
Date: Mon, 26 Sep 2005 11:38:08 +0000
Subject: Fix insecure use of popen().

Obtained from:	wzdftpd-security maillist
---
 ftp/wzdftpd/Makefile              |  1 +
 ftp/wzdftpd/files/patch-popen-bug | 62 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100644 ftp/wzdftpd/files/patch-popen-bug

(limited to 'ftp')

diff --git a/ftp/wzdftpd/Makefile b/ftp/wzdftpd/Makefile
index d7c63a8051b2..804919d044d4 100644
--- a/ftp/wzdftpd/Makefile
+++ b/ftp/wzdftpd/Makefile
@@ -7,6 +7,7 @@
 
 PORTNAME=	wzdftpd
 PORTVERSION=	0.5.4
+PORTREVISION=	1
 CATEGORIES=	ftp ipv6
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	${PORTNAME}
diff --git a/ftp/wzdftpd/files/patch-popen-bug b/ftp/wzdftpd/files/patch-popen-bug
new file mode 100644
index 000000000000..f9896c22cf24
--- /dev/null
+++ b/ftp/wzdftpd/files/patch-popen-bug
@@ -0,0 +1,62 @@
+--- src/wzd_mod.c.orig	2005-09-26 09:34:42.000000000 +0200
++++ src/wzd_mod.c	2005-09-26 09:46:41.000000000 +0200
+@@ -102,6 +102,7 @@
+ } protocol_handler_t;
+ 
+ static int _hook_print_file(const char *filename, wzd_context_t *context);
++void _cleanup_shell_command(char * buffer, size_t length);
+ 
+ static protocol_handler_t * proto_handler_list=NULL;
+ static unsigned int _reply_code;
+@@ -378,6 +379,8 @@
+   {
+     *(buffer+l_command++) = ' ';
+     (void)wzd_strncpy(buffer + l_command, buffer_args, sizeof(buffer) - l_command - 1);
++    /* SECURITY filter buffer for shell special characters ! */
++    _cleanup_shell_command(buffer,sizeof(buffer));
+     if ( (command_output = popen(buffer,"r")) == NULL ) {
+       out_log(LEVEL_HIGH,"Hook '%s': unable to popen\n",hook->external_command);
+       return 1;
+@@ -438,6 +441,8 @@
+   else
+   {
+ /*    *(buffer+l_command++) = ' ';*/
++    /* SECURITY filter buffer for shell special characters ! */
++    _cleanup_shell_command(buffer,sizeof(buffer));
+     if ( (command_output = popen(buffer,"r")) == NULL ) {
+       out_log(LEVEL_HIGH,"Hook '%s': unable to popen\n",hook->external_command);
+       return 1;
+@@ -733,6 +738,8 @@
+ }
+ 
+ 
++/*************** STATIC ****************/
++
+ static int _hook_print_file(const char *filename, wzd_context_t *context)
+ {
+   wzd_cache_t * fp;
+@@ -765,3 +772,24 @@
+ 
+   return 0;
+ }
++
++void _cleanup_shell_command(char * buffer, size_t length)
++{
++  const char * specials = "$\\|;!`()'\"#.,:*?{}[]&<>-~";
++  size_t i,j;
++  char * buf2;
++
++  buf2 = wzd_malloc(length);
++
++  for (i=0,j=0; buffer[i]!='\0' && i<length && j<length; i++,j++) {
++    if (strchr(specials,buffer[i]) != NULL) {
++      if (j+1 >= length) { buf2[j]='\0'; break; }
++      buf2[j++] = '\\';
++    }
++    buf2[j] = buffer[i];
++  }
++
++  wzd_strncpy(buffer,buf2,length);
++  wzd_free(buf2);
++}
++
-- 
cgit