Commit cac1ec32 authored by Joe Orton's avatar Joe Orton

* modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Fix buffer

overflow in FakeBasicAuth code if client's subject DN exceeds 6K in
length (CVE CAN-2004-0488); switch to using apr-util base64 encoder
functions.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103754 13f79535-47bb-0310-9956-ffa450edef68
parent 1380d507
+8 −7
@@ -807,7 +807,6 @@ int ssl_hook_UserCheck(request_rec *r)
    SSLConnRec *sslconn = myConnConfig(r->connection);
    SSLSrvConfigRec *sc = mySrvConfig(r->server);
    SSLDirConfigRec *dc = myDirConfig(r);
    char buf1[MAX_STRING_LEN], buf2[MAX_STRING_LEN];
    char *clientdn;
    const char *auth_line, *username, *password;

@@ -886,14 +885,16 @@ int ssl_hook_UserCheck(request_rec *r)
     * adding the string "xxj31ZMTZzkVA" as the password in the user file.
     * This is just the crypted variant of the word "password" ;-)
     */
    apr_snprintf(buf1, sizeof(buf1), "%s:password", clientdn);
    ssl_util_uuencode(buf2, buf1, FALSE);

    apr_snprintf(buf1, sizeof(buf1), "Basic %s", buf2);
    apr_table_set(r->headers_in, "Authorization", buf1);
    auth_line = apr_pstrcat(r->pool, "Basic ", 
                            ap_pbase64encode(r->pool, 
                                             apr_pstrcat(r->pool, clientdn, 
                                                         ":password", NULL)),
                            NULL);
    apr_table_set(r->headers_in, "Authorization", auth_line);

    ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
                 "Faking HTTP Basic Auth header: \"Authorization: %s\"", buf1);
                 "Faking HTTP Basic Auth header: \"Authorization: %s\"",
                 auth_line);

    return DECLINED;
}
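Review bot: The new Authorization construction at the `auth_line = apr_pstrcat(...)` lines nests two `apr_pstrcat` calls around `ap_pbase64encode`, and nothing in the hunk records why the fixed-size buffers went away, so the next reader has to dig up the CVE history to learn that `clientdn` is client-supplied and of unbounded length. I would split it as `const char *cred = apr_pstrcat(r->pool, clientdn, ":password", NULL);` followed by `auth_line = apr_pstrcat(r->pool, "Basic ", ap_pbase64encode(r->pool, cred), NULL);`, preceded by a comment along the lines of `/* clientdn is client-supplied and unbounded: build the header in the pool, never in a fixed buffer */`. One further observation, hedged because it predates this change: the Basic scheme splits the decoded credential at its first ':', so a subject DN that itself contains a colon would yield a username that is not the full DN, which deserves a comment if that is intended. ssl_hook_UserCheck starts before this hunk; only its tail is visible here.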