On Wed, Jun 30, 2004 at 10:59:01PM -0500, Edward Rudd wrote:
> On Wed, 30 Jun 2004 20:58:32 -0500, Albert Chin wrote:
>
> > If 2.0.50 addresses "one security vulnerability", why are two listed?
> > I thought CAN-2004-0488 was for 1.3.x?
>
> Someone probably miscounted. And CAN-2004-0488 applied to mod_ssl for
> 1.3.x AND for mod_ssl in 2.0.x.

Ok, thanks. I presume the patch below fixes CAN-2004-0488. According
to the description for CAN-2004-0488, the buffer overflow is in
ssl_util_uuencode_binary(), found in ssl_util.c. However, ssl_utils.c
has remained virtually the same between 2.0.48 and 2.0.50.
--
albert chin ([EMAIL PROTECTED])
-- snip snip
--- modules/ssl/ssl_engine_kernel.c.orig Wed Jun 30 21:14:30 2004
+++ modules/ssl/ssl_engine_kernel.c Wed Jun 30 21:14:32 2004
@@ -793,7 +793,6 @@
SSLConnRec *sslconn = myConnConfig(r->connection);
SSLSrvConfigRec *sc = mySrvConfig(r->server);
SSLDirConfigRec *dc = myDirConfig(r);
- char buf1[MAX_STRING_LEN], buf2[MAX_STRING_LEN];
char *clientdn;
const char *auth_line, *username, *password;
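Review bot: removing the buf1/buf2 declaration here is only safe if every use in this function is converted, and the only uses visible in this patch are the ones replaced in the next hunk; please confirm nothing between the two hunks still references either buffer. The change also reuses the existing auth_line variable for the faked header, so a line in the commit message saying why the fixed MAX_STRING_LEN buffers were dropped would help, since that reason is not evident from this hunk alone.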
@@ -872,14 +871,16 @@
* adding the string "xxj31ZMTZzkVA" as the password in the user file.
* This is just the crypted variant of the word "password" ;-)
*/
- apr_snprintf(buf1, sizeof(buf1), "%s:password", clientdn);
- ssl_util_uuencode(buf2, buf1, FALSE);
-
- apr_snprintf(buf1, sizeof(buf1), "Basic %s", buf2);
- apr_table_set(r->headers_in, "Authorization", buf1);
+ auth_line = apr_pstrcat(r->pool, "Basic ",
+ ap_pbase64encode(r->pool,
+ apr_pstrcat(r->pool, clientdn,
+ ":password", NULL)),
+ NULL);
+ apr_table_set(r->headers_in, "Authorization", auth_line);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
- "Faking HTTP Basic Auth header: \"Authorization: %s\"", buf1);
+ "Faking HTTP Basic Auth header: \"Authorization: %s\"",
+ auth_line);
return DECLINED;
}
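Review bot: the removed call ssl_util_uuencode(buf2, buf1, FALSE) passes a destination with no length, and this hunk fixes only this one call site, so any other caller of that helper keeps the unbounded write. In the old code buf1 and buf2 were both MAX_STRING_LEN, and base64 output is roughly 4/3 the size of its input, so a clientdn that came close to filling buf1 would overrun buf2; building the value with apr_pstrcat and ap_pbase64encode from r->pool removes that size dependency here. Suggest auditing the remaining callers of ssl_util_uuencode (or giving it a size parameter), and adding a short comment above the new auth_line assignment noting that clientdn is derived from the client certificate, which is why a fixed buffer is not appropriate.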