httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: CVE-2009-3094, CVE-2009-3095: mod_proxy_ftp issues
Date Mon, 14 Sep 2009 14:18:57 GMT
On Sat, Sep 12, 2009 at 10:43:29PM +0200, Stefan Fritsch wrote:
> On Fri, 11 Sep 2009, Joe Orton wrote:
>> +    char *p = ap_strchr(reply, '('), *ep, *term;
>> +    long port;
>> +
>> +    /* Reply syntax per RFC 2428: "229 blah blah (|||port|)" where '|'
>> +     * can be any character in ASCII from 33-126, obscurely.  Verify
>> +     * the syntax. */
>> +    if (p == NULL || p[1] != p[2] || p[1] != p[3]
>> +        || (ep = strchr(p + 4, ')')) == NULL
>> +        || ep == p + 4 || ep[-1] != p[1]) {
>> +        return 0;
>> +    }
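Review bot: the syntax check on the "if (p == NULL || p[1] != p[2] ..." line reads p[2] and p[3] before confirming that p[1] is not the string terminator, so a reply that ends immediately after the '(' is compared against bytes past the end of the buffer, and if those bytes happen to match, strchr(p + 4, ')') then starts scanning beyond the terminator as well. Add a terminator test as the first condition after p == NULL, either p[1] == '\0' or, matching the RFC 2428 comment above it, a range test (p[1] < 33 || p[1] > 126), i.e. "if (p == NULL || p[1] == '\0' || p[1] != p[2] || p[1] != p[3]". Two smaller points: the "ep == p + 4" test rejects "(|||)" but still accepts "(||||)", where ep == p + 5 and ep[-1] is the delimiter, so the port field between p + 4 and ep - 1 can be empty and nothing in this hunk checks that it is non-empty and all digits, which the follow-on parsing into "port" (not shown here) should do; and "term" is declared but not used within the visible lines.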
>
> Shouldn't you also check for p[1] != 0 before p[1] != p[2], to catch the  
> case where reply ends after the opening bracket?

Yes indeed!  Thanks a lot.  I've rewritten that code slightly, tested 
again, and committed here:

  http://svn.apache.org/viewvc?view=rev&revision=814652

I've not touched the PASV code in that commit, since there doesn't seem 
to be a security issue there, ugly as the code is.

Regards, Joe
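An added example, written for this archive page and not code from Apache httpd or from the r814652 commit: a stand-alone C parser for the RFC 2428 EPSV reply syntax discussed above. It applies the terminator check Stefan Fritsch raised (the delimiter is range-checked before p[2] and p[3] are read) and goes one step further than the quoted hunk by requiring a non-empty, all-digit port in 1..65535. The function name epsv_parse_port and the sample replies are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative parser, not mod_proxy_ftp's: validate an EPSV reply of the
 * form "229 ... (|||port|)" (RFC 2428) and return the port.  The delimiter
 * '|' may be any printable ASCII character (33..126) and must appear three
 * times before the port and once after it.  Returns the port (1..65535),
 * or 0 if the reply is malformed. */
int epsv_parse_port(const char *reply)
{
    const char *p = strchr(reply, '(');
    const char *ep, *q;
    unsigned char delim;
    long port = 0;

    if (p == NULL) {
        return 0;
    }

    /* Check the delimiter before touching p[2] or p[3].  Rejecting anything
     * outside 33..126 also rejects '\0', so a reply that ends right after
     * the '(' can never make the reads below run past the terminator. */
    delim = (unsigned char)p[1];
    if (delim < 33 || delim > 126) {
        return 0;
    }
    /* A ')' delimiter cannot be told apart from the closing parenthesis. */
    if (delim == ')') {
        return 0;
    }
    if ((unsigned char)p[2] != delim || (unsigned char)p[3] != delim) {
        return 0;
    }

    /* Locate the closing ')'.  The delimiter must sit immediately before it
     * and at least one port character must lie between p + 4 and ep - 1,
     * which is why ep must be at least p + 6 (this rejects "(||||)"). */
    ep = strchr(p + 4, ')');
    if (ep == NULL || ep - p < 6 || (unsigned char)ep[-1] != delim) {
        return 0;
    }

    /* The port field must be decimal digits only and fit in 1..65535. */
    for (q = p + 4; q < ep - 1; q++) {
        if (*q < '0' || *q > '9') {
            return 0;
        }
        port = port * 10 + (*q - '0');
        if (port > 65535) {
            return 0;
        }
    }
    if (port == 0) {
        return 0;
    }
    return (int)port;
}

int main(void)
{
    /* Constructed sample replies, including the truncated one raised in the
     * thread (the string ends right after the '('). */
    const char *samples[] = {
        "229 Entering Extended Passive Mode (|||6446|)",
        "229 Entering Extended Passive Mode (",
        "229 Entering Extended Passive Mode (|||)",
        "229 Entering Extended Passive Mode (||||)",
        "229 Entering Extended Passive Mode (|||65536|)",
        "229 Entering Extended Passive Mode (###21#)",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-48s -> %d\n", samples[i], epsv_parse_port(samples[i]));
    }
    return 0;
}
```

Build with any C compiler (cc -Wall epsv.c) and run it to see each sample mapped to a port or to 0. The ordering of the checks is the point: the delimiter is validated, and thereby known to be non-NUL, before any later byte of the reply is read, and the length test ep - p >= 6 closes the empty-port case that a bare ep == p + 4 comparison leaves open.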
