Fix CVE-2008-2384: Encode strings securely via
[debian/mod-auth-mysql] / debian / patches / 013-CVE-2008-2384_charset.dpatch
1 #! /bin/sh /usr/share/dpatch/dpatch-run
2 ## 013-CVE-2008-2384_charset.dpatch by  <joey@localhost>
3 ##
4 ## All lines beginning with `## DP:' are a description of the patch.
5 ## DP: Fix CVE-2008-2384: Encode strings securely via mysql_real_escape_string()
6
7 @DPATCH@
8 diff -urNad mod-auth-mysql~/mod_auth_mysql.c mod-auth-mysql/mod_auth_mysql.c
9 --- mod-auth-mysql~/mod_auth_mysql.c    2009-01-07 21:47:20.000000000 +0100
10 +++ mod-auth-mysql/mod_auth_mysql.c     2009-01-08 21:12:47.000000000 +0100
11 @@ -340,6 +340,8 @@ typedef struct {
12  
13  module auth_mysql_module;
14  
15 +static int open_auth_dblink(request_rec *r, mysql_auth_config_rec *sec);
16 +
17  #ifdef APACHE2
18  static apr_status_t
19  #else
20 @@ -506,9 +508,9 @@ static const char *set_scrambled_passwor
21   * server when passed in as part of a query.
22   */
23  #ifdef APACHE2
24 -static char *mysql_escape(char *str, apr_pool_t *p)
25 +static char *mysql_escape(mysql_auth_config_rec *sec, request_rec *r, char *str, apr_pool_t *p)
26  #else
27 -static char *mysql_escape(char *str, pool *p)
28 +static char *mysql_escape(mysql_auth_config_rec *sec, request_rec *r, char *str, pool *p)
29  #endif
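Review bot: The two parameters added to both mysql_escape signatures, `sec` and `r`, are not described by the header comment whose tail (`* server when passed in as part of a query.`) is the first line of this hunk, and `r` is not referenced anywhere in the lines of the function shown on this page, so it is either used in the part of the body outside the hunks or an unused parameter. Suggest extending that comment with `* sec: per-directory config; sec->dbh must be an open connection, since escaping is done with the connection's character set.  r: current request.` and dropping `r` if it really is unused. The function body continues past the end of this hunk.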
30  {
31         char *dest;
32 @@ -522,7 +524,7 @@ static char *mysql_escape(char *str, poo
33                 return str;
34         }
35         
36 -       mysql_escape_string(dest, str, strlen(str));
37 +       mysql_real_escape_string(sec->dbh, dest, str, strlen(str));
38         
39         return dest;
40  }
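Review bot: `mysql_real_escape_string(sec->dbh, dest, str, strlen(str));` relies on `sec->dbh` being an open connection, but nothing in mysql_escape checks it, and only one of the two callers changed in this patch (mysql_check_user_password) guarantees it; the mysql_check_group hunk at the end still escapes in declaration initializers, so that call site is where the ordering needs fixing. Independently of the new call, the `return str;` fallback two lines above hands the caller the unescaped input when `dest` could not be obtained, and whatever the caller does with that string (presumably building the query) then sees raw user input; returning NULL there and having callers treat NULL as a failure would fail closed instead. The allocation of `dest` and the start of mysql_escape are outside this hunk, so confirm that the fallback really is the allocation-failure path.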
41 @@ -1374,25 +1376,18 @@ static int open_auth_dblink(request_rec 
42         }
43  
44         if (sec->db_charset) {
45 +               const char *check;
46 +
47                 APACHELOG(APLOG_DEBUG, r,
48                         "Setting character set to %s", sec->db_charset);
49  
50 -               query = (char *) PSTRCAT(r->pool, "SET CHARACTER SET ", sec->db_charset, NULL);
51 -               if (!query) {
52 -                       APACHELOG(APLOG_ERR, r,
53 -                               "Failed to create query string - we're no good...");
54 -                       return -1;
55 -               }
56 +               mysql_set_character_set(sec->dbh, sec->db_charset);
57  
58 -               if (mysql_query(sec->dbh, query)) {
59 -                       if (sec->dbh)
60 -                       {
61 -                               APACHELOG(APLOG_ERR, r,
62 -                                       "Query call failed: %s (%i)", mysql_error(sec->dbh),
63 -                                       mysql_errno(sec->dbh));
64 -                       }
65 +               check = mysql_character_set_name(sec->dbh);
66  
67 -                       APACHELOG(APLOG_DEBUG, r, "Failed query was: [%s]", query);
68 +               if (!check || strcmp(sec->db_charset, check)) {
69 +                       APACHELOG(APLOG_ERR, r,
70 +                               "Failed to set character set to %s", sec->db_charset);
71                         return -1;
72                 }
73         }
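Review bot: The return value of `mysql_set_character_set(sec->dbh, sec->db_charset);` is discarded, so the library's own failure reason is lost and the only signal that the switch failed is the name comparison that follows. Checking it directly keeps the fail-closed behaviour and improves the log line: wrap the call in `if (mysql_set_character_set(sec->dbh, sec->db_charset)) {`, log `"Failed to set character set to %s: %s", sec->db_charset, mysql_error(sec->dbh)` and `return -1;` as the existing branch does, keeping the `mysql_character_set_name()` comparison as a second check. That comparison is an exact `strcmp`, so a charset the server accepted under a differently spelled alias would still be reported as a failure; I cannot tell from this hunk which names are configured in practice, so a short comment noting that `db_charset` must match the server's canonical name would help operators. open_auth_dblink begins and ends outside this hunk.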
74 @@ -1537,11 +1532,27 @@ static int mysql_check_user_password(req
75         char *auth_table = "mysql_auth", *auth_user_field = "username",
76                 *auth_password_field = "passwd", *auth_password_clause = "";
77         char *query;
78 -       char *esc_user = mysql_escape(user, r->pool);
79 +       char *esc_user = NULL;
80         MYSQL_RES *result;
81         MYSQL_ROW sql_row;
82 +       int error = CR_UNKNOWN_ERROR;
83         int rv;
84                 
85 +       if (!sec->dbh) {
86 +               APACHELOG(APLOG_DEBUG, r,
87 +                       "No DB connection open - firing one up");
88 +               if ((error = open_auth_dblink(r, sec))) {
89 +                       APACHELOG(APLOG_DEBUG, r,
90 +                               "open_auth_dblink returned %i", error);
91 +                       return error;
92 +               }
93 +
94 +               APACHELOG(APLOG_DEBUG, r,
95 +                       "Correctly opened a new DB connection");
96 +       }
97 +
98 +       esc_user = mysql_escape(sec, r, user, r->pool);
99 +
100         if (sec->user_table) {
101                 auth_table = sec->user_table;
102         }
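Review bot: `int error = CR_UNKNOWN_ERROR;` is a dead initializer: `error` is only read after being assigned from open_auth_dblink() in the new `if (!sec->dbh)` block, so the CR_* value never reaches a caller and `int error;` would express the same thing. What does reach the caller through `return error;` is open_auth_dblink's own return code (the charset hunk above shows it returning -1), so it is worth confirming that mysql_check_user_password's callers, which are outside this hunk, treat that value as a denial. If the original body already contained an identical connection-opening block further down, before the query is run (not visible here), that block is now redundant and can be removed. The rest of mysql_check_user_password lies outside the hunk.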
103 @@ -1627,8 +1638,8 @@ static int mysql_check_group(request_rec
104  {
105         char *auth_table = "mysql_auth", *auth_group_field="groups", *auth_group_clause="";
106         char *query;
107 -       char *esc_user = mysql_escape(user, r->pool);
108 -       char *esc_group = mysql_escape(group, r->pool);
109 +       char *esc_user = mysql_escape(sec, r, user, r->pool);
110 +       char *esc_group = mysql_escape(sec, r, group, r->pool);
111         MYSQL_RES *result;
112         MYSQL_ROW row;
113         char *auth_user_field = "username";
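Review bot: In mysql_check_group the two escapes are still evaluated as declaration initializers, i.e. before any statement of the body can open a connection, whereas the same patch deliberately moved the escape in mysql_check_user_password behind an `if (!sec->dbh)` open. If this function can be entered with `sec->dbh` unset (its body starts below the hunk, so I cannot see whether and where it opens the link), mysql_real_escape_string() is handed a NULL handle. Suggest `char *esc_user = NULL, *esc_group = NULL;` here and, once the connection is known to be open, `esc_user = mysql_escape(sec, r, user, r->pool);` and `esc_group = mysql_escape(sec, r, group, r->pool);`, mirroring the user-password hunk.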