Fix CVE-2008-2384: Encode strings securely via
authorJoey Schulze <joey@infodrom.org>
Wed, 21 Jan 2009 17:58:33 +0000 (17:58 +0000)
committerJoey Schulze <joey@infodrom.org>
Wed, 21 Jan 2009 17:58:33 +0000 (17:58 +0000)
mysql_real_escape_string [013-CVE-2008-2384_charset.dpatch]

debian/changelog
debian/patches/00list
debian/patches/013-CVE-2008-2384_charset.dpatch [new file with mode: 0644]

index 00020ee..7cc082f 100644 (file)
@@ -2,8 +2,10 @@ mod-auth-mysql (4.3.9-11) unstable; urgency=low
 
   * Change section web to net
   * Bumped standards version
+  * Fix CVE-2008-2384: Encode strings securely via
+    mysql_real_escape_string [013-CVE-2008-2384_charset.dpatch]
 
- --
+ -- Joey Schulze <joey@infodrom.org>  Wed, 21 Jan 2009 18:58:04 +0100
 
 mod-auth-mysql (4.3.9-10) unstable; urgency=low
 
index 7c26cec..f30bd94 100644 (file)
@@ -9,3 +9,4 @@
 010-enctype-apache
 011-auth_basic
 012-charset
+013-CVE-2008-2384_charset
diff --git a/debian/patches/013-CVE-2008-2384_charset.dpatch b/debian/patches/013-CVE-2008-2384_charset.dpatch
new file mode 100644 (file)
index 0000000..845e110
--- /dev/null
@@ -0,0 +1,113 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 013-CVE-2008-2384_charset.dpatch by  <joey@localhost>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix CVE-2008-2384: Encode strings securely via mysql_real_escape_string()
+
+@DPATCH@
+diff -urNad mod-auth-mysql~/mod_auth_mysql.c mod-auth-mysql/mod_auth_mysql.c
+--- mod-auth-mysql~/mod_auth_mysql.c   2009-01-07 21:47:20.000000000 +0100
++++ mod-auth-mysql/mod_auth_mysql.c    2009-01-08 21:12:47.000000000 +0100
+@@ -340,6 +340,8 @@ typedef struct {
+ module auth_mysql_module;
++static int open_auth_dblink(request_rec *r, mysql_auth_config_rec *sec);
++
+ #ifdef APACHE2
+ static apr_status_t
+ #else
+@@ -506,9 +508,9 @@ static const char *set_scrambled_passwor
+  * server when passed in as part of a query.
+  */
+ #ifdef APACHE2
+-static char *mysql_escape(char *str, apr_pool_t *p)
++static char *mysql_escape(mysql_auth_config_rec *sec, request_rec *r, char *str, apr_pool_t *p)
+ #else
+-static char *mysql_escape(char *str, pool *p)
++static char *mysql_escape(mysql_auth_config_rec *sec, request_rec *r, char *str, pool *p)
+ #endif
+ {
+       char *dest;
+@@ -522,7 +524,7 @@ static char *mysql_escape(char *str, poo
+               return str;
+       }
+       
+-      mysql_escape_string(dest, str, strlen(str));
++      mysql_real_escape_string(sec->dbh, dest, str, strlen(str));
+       
+       return dest;
+ }
+@@ -1374,25 +1376,18 @@ static int open_auth_dblink(request_rec 
+       }
+       if (sec->db_charset) {
++              const char *check;
++
+               APACHELOG(APLOG_DEBUG, r,
+                       "Setting character set to %s", sec->db_charset);
+-              query = (char *) PSTRCAT(r->pool, "SET CHARACTER SET ", sec->db_charset, NULL);
+-              if (!query) {
+-                      APACHELOG(APLOG_ERR, r,
+-                              "Failed to create query string - we're no good...");
+-                      return -1;
+-              }
++              mysql_set_character_set(sec->dbh, sec->db_charset);
+-              if (mysql_query(sec->dbh, query)) {
+-                      if (sec->dbh)
+-                      {
+-                              APACHELOG(APLOG_ERR, r,
+-                                      "Query call failed: %s (%i)", mysql_error(sec->dbh),
+-                                      mysql_errno(sec->dbh));
+-                      }
++              check = mysql_character_set_name(sec->dbh);
+-                      APACHELOG(APLOG_DEBUG, r, "Failed query was: [%s]", query);
++              if (!check || strcmp(sec->db_charset, check)) {
++                      APACHELOG(APLOG_ERR, r,
++                              "Failed to set character set to %s", sec->db_charset);
+                       return -1;
+               }
+       }
+@@ -1537,11 +1532,27 @@ static int mysql_check_user_password(req
+       char *auth_table = "mysql_auth", *auth_user_field = "username",
+               *auth_password_field = "passwd", *auth_password_clause = "";
+       char *query;
+-      char *esc_user = mysql_escape(user, r->pool);
++      char *esc_user = NULL;
+       MYSQL_RES *result;
+       MYSQL_ROW sql_row;
++      int error = CR_UNKNOWN_ERROR;
+       int rv;
+               
++      if (!sec->dbh) {
++              APACHELOG(APLOG_DEBUG, r,
++                      "No DB connection open - firing one up");
++              if ((error = open_auth_dblink(r, sec))) {
++                      APACHELOG(APLOG_DEBUG, r,
++                              "open_auth_dblink returned %i", error);
++                      return error;
++              }
++
++              APACHELOG(APLOG_DEBUG, r,
++                      "Correctly opened a new DB connection");
++      }
++
++      esc_user = mysql_escape(sec, r, user, r->pool);
++
+       if (sec->user_table) {
+               auth_table = sec->user_table;
+       }
+@@ -1627,8 +1638,8 @@ static int mysql_check_group(request_rec
+ {
+       char *auth_table = "mysql_auth", *auth_group_field="groups", *auth_group_clause="";
+       char *query;
+-      char *esc_user = mysql_escape(user, r->pool);
+-      char *esc_group = mysql_escape(group, r->pool);
++      char *esc_user = mysql_escape(sec, r, user, r->pool);
++      char *esc_group = mysql_escape(sec, r, group, r->pool);
+       MYSQL_RES *result;
+       MYSQL_ROW row;
+       char *auth_user_field = "username";
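Review bot: In `mysql_check_group` the two `mysql_escape(sec, r, ...)` calls sit in the declaration initializers, so they reach `mysql_real_escape_string(sec->dbh, ...)` before anything in the visible lines confirms that `sec->dbh` is open. `mysql_check_user_password` gets an `if (!sec->dbh)` / `open_auth_dblink` guard ahead of its escape call in this same patch, but the group path does not. If a group check can run with a NULL or closed handle (not determinable from this hunk), the escape call would dereference an invalid connection during authorization. I would declare `char *esc_user = NULL, *esc_group = NULL;` and assign them only after the same guard, or have `mysql_escape` return NULL when `sec->dbh` is NULL and make callers treat that as a failed check. The body of `mysql_check_group` continues outside the hunk, so a later guard may exist, but it would still run after these initializers.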