From c698c1a65198b4ef374efbb2d0db7aa8bb5c9900 Mon Sep 17 00:00:00 2001
From: Joey Schulze
Date: Wed, 21 Jan 2009 17:58:33 +0000
Subject: [PATCH] Fix CVE-2008-2384: Encode strings securely via mysql_real_escape_string [013-CVE-2008-2384_charset.dpatch]

---
 debian/changelog | 4 +-
 debian/patches/00list | 1 +
 .../patches/013-CVE-2008-2384_charset.dpatch | 113 ++++++++++++++++++
 3 files changed, 117 insertions(+), 1 deletion(-)
 create mode 100644 debian/patches/013-CVE-2008-2384_charset.dpatch

diff --git a/debian/changelog b/debian/changelog
index 00020ee..7cc082f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,8 +2,10 @@ mod-auth-mysql (4.3.9-11) unstable; urgency=low
 
 * Change section web to net
 * Bumped standards version
+ * Fix CVE-2008-2384: Encode strings securely via
+ mysql_real_escape_string [013-CVE-2008-2384_charset.dpatch]
 
- --
+ -- Joey Schulze Wed, 21 Jan 2009 18:58:04 +0100
 
 mod-auth-mysql (4.3.9-10) unstable; urgency=low
 
diff --git a/debian/patches/00list b/debian/patches/00list
index 7c26cec..f30bd94 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -9,3 +9,4 @@
 010-enctype-apache
 011-auth_basic
 012-charset
+013-CVE-2008-2384_charset
diff --git a/debian/patches/013-CVE-2008-2384_charset.dpatch b/debian/patches/013-CVE-2008-2384_charset.dpatch
new file mode 100644
index 0000000..845e110
--- /dev/null
+++ b/debian/patches/013-CVE-2008-2384_charset.dpatch
@@ -0,0 +1,113 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 013-CVE-2008-2384_charset.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix CVE-2008-2384: Encode strings securely via mysql_real_escape_string()
+
+@DPATCH@
+diff -urNad mod-auth-mysql~/mod_auth_mysql.c mod-auth-mysql/mod_auth_mysql.c
+--- mod-auth-mysql~/mod_auth_mysql.c 2009-01-07 21:47:20.000000000 +0100
++++ mod-auth-mysql/mod_auth_mysql.c 2009-01-08 21:12:47.000000000 +0100
+@@ -340,6 +340,8 @@ typedef struct {
+ 
+ module auth_mysql_module;
+ 
++static int open_auth_dblink(request_rec *r, mysql_auth_config_rec *sec);
++
+ #ifdef APACHE2
+ static apr_status_t
+ #else
+@@ -506,9 +508,9 @@ static const char *set_scrambled_passwor
+ * server when passed in as part of a query.
+ */
+ #ifdef APACHE2
+-static char *mysql_escape(char *str, apr_pool_t *p)
++static char *mysql_escape(mysql_auth_config_rec *sec, request_rec *r, char *str, apr_pool_t *p)
+ #else
+-static char *mysql_escape(char *str, pool *p)
++static char *mysql_escape(mysql_auth_config_rec *sec, request_rec *r, char *str, pool *p)
+ #endif
+ {
+ char *dest;
+@@ -522,7 +524,7 @@ static char *mysql_escape(char *str, poo
+ return str;
+ }
+ 
+- mysql_escape_string(dest, str, strlen(str));
++ mysql_real_escape_string(sec->dbh, dest, str, strlen(str));
+ 
+ return dest;
+ }
+@@ -1374,25 +1376,18 @@ static int open_auth_dblink(request_rec
+ }
+ 
+ if (sec->db_charset) {
++ const char *check;
++
+ APACHELOG(APLOG_DEBUG, r,
+ "Setting character set to %s", sec->db_charset);
+ 
+- query = (char *) PSTRCAT(r->pool, "SET CHARACTER SET ", sec->db_charset, NULL);
+- if (!query) {
+- APACHELOG(APLOG_ERR, r,
+- "Failed to create query string - we're no good...");
+- return -1;
+- }
++ mysql_set_character_set(sec->dbh, sec->db_charset);
+ 
+- if (mysql_query(sec->dbh, query)) {
+- if (sec->dbh)
+- {
+- APACHELOG(APLOG_ERR, r,
+- "Query call failed: %s (%i)", mysql_error(sec->dbh),
+- mysql_errno(sec->dbh));
+- }
++ check = mysql_character_set_name(sec->dbh);
+ 
+- APACHELOG(APLOG_DEBUG, r, "Failed query was: [%s]", query);
++ if (!check || strcmp(sec->db_charset, check)) {
++ APACHELOG(APLOG_ERR, r,
++ "Failed to set character set to %s", sec->db_charset);
+ return -1;
+ }
+ }
+@@ -1537,11 +1532,27 @@ static int mysql_check_user_password(req
+ char *auth_table = "mysql_auth", *auth_user_field = "username",
+ *auth_password_field = "passwd", *auth_password_clause = "";
+ char *query;
+- char *esc_user = mysql_escape(user, r->pool);
++ char *esc_user = NULL;
+ MYSQL_RES *result;
+ MYSQL_ROW sql_row;
++ int error = CR_UNKNOWN_ERROR;
+ int rv;
+ 
++ if (!sec->dbh) {
++ APACHELOG(APLOG_DEBUG, r,
++ "No DB connection open - firing one up");
++ if ((error = open_auth_dblink(r, sec))) {
++ APACHELOG(APLOG_DEBUG, r,
++ "open_auth_dblink returned %i", error);
++ return error;
++ }
++
++ APACHELOG(APLOG_DEBUG, r,
++ "Correctly opened a new DB connection");
++ }
++
++ esc_user = mysql_escape(sec, r, user, r->pool);
++
+ if (sec->user_table) {
+ auth_table = sec->user_table;
+ }
+@@ -1627,8 +1638,8 @@ static int mysql_check_group(request_rec
+ {
+ char *auth_table = "mysql_auth", *auth_group_field="groups", *auth_group_clause="";
+ char *query;
+- char *esc_user = mysql_escape(user, r->pool);
+- char *esc_group = mysql_escape(group, r->pool);
++ char *esc_user = mysql_escape(sec, r, user, r->pool);
++ char *esc_group = mysql_escape(sec, r, group, r->pool);
+ MYSQL_RES *result;
+ MYSQL_ROW row;
+ char *auth_user_field = "username";
-- 
2.20.1
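Review bot: In the `-1627,8 +1638,8` hunk, `mysql_check_group` still escapes at declaration time (`char *esc_user = mysql_escape(sec, r, user, r->pool);`), so `mysql_real_escape_string(sec->dbh, ...)` now runs before any check that the connection is open; the hunk shows no such check earlier in that function, and the same commit had to add one to `mysql_check_user_password` precisely because its initializer ran with `sec->dbh` unset. If `mysql_check_group` opens the connection later in its body (which continues outside the hunk), the first request handled by a fresh process passes a NULL handle to `mysql_real_escape_string`, and the escaping is then not tied to the connection's character set, which is the point of CVE-2008-2384. I would declare `char *esc_user = NULL, *esc_group = NULL;` and assign `esc_user = mysql_escape(sec, r, user, r->pool); esc_group = mysql_escape(sec, r, group, r->pool);` only after the same `if (!sec->dbh) { ... open_auth_dblink(r, sec) ... }` block this commit adds to `mysql_check_user_password`. Independently, `mysql_escape` should refuse to proceed when `sec->dbh` is NULL, and its callers should treat an escape failure as an authentication failure instead of continuing with the unescaped input the way the existing `return str;` fallback in that function does.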