Attachment 178579 Details for Bug 255031 – mod_auth_mysql-CVE-2008-2384.patch

[patch] mod_auth_mysql-CVE-2008-2384.patch

mod_auth_mysql-CVE-2008-2384.patch (text/plain), 3.18 KB, created by Robert Buchholz (RETIRED) on 2009-01-15 12:27:32 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Robert Buchholz (RETIRED)

Created: 2009-01-15 12:27:32 UTC

Size: 3.18 KB

patch

obsolete

>diff -urNad mod-auth-mysql~/mod_auth_mysql.c mod-auth-mysql/mod_auth_mysql.c
>--- mod-auth-mysql~/mod_auth_mysql.c	2009-01-07 21:47:20.000000000 +0100
>+++ mod-auth-mysql/mod_auth_mysql.c	2009-01-08 21:12:47.000000000 +0100
>@@ -340,6 +340,8 @@ typedef struct {
> 
> module auth_mysql_module;
> 
>+static int open_auth_dblink(request_rec *r, mysql_auth_config_rec *sec);
>+
> #ifdef APACHE2
> static apr_status_t
> #else
>@@ -506,9 +508,9 @@ static const char *set_scrambled_passwor
>  * server when passed in as part of a query.
>  */
> #ifdef APACHE2
>-static char *mysql_escape(char *str, apr_pool_t *p)
>+static char *mysql_escape(mysql_auth_config_rec *sec, request_rec *r, char *str, apr_pool_t *p)
> #else
>-static char *mysql_escape(char *str, pool *p)
>+static char *mysql_escape(mysql_auth_config_rec *sec, request_rec *r, char *str, pool *p)
> #endif
> {
> 	char *dest;
>@@ -522,7 +524,7 @@ static char *mysql_escape(char *str, poo
> 		return str;
> 	}
> 	
>-	mysql_escape_string(dest, str, strlen(str));
>+	mysql_real_escape_string(sec->dbh, dest, str, strlen(str));
> 	
> 	return dest;
> }
>@@ -1374,25 +1376,18 @@ static int open_auth_dblink(request_rec 
> 	}
> 
> 	if (sec->db_charset) {
>+		const char *check;
>+
> 		APACHELOG(APLOG_DEBUG, r,
> 			"Setting character set to %s", sec->db_charset);
> 
>-		query = (char *) PSTRCAT(r->pool, "SET CHARACTER SET ", sec->db_charset, NULL);
>-		if (!query) {
>-			APACHELOG(APLOG_ERR, r,
>-				"Failed to create query string - we're no good...");
>-			return -1;
>-		}
>+		mysql_set_character_set(sec->dbh, sec->db_charset);
> 
>-		if (mysql_query(sec->dbh, query)) {
>-			if (sec->dbh)
>-			{
>-				APACHELOG(APLOG_ERR, r,
>-					"Query call failed: %s (%i)", mysql_error(sec->dbh),
>-					mysql_errno(sec->dbh));
>-			}
>+		check = mysql_character_set_name(sec->dbh);
> 
>-			APACHELOG(APLOG_DEBUG, r, "Failed query was: [%s]", query);
>+		if (!check || strcmp(sec->db_charset, check)) {
>+			APACHELOG(APLOG_ERR, r,
>+				"Failed to set character set to %s", sec->db_charset);
> 			return -1;
> 		}
> 	}
>@@ -1537,11 +1532,27 @@ static int mysql_check_user_password(req
> 	char *auth_table = "mysql_auth", *auth_user_field = "username",
> 		*auth_password_field = "passwd", *auth_password_clause = "";
> 	char *query;
>-	char *esc_user = mysql_escape(user, r->pool);
>+	char *esc_user = NULL;
> 	MYSQL_RES *result;
> 	MYSQL_ROW sql_row;
>+	int error = CR_UNKNOWN_ERROR;
> 	int rv;
> 		
>+	if (!sec->dbh) {
>+		APACHELOG(APLOG_DEBUG, r,
>+			"No DB connection open - firing one up");
>+		if ((error = open_auth_dblink(r, sec))) {
>+			APACHELOG(APLOG_DEBUG, r,
>+				"open_auth_dblink returned %i", error);
>+			return error;
>+		}
>+
>+		APACHELOG(APLOG_DEBUG, r,
>+			"Correctly opened a new DB connection");
>+	}
>+
>+	esc_user = mysql_escape(sec, r, user, r->pool);
>+
> 	if (sec->user_table) {
> 		auth_table = sec->user_table;
> 	}
>@@ -1627,8 +1638,8 @@ static int mysql_check_group(request_rec
> {
> 	char *auth_table = "mysql_auth", *auth_group_field="groups", *auth_group_clause="";
> 	char *query;
>-	char *esc_user = mysql_escape(user, r->pool);
>-	char *esc_group = mysql_escape(group, r->pool);
>+	char *esc_user = mysql_escape(sec, r, user, r->pool);
>+	char *esc_group = mysql_escape(sec, r, group, r->pool);
> 	MYSQL_RES *result;
> 	MYSQL_ROW row;
> 	char *auth_user_field = "username";

Actions: View | Diff

Attachments on bug 255031: 178579