authorMichael Nottebrock <lofi@FreeBSD.org>2005-01-01 13:36:18 +0000
committerMichael Nottebrock <lofi@FreeBSD.org>2005-01-01 13:36:18 +0000
commit18e5ca604b79a485db6901aa8f4e8749df21e407 (patch)
treefc0df8bfcc0db194b240ddeeff9c352c6051eb48 /x11/kdelibs3/files/patch-post-3.3.2-kdelibs-kioslave
parentFix build. (diff)
Patch ftp kioslave command injection vulnerability.
References: http://www.securityfocus.com/bid/11827 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1165 Approved by: portmgr
Diffstat (limited to '')
-rw-r--r--x11/kdelibs3/files/patch-post-3.3.2-kdelibs-kioslave18
1 files changed, 18 insertions, 0 deletions
diff --git a/x11/kdelibs3/files/patch-post-3.3.2-kdelibs-kioslave b/x11/kdelibs3/files/patch-post-3.3.2-kdelibs-kioslave
new file mode 100644
index 000000000000..18dc66b03367
--- /dev/null
+++ b/x11/kdelibs3/files/patch-post-3.3.2-kdelibs-kioslave
@@ -0,0 +1,18 @@
+diff -b -p -u -r1.213.2.1 -r1.213.2.2
+--- kioslave/ftp/ftp.cc 21 Sep 2004 16:17:56 -0000 1.213.2.1
++++ kioslave/ftp/ftp.cc 26 Dec 2004 00:29:54 -0000 1.213.2.2
+@@ -751,6 +751,14 @@ bool Ftp::ftpSendCmd( const QCString& cm
+ {
+ assert(m_control != NULL); // must have control connection socket
+
++ if ( cmd.find( '\r' ) != -1 || cmd.find( '\n' ) != -1)
++ {
++ kdWarning(7102) << "Invalid command received (contains CR or LF): "
++ << cmd.data() << endl;
++ error( ERR_UNSUPPORTED_ACTION, m_host );
++ return false;
++ }
++
+ // Don't print out the password...
+ bool isPassCmd = (cmd.left(4).lower() == "pass");
+ if ( !isPassCmd )
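Review bot: The warning in the new CR/LF guard writes `cmd.data()` to the debug log before the `isPassCmd` check that follows it, so a rejected PASS command would have its password logged despite the "Don't print out the password..." rule. The rejected string also contains a raw CR or LF by definition, so echoing it lets untrusted input split or forge log lines. I would log only the fact of the rejection, e.g. `kdWarning(7102) << "Invalid command received (contains CR or LF)" << endl;`, or move the guard below the `isPassCmd` computation and print the command only when `!isPassCmd`, with control characters escaped. The body of `Ftp::ftpSendCmd` continues outside the hunk, so how `cmd` is finally written to the control socket is not visible here.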