36ed5c3290
app is subtly but totally broken by removing API functions unless we use the magic button. Depending on the architecture the code may work or crash horribly without this. OK sthen@ (there are similar hacks in many other apps)
20 lines
636 B
Plaintext
$OpenBSD: patch-auth_ldap_c,v 1.3 2009/05/11 19:40:58 claudio Exp $
Fixes a security bug that could allow attacker to execute arbitrary
commands as the apache user.
This is fixed in auth_ldap-1.6.1 but that release is broken. So we just
took the security fix.
--- auth_ldap.c.orig Wed Jul 4 16:38:03 2001
+++ auth_ldap.c Sun May 10 12:37:14 2009
@@ -87,7 +87,7 @@ void auth_ldap_log_reason(request_rec *r, const char *
#if APACHE_RELEASE < 1030000
log_reason(buf, r->uri, r);
#else
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, r, buf);
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, r, "%s", buf);
#endif
}
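Review bot: the `log_reason(buf, r->uri, r);` call in the `APACHE_RELEASE < 1030000` branch still passes `buf` as its first argument and is left unchanged, so it is worth confirming that `log_reason` does not interpret that argument as a format string, or stating in the patch header that only the `ap_log_rerror` path was affected. The header would also benefit from naming the defect directly: `buf` was being passed in the format-string position of `ap_log_rerror`, and the added `"%s"` makes it a plain argument. That gives later maintainers the reason for the one-line change without having to look up the auth_ldap-1.6.1 release it was taken from.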