--- modules/proxy/mod_proxy_ftp.c 2009-09-22 07:20:48.000000000 -0400 +++ modules/proxy/mod_proxy_ftp.c.oden 2009-09-22 07:21:35.000000000 -0400 @@ -880,6 +880,11 @@ static int proxy_ftp_handler(request_rec if ((password = apr_table_get(r->headers_in, "Authorization")) != NULL && strcasecmp(ap_getword(r->pool, &password, ' '), "Basic") == 0 && (password = ap_pbase64decode(r->pool, password))[0] != ':') { + /* Check the decoded string for special characters. */ + if (!ftp_check_string(password)) { + return ap_proxyerror(r, HTTP_BAD_REQUEST, + "user credentials contained invalid character"); + } /* * Note that this allocation has to be made from r->connection->pool * because it has the lifetime of the connection. The other