PR63688 balancer csrf problems

author Eric Covener <covener@apache.org>

Fri, 23 Aug 2019 13:06:57 +0000 (13:06 +0000)

committer Eric Covener <covener@apache.org>

Fri, 23 Aug 2019 13:06:57 +0000 (13:06 +0000)
author Eric Covener <covener@apache.org>
Fri, 23 Aug 2019 13:06:57 +0000 (13:06 +0000)
committer Eric Covener <covener@apache.org>
Fri, 23 Aug 2019 13:06:57 +0000 (13:06 +0000)
diff --git a/CHANGES b/CHANGES

index 52ced0b2dfee9591bce79e924f4e101ab2922abd..cba4b195abdba36cc10ea1f6961479e4fac323be 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                           -*- coding: utf-8 -*-
  Changes with Apache 2.5.1
  
+  *) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS 
+     protection. PR63688. [Armin Abfalterer <a.abfalterer gmail.com>]
+
    *) mod_authn_socache: Increase the maximum length of strings that can be cached by
       the module from 100 to 256.  PR 62149 [<thorsten.meinl knime.com>]
  
diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c

index 0ff3feb24486eeb9fe9e390a9cb6ef8a35a02f7f..ca2462285bef37fea5297fe6eda199a45f3954b6 100644 (file)
--- a/modules/proxy/mod_proxy_balancer.c
+++ b/modules/proxy/mod_proxy_balancer.c
@@ -1852,7 +1852,7 @@ static int safe_referer(request_rec *r, const char *ref)
      if (apr_uri_parse(r->pool, ref, &uri) || !uri.hostname)
          return 0;
  
-    return strcmp(uri.hostname, ap_get_server_name(r)) == 0;
+    return strcasecmp(uri.hostname, ap_get_server_name(r)) == 0;
  }
  
  /* Manages the loadfactors and member status
author	Eric Covener <covener@apache.org>
	Fri, 23 Aug 2019 13:06:57 +0000 (13:06 +0000)
committer	Eric Covener <covener@apache.org>
	Fri, 23 Aug 2019 13:06:57 +0000 (13:06 +0000)
CHANGES		patch \| blob \| history
modules/proxy/mod_proxy_balancer.c		patch \| blob \| history