From: Joe Orton Date: Thu, 8 Aug 2019 12:11:36 +0000 (+0000) Subject: * modules/proxy/mod_proxy_balancer.c (balancer_handler): Check Referer X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ed70569bf5d57699818d95a265886c78fc39e58d;p=apache * modules/proxy/mod_proxy_balancer.c (balancer_handler): Check Referer to improve on protection against balancer-manager XSRF attacks provided by the nonce. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1864695 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c
index 0ca13fd343..ca00f56238 100644
--- a/modules/proxy/mod_proxy_balancer.c
+++ b/modules/proxy/mod_proxy_balancer.c
@@ -1843,6 +1843,18 @@ static void balancer_display_page(request_rec *r, proxy_server_conf *conf,
     }
 }
 
+/* Returns non-zero if the Referer: header value passed matches the
+ * host of the request. */
+static int safe_referer(request_rec *r, const char *ref)
+{
+    apr_uri_t uri;
+
+    if (apr_uri_parse(r->pool, ref, &uri) || !uri.hostname)
+        return 0;
+
+    return strcmp(uri.hostname, ap_get_server_name(r)) == 0;
+}
+
 /* Manages the loadfactors and member status
  * The balancer, worker and nonce are obtained from
  * the request args (?b=...&w=...&nonce=....).
@@ -1860,7 +1872,7 @@ static int balancer_handler(request_rec *r)
     apr_table_t *params;
     int i;
     int ok2change = 1;
-    const char *name;
+    const char *name, *ref;
     apr_status_t rv;
 
     /* is this for us? */
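Review bot: `strcmp(uri.hostname, ap_get_server_name(r))` in safe_referer compares host names case-sensitively, but host names are case-insensitive, so a browser sending a Referer whose host differs from the configured server name only in case (e.g. `EXAMPLE.COM` vs `example.com`) is classified as cross-site and has its parameters dropped. That fails closed, so it is not a bypass, but it makes the manager spuriously unusable and the APLOG_ERR noisy; `return strcasecmp(uri.hostname, ap_get_server_name(r)) == 0;` (or `ap_cstr_casecmp`) fixes it. The header comment should also record what is deliberately not compared — scheme and port — and that with `UseCanonicalName Off` ap_get_server_name() reflects the client-supplied Host header, so the check amounts to "Referer host equals the Host this request was addressed to", which still defeats a browser-originated cross-site request because the attacker controls neither value. It is worth stating too that a missing Referer (Referrer-Policy, privacy proxies) is legitimately possible and is treated as cross-site by the caller, i.e. the fail-closed default is intentional.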
@@ -1920,6 +1932,15 @@ static int balancer_handler(request_rec *r)
             push2table(buf, params, NULL, r->pool);
         }
     }
+    /* Ignore parameters if this looks like XSRF */
+    ref = apr_table_get(r->headers_in, "Referer");
+    if (apr_table_elts(params)
+        && (!ref || !safe_referer(r, ref))) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10187)
+                      "ignoring params in balancer-manager cross-site access");
+        apr_table_clear(params);
+    }
+
     /* Process the parameters */
     if ((name = apr_table_get(params, "b")))
         bsel = ap_proxy_get_balancer(r->pool, conf,
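Review bot: `apr_table_elts(params)` yields a pointer to the table's array header and is never NULL, so the first operand of the new condition is always true and the block runs on every balancer-manager request without a same-host Referer, including a plain GET carrying no parameters; each such read-only view then logs APLOGNO(10187) at APLOG_ERR and clears an already-empty table. The evident intent is "only when parameters were supplied", which is `if (apr_table_elts(params)->nelts && (!ref || !safe_referer(r, ref))) {`. The enforcement itself fails closed and the nonce check further down still applies, so this is log noise and a confusing error for an admin who types the URL or whose browser suppresses Referer, not a bypass. balancer_handler continues outside the hunk.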