From a541e41dabbcc56e38e443aa9cf9e4448fbc942f Mon Sep 17 00:00:00 2001
From: Jim Jagielski
Date: Thu, 13 Jan 2011 15:59:25 +0000
Subject: [PATCH] And check the nonce, taking care to ensure that the form actually specified a balancer.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1058630 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/proxy/mod_proxy_balancer.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c
index e7566051c7..884c1e8ea9 100644
--- a/modules/proxy/mod_proxy_balancer.c
+++ b/modules/proxy/mod_proxy_balancer.c
@@ -849,15 +849,20 @@ static int balancer_handler(request_rec *r)
 wsel = ap_proxy_get_worker(r->pool, bsel, conf, name);
 }
-#if 0
+
 /* Check that the supplied nonce matches this server's nonce;
 * otherwise ignore all parameters, to prevent a CSRF attack. */
- if (*balancer_nonce &&
- ((name = apr_table_get(params, "nonce")) == NULL
- || strcmp(balancer_nonce, name) != 0)) {
+ if (!bsel ||
+ (*bsel->nonce &&
+ (
+ (name = apr_table_get(params, "nonce")) == NULL ||
+ strcmp(bsel->nonce, name) != 0
+ )
+ )
+ ) {
 apr_table_clear(params);
 }
-#endif
+
 /* First set the params */
 /*
 * Note that it is not possible set the proxy_balancer because it is not
-- 
2.40.0
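Review bot: A missing or mismatched nonce falls through to `apr_table_clear(params)` without any log record, so a CSRF attempt against the balancer-manager leaves operators nothing to detect; the clearing branch should emit a warning such as `ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "balancer-manager: no balancer or invalid nonce in request, ignoring parameters");` (assuming the usual httpd logging macros are in scope here, which the hunk does not show). The `*bsel->nonce &&` guard also means a balancer whose nonce is the empty string receives no CSRF check at all; if that is a deliberate opt-out it deserves a comment like `/* An empty configured nonce disables the CSRF check for this balancer. */`, because as written it reads like a bypass. As a matter of style, the eight-line parenthesised condition and the reuse of `name` (which held the worker name two lines earlier) for the nonce value make the check harder to audit than necessary; reading the nonce into its own local once, before the `if`, flattens it to a single readable condition. balancer_handler starts before and continues after this hunk, so the new local would be declared with the function's other variables.
```c
    /* Check that the supplied nonce matches this balancer's nonce;
     * otherwise ignore all parameters, to prevent a CSRF attack.
     * An empty configured nonce disables the check for this balancer. */
    nonce = apr_table_get(params, "nonce");
    if (!bsel || (*bsel->nonce && (!nonce || strcmp(bsel->nonce, nonce) != 0))) {
        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
                      "balancer-manager: no balancer or invalid nonce in request, ignoring parameters");
        apr_table_clear(params);
    }
    /* … unchanged: parameter handling that follows … */
```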