Posted to cvs@httpd.apache.org by ji...@apache.org on 2011/01/13 16:59:26 UTC
svn commit: r1058630 - /httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c
Author: jim
Date: Thu Jan 13 15:59:25 2011
New Revision: 1058630
URL: http://svn.apache.org/viewvc?rev=1058630&view=rev
Log:
And check the nonce, taking care to ensure that the
form actually specified a balancer.
Modified:
httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c
Modified: httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c?rev=1058630&r1=1058629&r2=1058630&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c (original)
+++ httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c Thu Jan 13 15:59:25 2011
@@ -849,15 +849,20 @@ static int balancer_handler(request_rec
wsel = ap_proxy_get_worker(r->pool, bsel, conf, name);
}
-#if 0
+
/* Check that the supplied nonce matches this server's nonce;
* otherwise ignore all parameters, to prevent a CSRF attack. */
- if (*balancer_nonce &&
- ((name = apr_table_get(params, "nonce")) == NULL
- || strcmp(balancer_nonce, name) != 0)) {
+ if (!bsel ||
+ (*bsel->nonce &&
+ (
+ (name = apr_table_get(params, "nonce")) == NULL ||
+ strcmp(bsel->nonce, name) != 0
+ )
+ )
+ ) {
apr_table_clear(params);
}
-#endif
+
/* First set the params */
/*
* Note that it is not possible set the proxy_balancer because it is not
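Review bot: The rewritten condition still fails open when `bsel->nonce` is an empty string: `*bsel->nonce &&` short-circuits, so every parameter is accepted without any nonce, and nothing in the hunk shows whether an empty nonce is a deliberate "protection off" state or simply a balancer whose nonce was never set. If it is deliberate, the comment should say so; it also still refers to "this server's nonce" although the comparison is now per balancer, so something like `/* Check the supplied nonce against the selected balancer's nonce; an empty balancer nonce disables the check. */` would match the code. The rejection is also silent, since `apr_table_clear(params)` leaves no trace, so a log line on mismatch (for example through `ap_log_rerror`) would give operators a signal for forged or stale form submissions. balancer_handler starts and ends outside the hunk, so how `params` and the reused `name` variable are consumed afterwards cannot be checked from here.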