Posted to cvs@httpd.apache.org by co...@apache.org on 2019/08/23 13:06:57 UTC
svn commit: r1865749 - in /httpd/httpd/trunk: CHANGES modules/proxy/mod_proxy_balancer.c
Author: covener
Date: Fri Aug 23 13:06:57 2019
New Revision: 1865749
URL: http://svn.apache.org/viewvc?rev=1865749&view=rev
Log:
PR63688 balancer csrf problems
fix case-sensitive referer check
Submitted By: Armin Abfalterer
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1865749&r1=1865748&r2=1865749&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri Aug 23 13:06:57 2019
@@ -1,6 +1,9 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
+ protection. PR63688. [Armin Abfalterer <a.abfalterer gmail.com>]
+
*) mod_authn_socache: Increase the maximum length of strings that can be cached by
the module from 100 to 256. PR 62149 [<thorsten.meinl knime.com>]
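Review bot: The new CHANGES entry writes the bug reference as "PR63688" while the mod_authn_socache entry directly below uses "PR 62149"; use the spaced form so the two entries match. The entry would also be easier to act on if it named the symptom, which from the code change is that a Referer whose hostname differs from the server name only in letter case was rejected.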
Modified: httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c?rev=1865749&r1=1865748&r2=1865749&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c (original)
+++ httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c Fri Aug 23 13:06:57 2019
@@ -1852,7 +1852,7 @@ static int safe_referer(request_rec *r,
if (apr_uri_parse(r->pool, ref, &uri) || !uri.hostname)
return 0;
- return strcmp(uri.hostname, ap_get_server_name(r)) == 0;
+ return strcasecmp(uri.hostname, ap_get_server_name(r)) == 0;
}
/* Manages the loadfactors and member status
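Review bot: In the return statement of safe_referer(), strcasecmp() folds case according to the process locale, so the result of a hostname comparison can vary with the environment; httpd's locale-independent ap_cstr_casecmp() is the better fit for comparing hostnames, which are ASCII and case-insensitive. Separately, the check still compares only uri.hostname against ap_get_server_name(r), so the scheme and port of the Referer play no part in the decision; if same-origin is the intent, that deserves either a comparison of those fields or a comment stating that hostname equality is the deliberate limit of this check.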