On 08/08/2019 02:11 PM, [email protected] wrote:
> Author: jorton
> Date: Thu Aug 8 12:11:36 2019
> New Revision: 1864695
>
> URL: http://svn.apache.org/viewvc?rev=1864695&view=rev
> Log:
> * modules/proxy/mod_proxy_balancer.c (balancer_handler): Check Referer
> to improve on protection against balancer-manager XSRF attacks
> provided by the nonce.
>
> Modified:
> httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c
>
> Modified: httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c?rev=1864695&r1=1864694&r2=1864695&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c (original)
> +++ httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c Thu Aug 8 12:11:36
> 2019
> @@ -1843,6 +1843,18 @@ static void balancer_display_page(reques
> }
> }
>
> +/* Returns non-zero if the Referer: header value passed matches the
> + * host of the request. */
> +static int safe_referer(request_rec *r, const char *ref)
> +{
> + apr_uri_t uri;
> +
> + if (apr_uri_parse(r->pool, ref, &uri) || !uri.hostname)
> + return 0;
> +
> + return strcmp(uri.hostname, ap_get_server_name(r)) == 0;
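Review bot: the hostname comparison at `return strcmp(uri.hostname, ap_get_server_name(r)) == 0;` is case-sensitive, but DNS hostnames are not, so a Referer that writes the host with different capitalisation is rejected as unsafe even though it is the same origin; `strcasecmp` would be the usual choice here. The check also compares only the hostname, so a Referer from a different port on the same host (a different origin to the browser) passes `safe_referer()`; comparing `uri.port` against `ap_get_server_port(r)` as well would make the check match the origin more closely. Finally, the comment above the function says it returns non-zero when the Referer matches the request host; it would help to state there that an unparseable Referer or one without a hostname is treated as unsafe, since that is the behaviour of the `apr_uri_parse()` / `!uri.hostname` branch.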
Shouldn't we use strcasecmp instead of strcmp here? IMHO hostnames are case
insensitive.
Regards
Rüdiger