Merge r1865749 from trunk:

author Joe Orton <jorton@apache.org>

Tue, 27 Aug 2019 05:50:19 +0000 (05:50 +0000)

committer Joe Orton <jorton@apache.org>

Tue, 27 Aug 2019 05:50:19 +0000 (05:50 +0000)
author Joe Orton <jorton@apache.org>
Tue, 27 Aug 2019 05:50:19 +0000 (05:50 +0000)
committer Joe Orton <jorton@apache.org>
Tue, 27 Aug 2019 05:50:19 +0000 (05:50 +0000)
diff --git a/CHANGES b/CHANGES

index 0f91414ecd2c09901f4b50b503bed2089fbed8d9..cababde6f7b0bd90080bbf6c1572aa9b98262261 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                           -*- coding: utf-8 -*-
  Changes with Apache 2.4.42
  
+  *) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS 
+     protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]
+
  Changes with Apache 2.4.41
  
    *) SECURITY: CVE-2019-10097 (cve.mitre.org)
diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c

index 398ff4f52c020bfd0e29640acf609f4c8c1c0d66..77c1dd2b28ef88167cc0135b308abcab40cf28aa 100644 (file)
--- a/modules/proxy/mod_proxy_balancer.c
+++ b/modules/proxy/mod_proxy_balancer.c
@@ -1104,7 +1104,7 @@ static int safe_referer(request_rec *r, const char *ref)
      if (apr_uri_parse(r->pool, ref, &uri) || !uri.hostname)
          return 0;
  
-    return strcmp(uri.hostname, ap_get_server_name(r)) == 0;
+    return strcasecmp(uri.hostname, ap_get_server_name(r)) == 0;
  }
  
  /* Manages the loadfactors and member status
author	Joe Orton <jorton@apache.org>
	Tue, 27 Aug 2019 05:50:19 +0000 (05:50 +0000)
committer	Joe Orton <jorton@apache.org>
	Tue, 27 Aug 2019 05:50:19 +0000 (05:50 +0000)
CHANGES		patch \| blob \| blame \| history
modules/proxy/mod_proxy_balancer.c		patch \| blob \| blame \| history