From: Joe Orton Date: Tue, 27 Aug 2019 05:50:19 +0000 (+0000) Subject: Merge r1865749 from trunk: X-Git-Tag: 2.4.42~276 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cd9bcea2d3db31a38ad12474ebc0c7658134cbfd;p=thirdparty%2Fapache%2Fhttpd.git Merge r1865749 from trunk: PR63688 balancer csrf problems fix case-sensitive referer check Submitted By: Armin Abfalterer Reviewed by: covener, jim, jorton PR: 63688 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1865966 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 0f91414ecd2..cababde6f7b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.42 + *) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS + protection. PR 63688. [Armin Abfalterer ] + Changes with Apache 2.4.41 *) SECURITY: CVE-2019-10097 (cve.mitre.org) diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c index 398ff4f52c0..77c1dd2b28e 100644 --- a/modules/proxy/mod_proxy_balancer.c +++ b/modules/proxy/mod_proxy_balancer.c @@ -1104,7 +1104,7 @@ static int safe_referer(request_rec *r, const char *ref) if (apr_uri_parse(r->pool, ref, &uri) || !uri.hostname) return 0; - return strcmp(uri.hostname, ap_get_server_name(r)) == 0; + return strcasecmp(uri.hostname, ap_get_server_name(r)) == 0; } /* Manages the loadfactors and member status
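Review bot: the switch from strcmp to strcasecmp in safe_referer is the right direction, since DNS hostnames are case-insensitive, but strcasecmp is locale-dependent per POSIX and under a non-C locale can fold characters outside ASCII unexpectedly; for a security check that compares a hostname against ap_get_server_name(r), an ASCII-only comparison is preferable (httpd's own ap_cstr_casecmp, if it is available on this branch, or apr_strnatcasecmp at a minimum). Two further points are worth stating in the commit or a comment, since the hunk leaves them as they were: the comparison covers only uri.hostname, so a Referer that differs from the request in scheme or port but matches on host still passes, and ap_get_server_name(r) reflects UseCanonicalName, so with UseCanonicalName Off the comparison target is whatever Host the client supplied rather than the configured ServerName. Both are pre-existing behaviour rather than regressions from this change, but they determine how much the referer check actually protects the balancer-manager handler and should be documented alongside it.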