From: Eric Covener Date: Fri, 23 Aug 2019 13:06:57 +0000 (+0000) Subject: PR63688 balancer csrf problems X-Git-Tag: 2.5.0-alpha2-ci-test-only~1919 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0951669df6cd687511c10b1c889ba746407f4229;p=thirdparty%2Fapache%2Fhttpd.git PR63688 balancer csrf problems fix case-sensitive referer check Submitted By: Armin Abfalterer git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1865749 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 52ced0b2dfe..cba4b195abd 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS + protection. PR63688. [Armin Abfalterer ] + *) mod_authn_socache: Increase the maximum length of strings that can be cached by the module from 100 to 256. PR 62149 [] diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c index 0ff3feb2448..ca2462285be 100644 --- a/modules/proxy/mod_proxy_balancer.c +++ b/modules/proxy/mod_proxy_balancer.c @@ -1852,7 +1852,7 @@ static int safe_referer(request_rec *r, const char *ref) if (apr_uri_parse(r->pool, ref, &uri) || !uri.hostname) return 0; - return strcmp(uri.hostname, ap_get_server_name(r)) == 0; + return strcasecmp(uri.hostname, ap_get_server_name(r)) == 0; } /* Manages the loadfactors and member status
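Review bot: the new CHANGES entry writes the bug reference as "PR63688" while the entry directly below it uses "PR 62149"; match the existing spacing ("PR 63688") so the file stays consistent and greppable. The attribution bracket "[Armin Abfalterer ]" also carries a stray space before the closing bracket; either drop it or fill in the submitter address in the usual "[Name <address>]" form.

Review bot: strcasecmp() in safe_referer is the right direction, since DNS hostnames are case-insensitive and a Referer of https://EXAMPLE.COM/... should match a server name of example.com, but strcasecmp is locale-sensitive in some C libraries; httpd already provides ap_cstr_casecmp() for locale-independent ASCII comparison, so `return ap_cstr_casecmp(uri.hostname, ap_get_server_name(r)) == 0;` would be the idiomatic replacement here. Also note, as the visible lines show, that only uri.hostname is compared: the scheme and port of the parsed Referer are not checked against the request, so this is a same-host check rather than a full same-origin check, and ap_get_server_name(r) follows UseCanonicalName and may return a configured ServerName rather than the Host the browser put in the Referer. A short comment above the function stating that scope would help the next reader, and a test case with a mixed-case Referer hostname would pin the fix.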