From cd9bcea2d3db31a38ad12474ebc0c7658134cbfd Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Tue, 27 Aug 2019 05:50:19 +0000
Subject: [PATCH] Merge r1865749 from trunk:
PR63688 balancer csrf problems fix case-sensitive referer check
Submitted By: Armin Abfalterer
Reviewed by: covener, jim, jorton
PR: 63688
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1865966 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 3 +++
 modules/proxy/mod_proxy_balancer.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index 0f91414ecd2..cababde6f7b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.4.42
+ *) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
+ protection. PR 63688. [Armin Abfalterer ]
+
 Changes with Apache 2.4.41
 *) SECURITY: CVE-2019-10097 (cve.mitre.org)
diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c
index 398ff4f52c0..77c1dd2b28e 100644
--- a/modules/proxy/mod_proxy_balancer.c
+++ b/modules/proxy/mod_proxy_balancer.c
@@ -1104,7 +1104,7 @@ static int safe_referer(request_rec *r, const char *ref)
 if (apr_uri_parse(r->pool, ref, &uri) || !uri.hostname)
 return 0;
- return strcmp(uri.hostname, ap_get_server_name(r)) == 0;
+ return strcasecmp(uri.hostname, ap_get_server_name(r)) == 0;
 }
 /* Manages the loadfactors and member status
-- 
2.47.3
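Review bot: The `strcasecmp()` introduced on the `+` line is locale-sensitive, so in a process running under a locale such as tr_TR the folding of 'I'/'i' differs and a Referer host that matches `ap_get_server_name(r)` only up to ASCII case can still be rejected; httpd's locale-independent `ap_cstr_casecmp()` is the usual choice for this in the tree, if it is available on this branch: `return ap_cstr_casecmp(uri.hostname, ap_get_server_name(r)) == 0;`. Separately, the check compares hostnames only, so a Referer with a different scheme or port on the same host (another application served from that host) is accepted as safe; comparing `uri.port` and `uri.scheme` against the current request would tighten the CSRF check where that is acceptable. A short comment on the `return` line noting that `ap_get_server_name(r)` follows `UseCanonicalName` and, with the default `Off`, reflects the request's own Host header would help the next reader judge what the comparison actually guards. safe_referer() begins before this hunk (the `uri` declaration is not visible here); its closing brace is within the hunk.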