> On 30.08.2019 at 11:22, Ruediger Pluem <rpl...@apache.org> wrote:
>
>
>
> On 08/08/2019 02:11 PM, jor...@apache.org wrote:
>> Author: jorton
>> Date: Thu Aug 8 12:11:36 2019
>> New Revision: 1864695
>>
>> URL: http://svn.apache.org/viewvc?rev=1864695&view=rev
>> Log:
>> * modules/proxy/mod_proxy_balancer.c (balancer_handler): Check Referer
>> to improve on protection against balancer-manager XSRF attacks
>> provided by the nonce.
>>
>> Modified:
>> httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c
>>
>> Modified: httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c
>> URL:
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c?rev=1864695&r1=1864694&r2=1864695&view=diff
>> ==============================================================================
>> --- httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c (original)
>> +++ httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c Thu Aug 8 12:11:36
>> 2019
>> @@ -1843,6 +1843,18 @@ static void balancer_display_page(reques
>> }
>> }
>>
>> +/* Returns non-zero if the Referer: header value passed matches the
>> + * host of the request. */
>> +static int safe_referer(request_rec *r, const char *ref)
>> +{
>> + apr_uri_t uri;
>> +
>> + if (apr_uri_parse(r->pool, ref, &uri) || !uri.hostname)
>> + return 0;
>> +
>> + return strcmp(uri.hostname, ap_get_server_name(r)) == 0;
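Review bot: the `strcmp(uri.hostname, ap_get_server_name(r))` comparison at the end of safe_referer is case-sensitive, while hostnames are not, so a Referer whose host differs from the server name only in case (e.g. "Example.com" vs "example.com") is reported as unsafe; since the function fails closed that is a rejected legitimate request rather than a bypass, but `strcasecmp` would match the intended host semantics. Worth documenting in the comment that scheme and port are deliberately ignored and only the hostname is compared, so a later reader does not mistake that for an omission.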
>
> Shouldn't we use strcasecmp instead of strcmp here? IMHO hostnames are case
> insensitive.
How long will these 6-bit architectures hold us back?
;)
>
> Regards
>
> Rüdiger
>