And check the nonce, taking care to ensure that the

form actually specified a balancer. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1058630 13f79535-47bb-0310-9956-ffa450edef68
2025-08-07 04:02:58 +03:00 · 2011-01-13 15:59:25 +00:00
parent 31c4a9e21e
commit a541e41dab
1 changed files with 10 additions and 5 deletions
--- a/modules/proxy/mod_proxy_balancer.c
+++ b/modules/proxy/mod_proxy_balancer.c
@@ -849,15 +849,20 @@ static int balancer_handler(request_rec *r)
        wsel = ap_proxy_get_worker(r->pool, bsel, conf, name);
    }

-#if 0
+
    /* Check that the supplied nonce matches this server's nonce;
     * otherwise ignore all parameters, to prevent a CSRF attack. */
-    if (*balancer_nonce &&
-        ((name = apr_table_get(params, "nonce")) == NULL
-         || strcmp(balancer_nonce, name) != 0)) {
+    if (!bsel ||
+        (*bsel->nonce &&
+         (
+          (name = apr_table_get(params, "nonce")) == NULL ||
+          strcmp(bsel->nonce, name) != 0
+         )
+        )
+       ) {
        apr_table_clear(params);
    }
-#endif
+
    /* First set the params */
    /*
     * Note that it is not possible set the proxy_balancer because it is not