www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

No functional change; simplify the CVE-2007-6420 fix slightly, as

Browse Source 
suggested by rpluem:

* modules/proxy/mod_proxy_balancer.c (balancer_init): Serialize the
  UUID to a string here...
  (balancer_handler): ...rather than here.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@663967 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Joe Orton
2008-06-06 14:44:35 +00:00
parent f438923a5c
commit ce75fb285c
1 changed files with 10 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
modules/proxy/mod_proxy_balancer.c
View File

@@ -25,7 +25,7 @@
module AP_MODULE_DECLARE_DATA proxy_balancer_module; module AP_MODULE_DECLARE_DATA proxy_balancer_module;
static apr_uuid_t balancer_nonce; static char balancer_nonce[APR_UUID_FORMATTED_LENGTH + 1];
static int proxy_balancer_canon(request_rec *r, char *url) static int proxy_balancer_canon(request_rec *r, char *url)
{ {
@@ -628,6 +628,7 @@ static int balancer_init(apr_pool_t *p, apr_pool_t *plog,
{ {
void *data; void *data;
const char *userdata_key = "mod_proxy_balancer_init"; const char *userdata_key = "mod_proxy_balancer_init";
apr_uuid_t uuid;
/* balancer_init() will be called twice during startup. So, only /* balancer_init() will be called twice during startup. So, only
* set up the static data the second time through. */ * set up the static data the second time through. */
@@ -638,7 +639,10 @@ static int balancer_init(apr_pool_t *p, apr_pool_t *plog,
return OK; return OK;
} }
apr_uuid_get(&balancer_nonce); /* Retrieve a UUID and store the nonce for the lifetime of
* the process. */
apr_uuid_get(&uuid);
apr_uuid_format(balancer_nonce, &uuid);
return OK; return OK;
} }
@@ -656,9 +660,6 @@ static int balancer_handler(request_rec *r)
int access_status; int access_status;
int i, n; int i, n;
const char *name; const char *name;
char nonce[APR_UUID_FORMATTED_LENGTH + 1];
apr_uuid_format(nonce, &balancer_nonce);
/* is this for us? */ /* is this for us? */
if (strcmp(r->handler, "balancer-manager")) if (strcmp(r->handler, "balancer-manager"))
@@ -692,7 +693,7 @@ static int balancer_handler(request_rec *r)
/* Check that the supplied nonce matches this server's nonce; /* Check that the supplied nonce matches this server's nonce;
* otherwise ignore all parameters, to prevent a CSRF attack. */ * otherwise ignore all parameters, to prevent a CSRF attack. */
if ((name = apr_table_get(params, "nonce")) == NULL if ((name = apr_table_get(params, "nonce")) == NULL
|| strcmp(nonce, name) != 0) { || strcmp(balancer_nonce, name) != 0) {
apr_table_clear(params); apr_table_clear(params);
} }
@@ -833,7 +834,7 @@ static int balancer_handler(request_rec *r)
ap_rvputs(r, "<tr>\n<td><a href=\"", r->uri, "?b=", ap_rvputs(r, "<tr>\n<td><a href=\"", r->uri, "?b=",
balancer->name + sizeof("balancer://") - 1, "&w=", balancer->name + sizeof("balancer://") - 1, "&w=",
ap_escape_uri(r->pool, worker->name), ap_escape_uri(r->pool, worker->name),
"&nonce=", nonce, "&nonce=", balancer_nonce,
"\">", NULL); "\">", NULL);
ap_rvputs(r, worker->name, "</a></td>", NULL); ap_rvputs(r, worker->name, "</a></td>", NULL);
ap_rvputs(r, "<td>", ap_escape_html(r->pool, worker->s->route), ap_rvputs(r, "<td>", ap_escape_html(r->pool, worker->s->route),
@@ -897,8 +898,8 @@ static int balancer_handler(request_rec *r)
ap_rvputs(r, "<input type=hidden name=\"b\" ", NULL); ap_rvputs(r, "<input type=hidden name=\"b\" ", NULL);
ap_rvputs(r, "value=\"", bsel->name + sizeof("balancer://") - 1, ap_rvputs(r, "value=\"", bsel->name + sizeof("balancer://") - 1,
"\">\n</form>\n", NULL); "\">\n</form>\n", NULL);
ap_rvputs(r, "<input type=hidden name=\"nonce\" value=\"", nonce, "\">\n", ap_rvputs(r, "<input type=hidden name=\"nonce\" value=\"",
NULL); balancer_nonce, "\">\n", NULL);
ap_rputs("<hr />\n", r); ap_rputs("<hr />\n", r);
} }
ap_rputs(ap_psignature("",r), r); ap_rputs(ap_psignature("",r), r);