Backport r663967

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@665755 13f79535-47bb-0310-9956-ffa450edef68
2025-08-10 02:56:11 +00:00 · 2008-06-09 16:41:08 +00:00
parent 7ea35c1ab7
commit d6ba13d24c
2 changed files with 10 additions and 16 deletions
--- a/7
+++ b/7
@ -84,13 +84,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
  [ start all new proposals below, under PATCHES PROPOSED. ]

- * mod_proxy_balancer: Optimization of fix for CVE-2007-6420.
-   Trunk version of patch:
-         http://svn.apache.org/viewvc?view=rev&revision=663967
-   Backport version for 2.2.x of patch:
-         Trunk version of patch works
-   +1: rpluem, jim, niq
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
  [ New proposals should be added at the end of the list ]

--- a/modules/proxy/mod_proxy_balancer.c
+++ b/modules/proxy/mod_proxy_balancer.c
@ -27,7 +27,7 @@

 module AP_MODULE_DECLARE_DATA proxy_balancer_module;

-static apr_uuid_t balancer_nonce;
+static char balancer_nonce[APR_UUID_FORMATTED_LENGTH + 1];

 static int proxy_balancer_canon(request_rec *r, char *url)
 {
@ -597,6 +597,7 @@ static int balancer_init(apr_pool_t *p, apr_pool_t *plog,
 {
    void *data;
    const char *userdata_key = "mod_proxy_balancer_init";
+    apr_uuid_t uuid;

    /* balancer_init() will be called twice during startup.  So, only
     * set up the static data the second time through. */
@ -607,7 +608,10 @@ static int balancer_init(apr_pool_t *p, apr_pool_t *plog,
        return OK;
    }

-    apr_uuid_get(&balancer_nonce);
+    /* Retrieve a UUID and store the nonce for the lifetime of
+     * the process. */
+    apr_uuid_get(&uuid);
+    apr_uuid_format(balancer_nonce, &uuid);

    return OK;
 }
@ -625,9 +629,6 @@ static int balancer_handler(request_rec *r)
    int access_status;
    int i, n;
    const char *name;
-    char nonce[APR_UUID_FORMATTED_LENGTH + 1];
-
-    apr_uuid_format(nonce, &balancer_nonce);

    /* is this for us? */
    if (strcmp(r->handler, "balancer-manager"))
@ -661,7 +662,7 @@ static int balancer_handler(request_rec *r)
    /* Check that the supplied nonce matches this server's nonce;
     * otherwise ignore all parameters, to prevent a CSRF attack. */
    if ((name = apr_table_get(params, "nonce")) == NULL 
-        || strcmp(nonce, name) != 0) {
+        || strcmp(balancer_nonce, name) != 0) {
        apr_table_clear(params);
    }

@ -796,7 +797,7 @@ static int balancer_handler(request_rec *r)
                ap_rvputs(r, "<tr>\n<td><a href=\"", r->uri, "?b=",
                          balancer->name + sizeof("balancer://") - 1, "&w=",
                          ap_escape_uri(r->pool, worker->name),
-                          "&nonce=", nonce, 
+                          "&nonce=", balancer_nonce, 
                          "\">", NULL);
                ap_rvputs(r, worker->name, "</a></td>", NULL);
                ap_rvputs(r, "<td>", ap_escape_html(r->pool, worker->s->route),
@ -860,8 +861,8 @@ static int balancer_handler(request_rec *r)
            ap_rvputs(r, "<input type=hidden name=\"b\" ", NULL);
            ap_rvputs(r, "value=\"", bsel->name + sizeof("balancer://") - 1,
                      "\">\n</form>\n", NULL);
-            ap_rvputs(r, "<input type=hidden name=\"nonce\" value=\"", nonce, "\">\n",
-                      NULL);
+            ap_rvputs(r, "<input type=hidden name=\"nonce\" value=\"", 
+                      balancer_nonce, "\">\n", NULL);
            ap_rputs("<hr />\n", r);
        }
        ap_rputs(ap_psignature("",r), r);