luci-base: dispatcher: reject non-POST requests with any cbi.submit value

Due to the fact that luci.model.cbi reacts on any "cbi.submit" value while the dispatcher only required POST for cbi.submit == 1, the CSRF token protection could be bypassed. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
author: Jo-Philipp Wich <jo@mein.io> 2018-04-05 00:15:22 +0200
committer: Jo-Philipp Wich <jo@mein.io> 2018-04-05 00:15:22 +0200
commit: 186e690c08a8766aecf9a0ffc60b4475e366d723 (patch)
tree: 320b100a84d90c2fca0ed970d3bb20864f1eab36
parent: 697db81246bf9e3256c7217a00ee4e7757c87077 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index 24681368d..c93fd78a1 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -892,7 +892,7 @@ end
 function cbi(model, config)
 	return {
 		type = "cbi",
-		post = { ["cbi.submit"] = "1" },
+		post = { ["cbi.submit"] = true },
 		config = config,
 		model = model,
 		target = _cbi
@@ -938,7 +938,7 @@ end
 function form(model)
 	return {
 		type = "cbi",
-		post = { ["cbi.submit"] = "1" },
+		post = { ["cbi.submit"] = true },
 		model = model,
 		target = _form
 	}
author	Jo-Philipp Wich <jo@mein.io>	2018-04-05 00:15:22 +0200
committer	Jo-Philipp Wich <jo@mein.io>	2018-04-05 00:15:22 +0200
commit	186e690c08a8766aecf9a0ffc60b4475e366d723 (patch)
tree	320b100a84d90c2fca0ed970d3bb20864f1eab36
parent	697db81246bf9e3256c7217a00ee4e7757c87077 (diff)