diff options
author | Jo-Philipp Wich <jow@openwrt.org> | 2015-10-06 18:54:35 +0200 |
---|---|---|
committer | Jo-Philipp Wich <jow@openwrt.org> | 2015-10-06 18:54:35 +0200 |
commit | 8d46c20327509dbafa3fd0dc4e4426765244c5a1 (patch) | |
tree | 3bf13d177475b1f347530c93813e2d86f1bec1e4 | |
parent | 5a6382171da2c941e17d050cd357629f40541cb6 (diff) |
luci-base: protect CBI forms with CSRF tokens
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
-rw-r--r-- | modules/luci-base/luasrc/dispatcher.lua | 9 | ||||
-rw-r--r-- | modules/luci-base/luasrc/view/cbi/header.htm | 1 |
2 files changed, 10 insertions, 0 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua index 798e3e6ce6..a402d023b3 100644 --- a/modules/luci-base/luasrc/dispatcher.lua +++ b/modules/luci-base/luasrc/dispatcher.lua @@ -743,6 +743,15 @@ local function _cbi(self, ...) local cbi = require "luci.cbi" local tpl = require "luci.template" local http = require "luci.http" + local disp = require "luci.dispatcher" + + if http.formvalue("cbi.submit") == "1" and + http.formvalue("token") ~= disp.context.urltoken.stok + then + http.status(403, "Forbidden") + luci.template.render("csrftoken") + return + end local config = self.config or {} local maps = cbi.load(self.model, ...) diff --git a/modules/luci-base/luasrc/view/cbi/header.htm b/modules/luci-base/luasrc/view/cbi/header.htm index 2bddaba61a..302df1d2fd 100644 --- a/modules/luci-base/luasrc/view/cbi/header.htm +++ b/modules/luci-base/luasrc/view/cbi/header.htm @@ -2,6 +2,7 @@ <form method="post" name="cbi" action="<%=REQUEST_URI%>" enctype="multipart/form-data" onreset="return cbi_validate_reset(this)" onsubmit="return cbi_validate_form(this, '<%:Some fields are invalid, cannot save values!%>')"> <div> <script type="text/javascript" src="<%=resource%>/cbi.js"></script> + <input type="hidden" name="token" value="<%=token%>" /> <input type="hidden" name="cbi.submit" value="1" /> <input type="submit" value="<%:Save%>" class="hidden" /> </div> |