summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorJo-Philipp Wich <jow@openwrt.org>2015-10-06 18:54:35 +0200
committerJo-Philipp Wich <jow@openwrt.org>2015-10-06 18:54:35 +0200
commit8d46c20327509dbafa3fd0dc4e4426765244c5a1 (patch)
tree3bf13d177475b1f347530c93813e2d86f1bec1e4
parent5a6382171da2c941e17d050cd357629f40541cb6 (diff)
luci-base: protect CBI forms with CSRF tokens
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
-rw-r--r--modules/luci-base/luasrc/dispatcher.lua9
-rw-r--r--modules/luci-base/luasrc/view/cbi/header.htm1
2 files changed, 10 insertions, 0 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index 798e3e6ce6..a402d023b3 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -743,6 +743,15 @@ local function _cbi(self, ...)
local cbi = require "luci.cbi"
local tpl = require "luci.template"
local http = require "luci.http"
+ local disp = require "luci.dispatcher"
+
+ if http.formvalue("cbi.submit") == "1" and
+ http.formvalue("token") ~= disp.context.urltoken.stok
+ then
+ http.status(403, "Forbidden")
+ luci.template.render("csrftoken")
+ return
+ end
local config = self.config or {}
local maps = cbi.load(self.model, ...)
diff --git a/modules/luci-base/luasrc/view/cbi/header.htm b/modules/luci-base/luasrc/view/cbi/header.htm
index 2bddaba61a..302df1d2fd 100644
--- a/modules/luci-base/luasrc/view/cbi/header.htm
+++ b/modules/luci-base/luasrc/view/cbi/header.htm
@@ -2,6 +2,7 @@
<form method="post" name="cbi" action="<%=REQUEST_URI%>" enctype="multipart/form-data" onreset="return cbi_validate_reset(this)" onsubmit="return cbi_validate_form(this, '<%:Some fields are invalid, cannot save values!%>')">
<div>
<script type="text/javascript" src="<%=resource%>/cbi.js"></script>
+ <input type="hidden" name="token" value="<%=token%>" />
<input type="hidden" name="cbi.submit" value="1" />
<input type="submit" value="<%:Save%>" class="hidden" />
</div>