author | Jo-Philipp Wich <jo@mein.io> | 2019-10-09 09:55:44 +0200 |
---|---|---|
committer | Jo-Philipp Wich <jo@mein.io> | 2019-10-09 09:55:44 +0200 |
commit | f8c6eb67cd9da09ee20248fec6ab742069635e47 (patch) | |
tree | fad932d2aed191055e601959f47a2418c7a18ef6 | |
parent | 6d70b303ede58fb08598ffaa829a3ec80a3f34bd (diff) |
luci-base: fix CSRF prevention for arcombine targets
The dispatcher failed to propagate the child target post security
requirements to the arcombine() dispatch target so far - fix this
by recursively testing the post security requirements.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r-- | modules/luci-base/luasrc/dispatcher.lua | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index e8106b741..f57114456 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -149,7 +149,11 @@ function httpdispatch(request, prefix)
 --context._disable_memtrace()
 end
 
-local function require_post_security(target)
+local function require_post_security(target, args)
+ if type(target) == "table" and target.type == "arcombine" and type(target.targets) == "table" then
+ return require_post_security((type(args) == "table" and #args > 0) and target.targets[2] or target.targets[1], args)
+ end
+
 if type(target) == "table" then
 if type(target.post) == "table" then
 local param_name, required_val, request_val
@@ -470,7 +474,7 @@ function dispatch(request)
 return
 end
 
- if c and require_post_security(c.target) then
+ if c and require_post_security(c.target, args) then
 if not test_post_security(c) then
 return
 end |
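Review bot: The child selection in the new arcombine branch of `require_post_security` must stay identical to the rule the arcombine target applies when it actually dispatches; if the two drift apart, the POST/token requirement is evaluated for a child that is not the one executed. That rule lives outside this hunk, so the coupling deserves a comment such as `-- must mirror arcombine's own choice: targets[2] when args are present, else targets[1]`. The `cond and target.targets[2] or target.targets[1]` idiom also falls back to `targets[1]` when `targets[2]` is nil, so a missing second target is checked as if it were the first instead of being treated as an error. Binding the chosen child to a local before the recursive call (`local child = has_args and target.targets[2] or target.targets[1]`) would make the line easier to audit. The function body continues past the end of the hunk.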
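Review bot: `args` is passed to `require_post_security` at this call in `dispatch`, but its definition is outside the hunk, so it should be confirmed to be the same list that is later handed to the target. If it is nil or not yet populated at this point, the arcombine branch added in the first hunk always selects `targets[1]`, and a POST requirement declared only on `targets[2]` is silently not enforced. A short comment at the call would record that dependency, for example `-- args decides which arcombine child is checked; must match what the target receives`.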