authorJo-Philipp Wich <jow@openwrt.org>2015-10-21 00:09:55 +0200
committerJo-Philipp Wich <jow@openwrt.org>2015-10-21 00:09:55 +0200
commitc1278f967e90352506900d243888cd3ac9caee9f (patch)
treeefab2f495076a16b82ad94467092a6e2b1d97843 /applications/luci-app-splash/luasrc
parentac34dfa0bc65e2efeb9575d3cd42c4696d31bb1b (diff)
luci-app-splash: protect admin status call with csrf token
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Diffstat (limited to 'applications/luci-app-splash/luasrc')
-rw-r--r--applications/luci-app-splash/luasrc/controller/splash/splash.lua2
-rw-r--r--applications/luci-app-splash/luasrc/view/admin_status/splash.htm2
2 files changed, 2 insertions, 2 deletions
diff --git a/applications/luci-app-splash/luasrc/controller/splash/splash.lua b/applications/luci-app-splash/luasrc/controller/splash/splash.lua
index 4add43559..13b8edce6 100644
--- a/applications/luci-app-splash/luasrc/controller/splash/splash.lua
+++ b/applications/luci-app-splash/luasrc/controller/splash/splash.lua
@@ -16,7 +16,7 @@ function index()
node("splash", "splash").target = template("splash_splash/splash")
node("splash", "blocked").target = template("splash/blocked")
- entry({"admin", "status", "splash"}, call("action_status_admin"), _("Client-Splash"))
+ entry({"admin", "status", "splash"}, post("action_status_admin"), _("Client-Splash"))
local page = node("splash", "publicstatus")
page.target = call("action_status_public")
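Review bot: Switching the whole `admin/status/splash` entry from `call` to `post` also governs the plain GET that renders the page from the menu (the entry carries a menu title), so if the dispatcher's `post()` refuses non-POST requests the status page itself becomes unreachable while only the block/whitelist submissions needed protecting; `post_on()` keyed on the form's submit parameters, applying the token check only when one of them is present, would keep the read-only view on GET. The `post()` implementation is not visible here, so this needs confirming against the dispatcher in luci-base. The enclosing `index()` function starts before the hunk. A short comment on the entry, `-- POST target: action_status_admin changes client state, so the CSRF token is required`, would record why this entry differs from the public status node right below it.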
diff --git a/applications/luci-app-splash/luasrc/view/admin_status/splash.htm b/applications/luci-app-splash/luasrc/view/admin_status/splash.htm
index 23982d449..3415c205d 100644
--- a/applications/luci-app-splash/luasrc/view/admin_status/splash.htm
+++ b/applications/luci-app-splash/luasrc/view/admin_status/splash.htm
@@ -214,7 +214,7 @@ end
<fieldset id="cbi-table-table" class="cbi-section">
<legend><%:Active Clients%></legend>
<div class="cbi-section-node">
- <% if is_admin then %><form action="<%=REQUEST_URI%>" method="post"><% end %>
+ <% if is_admin then %><form action="<%=REQUEST_URI%>" method="post"><input type="hidden" name="token" value="<%=token%>" /><% end %>
<table class="cbi-section-table">
<thead>
<tr class="cbi-section-table-titles">
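Review bot: The hidden `token` field is added without anything in the template saying that it exists for the dispatcher-side CSRF check, which the next person editing this form will not see from the view alone; a template comment before the form, `<%# CSRF token: the admin entry is a post() target and rejects submissions that lack it %>`, would tie the two halves of this change together. The field is emitted only inside the `is_admin` branch, matching the form element, so the public rendering is unaffected. If this view contains another form posting to the same entry outside the hunk, it needs the same hidden field or its submissions will be refused. Whether `token` is bound in the template environment is not visible here; an unset value would render an empty attribute and make every submission fail the check.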