luci-app-privoxy: protect start/stop actions with csrf token

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

2 files changed, 2 insertions, 2 deletions

diff --git a/applications/luci-app-privoxy/luasrc/controller/privoxy.lua b/applications/luci-app-privoxy/luasrc/controller/privoxy.lua
index 58ba80724..0cedab48a 100644
--- a/applications/luci-app-privoxy/luasrc/controller/privoxy.lua
+++ b/applications/luci-app-privoxy/luasrc/controller/privoxy.lua
@@ -15,7 +15,7 @@ PRIVOXY_MIN = "3.0.22-0"	-- minimum version of service required
 function index()
 	entry( {"admin", "services", "privoxy"}, cbi("privoxy"), _("Privoxy WEB proxy"), 59)
 	entry( {"admin", "services", "privoxy", "logview"}, call("logread") ).leaf = true
-	entry( {"admin", "services", "privoxy", "startstop"}, call("startstop") ).leaf = true
+	entry( {"admin", "services", "privoxy", "startstop"}, post("startstop") ).leaf = true
 	entry( {"admin", "services", "privoxy", "status"}, call("get_pid") ).leaf = true
 end
 
diff --git a/applications/luci-app-privoxy/luasrc/view/privoxy/detail_startstop.htm b/applications/luci-app-privoxy/luasrc/view/privoxy/detail_startstop.htm
index 8c97daeee..85975ac7d 100644
--- a/applications/luci-app-privoxy/luasrc/view/privoxy/detail_startstop.htm
+++ b/applications/luci-app-privoxy/luasrc/view/privoxy/detail_startstop.htm
@@ -21,7 +21,7 @@
 	function onclick_startstop(id) {
 		// do start/stop
 		var btnXHR = new XHR();
-		btnXHR.get('<%=url('admin/services/privoxy/startstop')%>', null,
+		btnXHR.post('<%=url('admin/services/privoxy/startstop')%>', { token: '<%=token%>' },
 			function(x) { _data2elements(x); }
 		);
 	}