authorJo-Philipp Wich <jow@openwrt.org>2015-10-06 18:54:35 +0200
committerJo-Philipp Wich <jow@openwrt.org>2015-10-06 18:54:35 +0200
commit8d46c20327509dbafa3fd0dc4e4426765244c5a1 (patch)
tree3bf13d177475b1f347530c93813e2d86f1bec1e4 /modules/luci-base/luasrc/dispatcher.lua
parent5a6382171da2c941e17d050cd357629f40541cb6 (diff)
luci-base: protect CBI forms with CSRF tokens
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Diffstat (limited to 'modules/luci-base/luasrc/dispatcher.lua')
-rw-r--r--modules/luci-base/luasrc/dispatcher.lua9
1 files changed, 9 insertions, 0 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index 798e3e6ce6..a402d023b3 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -743,6 +743,15 @@ local function _cbi(self, ...)
local cbi = require "luci.cbi"
local tpl = require "luci.template"
local http = require "luci.http"
+ local disp = require "luci.dispatcher"
+
+ if http.formvalue("cbi.submit") == "1" and
+ http.formvalue("token") ~= disp.context.urltoken.stok
+ then
+ http.status(403, "Forbidden")
+ luci.template.render("csrftoken")
+ return
+ end
local config = self.config or {}
local maps = cbi.load(self.model, ...)