author | Jo-Philipp Wich <jow@openwrt.org> | 2015-10-07 12:24:51 +0200 |
committer | Jo-Philipp Wich <jow@openwrt.org> | 2015-10-07 12:24:58 +0200 |
commit | 3f29078fb938be66a0eb43bf50819c5f15e6d606 (patch) | |
tree | 496e40ce910a10144d883d37c23bd5ab308423ac /modules/luci-base/luasrc/dispatcher.lua | |
parent | 38a9993bd1bf0024639e19a9c25328a9d5d5954e (diff) |
luci-base: protect simpleforms with CSRF tokens
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Diffstat (limited to 'modules/luci-base/luasrc/dispatcher.lua')
-rw-r--r-- | modules/luci-base/luasrc/dispatcher.lua | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index a402d023b3..28dfd18bbe 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -869,6 +869,15 @@ local function _form(self, ...)
 	local cbi = require "luci.cbi"
 	local tpl = require "luci.template"
 	local http = require "luci.http"
+	local disp = require "luci.dispatcher"
+
+	if http.formvalue("cbi.submit") == "1" and
+	   http.formvalue("token") ~= disp.context.urltoken.stok
+	then
+		http.status(403, "Forbidden")
+		luci.template.render("csrftoken")
+		return
+	end
 
 	local maps = luci.cbi.load(self.model, ...)
 	local state = nil
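Review bot: The new token check passes vacuously when `disp.context.urltoken.stok` is nil, because a submission that simply omits the `token` field then compares nil with nil and the `~=` is false; if a request can reach `_form` before a session token has been assigned, the guard should treat a missing expected token as a failure, e.g. `local stok = disp.context.urltoken.stok` followed by `if http.formvalue("cbi.submit") == "1" and (not stok or http.formvalue("token") ~= stok) then` — whether stok can be nil at this point is not visible in the hunk, so confirm it against where urltoken is populated. The rejection branch calls `luci.template.render("csrftoken")` through the global `luci` table although the same module was just bound to the local `tpl` three lines earlier; `tpl.render("csrftoken")` keeps the hunk consistent with its own locals and does not depend on `luci` being a global. Since this code is in dispatcher.lua itself, `require "luci.dispatcher"` is a self-require; if `context` is the module-level table it appears to be, `context.urltoken.stok` can be read directly and the `disp` local dropped. The body of `_form` continues past the end of the hunk.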