summaryrefslogtreecommitdiffhomepage
path: root/modules/luci-base/luasrc/dispatcher.lua
diff options
context:
space:
mode:
authorJo-Philipp Wich <jow@openwrt.org>2015-10-07 12:24:51 +0200
committerJo-Philipp Wich <jow@openwrt.org>2015-10-07 12:24:58 +0200
commit3f29078fb938be66a0eb43bf50819c5f15e6d606 (patch)
tree496e40ce910a10144d883d37c23bd5ab308423ac /modules/luci-base/luasrc/dispatcher.lua
parent38a9993bd1bf0024639e19a9c25328a9d5d5954e (diff)
luci-base: protect simpleforms with CSRF tokens
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Diffstat (limited to 'modules/luci-base/luasrc/dispatcher.lua')
-rw-r--r--modules/luci-base/luasrc/dispatcher.lua9
1 files changed, 9 insertions, 0 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index a402d023b3..28dfd18bbe 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -869,6 +869,15 @@ local function _form(self, ...)
local cbi = require "luci.cbi"
local tpl = require "luci.template"
local http = require "luci.http"
+ local disp = require "luci.dispatcher"
+
+ if http.formvalue("cbi.submit") == "1" and
+ http.formvalue("token") ~= disp.context.urltoken.stok
+ then
+ http.status(403, "Forbidden")
+ luci.template.render("csrftoken")
+ return
+ end
local maps = luci.cbi.load(self.model, ...)
local state = nil