authorJo-Philipp Wich <jo@mein.io>2019-10-09 09:55:44 +0200
committerJo-Philipp Wich <jo@mein.io>2019-10-09 09:55:44 +0200
commitf8c6eb67cd9da09ee20248fec6ab742069635e47 (patch)
treefad932d2aed191055e601959f47a2418c7a18ef6 /modules/luci-base/luasrc
parent6d70b303ede58fb08598ffaa829a3ec80a3f34bd (diff)
luci-base: fix CSRF prevention for arcombine targets
The dispatcher failed to propagate the child target post security requirements to the arcombine() dispatch target so far - fix this by recursively testing the post security requirements. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'modules/luci-base/luasrc')
-rw-r--r--modules/luci-base/luasrc/dispatcher.lua8
1 files changed, 6 insertions, 2 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index e8106b741d..f571144566 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -149,7 +149,11 @@ function httpdispatch(request, prefix)
--context._disable_memtrace()
end
-local function require_post_security(target)
+local function require_post_security(target, args)
+ if type(target) == "table" and target.type == "arcombine" and type(target.targets) == "table" then
+ return require_post_security((type(args) == "table" and #args > 0) and target.targets[2] or target.targets[1], args)
+ end
+
if type(target) == "table" then
if type(target.post) == "table" then
local param_name, required_val, request_val
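Review bot: The child selection in the new arcombine branch, `(type(args) == "table" and #args > 0) and target.targets[2] or target.targets[1]`, is a second copy of the rule that decides which child actually runs, and the CSRF decision is only correct while both copies agree. The arcombine dispatch code is not visible in this hunk, so this should be checked against it; a shared local helper used by both places, or at least a comment such as `-- must pick the same child as the arcombine dispatch target, or the executed child's post requirement is skipped`, would keep them from drifting apart. The `and ... or` form also falls back to `targets[1]` when `targets[2]` is nil, and a missing child falls through to the non-table path, which presumably reports no requirement (fails open), so a short comment stating that this is intended would help. The same concern applies to the `args` passed at the call site in `dispatch()` (second hunk): it has to be the same argument list the arcombine target receives, which cannot be confirmed from the lines shown. The body of `require_post_security` continues outside the hunk.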
@@ -470,7 +474,7 @@ function dispatch(request)
return
end
- if c and require_post_security(c.target) then
+ if c and require_post_security(c.target, args) then
if not test_post_security(c) then
return
end