-rw-r--r--modules/luci-base/luasrc/dispatcher.lua9
-rw-r--r--modules/luci-base/luasrc/view/cbi/simpleform.htm1
2 files changed, 10 insertions, 0 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index a402d023b3..28dfd18bbe 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -869,6 +869,15 @@ local function _form(self, ...)
local cbi = require "luci.cbi"
local tpl = require "luci.template"
local http = require "luci.http"
+ local disp = require "luci.dispatcher"
+
+ if http.formvalue("cbi.submit") == "1" and
+ http.formvalue("token") ~= disp.context.urltoken.stok
+ then
+ http.status(403, "Forbidden")
+ luci.template.render("csrftoken")
+ return
+ end
local maps = luci.cbi.load(self.model, ...)
local state = nil
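Review bot: The added check on L19-L20 passes a submission that carries no `token` field whenever `disp.context.urltoken.stok` is nil, because `nil ~= nil` is false; if the session token can ever be unset at this point (which the hunk does not show), the 403 branch is skipped exactly when it matters most. Binding the expected token first and treating its absence as a failure closes that gap: `local stok = disp.context.urltoken.stok` followed by `if http.formvalue("cbi.submit") == "1" and (not stok or http.formvalue("token") ~= stok) then`. On L23, `luci.template.render("csrftoken")` reaches for the global while the same module is already bound to `tpl` on L15; `tpl.render("csrftoken")` keeps the block consistent with the surrounding code. Requiring `luci.dispatcher` from inside dispatcher.lua on L17 also looks circular — if `context` is already a module-level name in this file it can be used directly, but that depends on code outside the hunk. The body of `_form` starts before and continues after this hunk.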
diff --git a/modules/luci-base/luasrc/view/cbi/simpleform.htm b/modules/luci-base/luasrc/view/cbi/simpleform.htm
index 437a07a8bd..78f5c5a544 100644
--- a/modules/luci-base/luasrc/view/cbi/simpleform.htm
+++ b/modules/luci-base/luasrc/view/cbi/simpleform.htm
@@ -2,6 +2,7 @@
<form method="post" enctype="multipart/form-data" action="<%=REQUEST_URI%>">
<div>
<script type="text/javascript" src="<%=resource%>/cbi.js"></script>
+ <input type="hidden" name="token" value="<%=token%>" />
<input type="hidden" name="cbi.submit" value="1" />
</div>
<% end %>
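Review bot: The new hidden field on L36 emits `<%=token%>` directly into an attribute value; if `<%= %>` does not escape its output in this template engine, the value should be routed through the escaping helper, e.g. `value="<%=pcdata(token)%>"`, so that the attribute stays well-formed regardless of what the token contains. The hunk also relies on `token` being present in the view namespace with the same value as `context.urltoken.stok` that the dispatcher compares against — that binding is not visible here and is worth confirming, since a mismatch would make every submit fail with 403 rather than silently degrade. A brief template comment such as `<%# CSRF token checked by dispatcher._form on submit %>` would make the coupling between this field and the dispatcher check discoverable.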