summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
-rw-r--r--modules/luci-base/luasrc/dispatcher.lua26
-rw-r--r--modules/luci-base/luasrc/view/csrftoken.htm24
2 files changed, 50 insertions, 0 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index 8b8d1fa349..798e3e6ce6 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -1,4 +1,5 @@
-- Copyright 2008 Steven Barth <steven@midlink.org>
+-- Copyright 2008-2015 Jo-Philipp Wich <jow@openwrt.org>
-- Licensed to the public under the Apache License 2.0.
local fs = require "nixio.fs"
@@ -284,6 +285,7 @@ function dispatch(request)
resource = luci.config.main.resourcebase;
ifattr = function(...) return _ifattr(...) end;
attr = function(...) return _ifattr(true, ...) end;
+ token = ctx.urltoken.stok;
}, {__index=function(table, key)
if key == "controller" then
return build_url()
@@ -378,6 +380,20 @@ function dispatch(request)
end
end
+ if c and type(c.target) == "table" and c.target.post == true then
+ if http.getenv("REQUEST_METHOD") ~= "POST" then
+ http.status(405, "Method Not Allowed")
+ http.header("Allow", "POST")
+ return
+ end
+
+ if http.formvalue("token") ~= ctx.urltoken.stok then
+ http.status(403, "Forbidden")
+ luci.template.render("csrftoken")
+ return
+ end
+ end
+
if track.setgroup then
sys.process.setgroup(track.setgroup)
end
@@ -703,6 +719,16 @@ function call(name, ...)
return {type = "call", argv = {...}, name = name, target = _call}
end
+function post(name, ...)
+ return {
+ type = "call",
+ post = true,
+ argv = { ... },
+ name = name,
+ target = _call
+ }
+end
+
local _template = function(self, ...)
require "luci.template".render(self.view)
diff --git a/modules/luci-base/luasrc/view/csrftoken.htm b/modules/luci-base/luasrc/view/csrftoken.htm
new file mode 100644
index 0000000000..57ac03f3bf
--- /dev/null
+++ b/modules/luci-base/luasrc/view/csrftoken.htm
@@ -0,0 +1,24 @@
+<%#
+ Copyright 2015 Jo-Philipp Wich <jow@openwrt.org>
+ Licensed to the public under the Apache License 2.0.
+-%>
+
+<%+header%>
+
+<h2 name="content"><%:Form token mismatch%></h2>
+<br />
+
+<p class="alert-message"><%:The submitted security token is invalid or already expired!%></p>
+
+<p><%:
+ In order to prevent unauthorized access to the system, your request has
+ been blocked. Click "Continue »" below to return to the previous page.
+%></p>
+
+<hr />
+
+<p class="right">
+ <strong><a href="#" onclick="window.history.back();">Continue »</a></strong>
+</p>
+
+<%+footer%>