diff options
Diffstat (limited to 'modules/luci-base/luasrc')
| -rw-r--r-- | modules/luci-base/luasrc/dispatcher.lua | 26 | ||||
| -rw-r--r-- | modules/luci-base/luasrc/view/csrftoken.htm | 24 |
2 files changed, 50 insertions, 0 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua index 8b8d1fa34..798e3e6ce 100644 --- a/modules/luci-base/luasrc/dispatcher.lua +++ b/modules/luci-base/luasrc/dispatcher.lua @@ -1,4 +1,5 @@ -- Copyright 2008 Steven Barth <steven@midlink.org> +-- Copyright 2008-2015 Jo-Philipp Wich <jow@openwrt.org> -- Licensed to the public under the Apache License 2.0. local fs = require "nixio.fs" @@ -284,6 +285,7 @@ function dispatch(request) resource = luci.config.main.resourcebase; ifattr = function(...) return _ifattr(...) end; attr = function(...) return _ifattr(true, ...) end; + token = ctx.urltoken.stok; }, {__index=function(table, key) if key == "controller" then return build_url() @@ -378,6 +380,20 @@ function dispatch(request) end end + if c and type(c.target) == "table" and c.target.post == true then + if http.getenv("REQUEST_METHOD") ~= "POST" then + http.status(405, "Method Not Allowed") + http.header("Allow", "POST") + return + end + + if http.formvalue("token") ~= ctx.urltoken.stok then + http.status(403, "Forbidden") + luci.template.render("csrftoken") + return + end + end + if track.setgroup then sys.process.setgroup(track.setgroup) end @@ -703,6 +719,16 @@ function call(name, ...) return {type = "call", argv = {...}, name = name, target = _call} end +function post(name, ...) + return { + type = "call", + post = true, + argv = { ... }, + name = name, + target = _call + } +end + local _template = function(self, ...) require "luci.template".render(self.view) diff --git a/modules/luci-base/luasrc/view/csrftoken.htm b/modules/luci-base/luasrc/view/csrftoken.htm new file mode 100644 index 000000000..57ac03f3b --- /dev/null +++ b/modules/luci-base/luasrc/view/csrftoken.htm @@ -0,0 +1,24 @@ +<%# + Copyright 2015 Jo-Philipp Wich <jow@openwrt.org> + Licensed to the public under the Apache License 2.0. +-%> + +<%+header%> + +<h2 name="content"><%:Form token mismatch%></h2> +<br /> + +<p class="alert-message"><%:The submitted security token is invalid or already expired!%></p> + +<p><%: + In order to prevent unauthorized access to the system, your request has + been blocked. Click "Continue »" below to return to the previous page. +%></p> + +<hr /> + +<p class="right"> + <strong><a href="#" onclick="window.history.back();">Continue »</a></strong> +</p> + +<%+footer%> |