From 8d46c20327509dbafa3fd0dc4e4426765244c5a1 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Tue, 6 Oct 2015 18:54:35 +0200
Subject: luci-base: protect CBI forms with CSRF tokens

Signed-off-by: Jo-Philipp Wich
---
 modules/luci-base/luasrc/dispatcher.lua | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'modules/luci-base/luasrc/dispatcher.lua')

diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index 798e3e6ce6..a402d023b3 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -743,6 +743,15 @@ local function _cbi(self, ...)
 local cbi = require "luci.cbi"
 local tpl = require "luci.template"
 local http = require "luci.http"
+ local disp = require "luci.dispatcher"
+
+ if http.formvalue("cbi.submit") == "1" and
+ http.formvalue("token") ~= disp.context.urltoken.stok
+ then
+ http.status(403, "Forbidden")
+ luci.template.render("csrftoken")
+ return
+ end
 
 local config = self.config or {}
 local maps = cbi.load(self.model, ...)
-- 
cgit v1.2.3
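Review bot: The new guard fails open when no session token has been established: if `disp.context.urltoken.stok` is nil and the request simply omits `token`, both sides of `~=` are nil, the condition is false and the submit is processed without any CSRF check; if `urltoken` itself is unset the expression raises instead of rejecting. Fail closed by resolving the token first and treating its absence as a mismatch: `local stok = disp.context.urltoken and disp.context.urltoken.stok`, then `if http.formvalue("cbi.submit") == "1" and (not stok or http.formvalue("token") ~= stok) then`. Whether every state-changing CBI action arrives with `cbi.submit` set to "1" is not visible here and should be confirmed, since any form action that reaches `cbi.load` without it would bypass the check. As a point of style, the hunk already holds `tpl` for `luci.template`, so `tpl.render("csrftoken")` avoids the global lookup, and a one-line comment such as `-- reject form submits whose token does not match the session's stok (CSRF)` would document the intent. `_cbi` begins before this hunk and continues after it.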