luci-app-ocserv: protect disconnect action with csrf token

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
2015-10-21 00:00:55 +02:00 · 2015-10-21 00:00:55 +02:00 · 0f1f5140e3
commit 0f1f5140e3
parent b9ed03c5a9
2 changed files with 2 additions and 2 deletions
--- a/applications/luci-app-ocserv/luasrc/controller/ocserv.lua
+++ b/applications/luci-app-ocserv/luasrc/controller/ocserv.lua
@ -28,7 +28,7 @@ function index()
 		call("ocserv_status")).leaf = true

 	entry({"admin", "services", "ocserv", "disconnect"},
-		call("ocserv_disconnect")).leaf = true
+		post("ocserv_disconnect")).leaf = true

 end

--- a/applications/luci-app-ocserv/luasrc/view/ocserv_status.htm
+++ b/applications/luci-app-ocserv/luasrc/view/ocserv_status.htm
@ -1,7 +1,7 @@
 <script type="text/javascript">//<![CDATA[

 	function ocserv_disconnect(idx) {
-		XHR.get('<%=url('admin/services/ocserv/disconnect')%>/' + idx, null,
+		(new XHR()).post('<%=url('admin/services/ocserv/disconnect')%>/' + idx, { token: '<%=token%>' },
 			function(x)
 			{
 				var tb = document.getElementById('ocserv_status_table');