Difuse/luci
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

luci-base: dispatcher: reject non-POST requests with any cbi.submit value

Browse source 
Due to the fact that luci.model.cbi reacts on any "cbi.submit" value while
the dispatcher only required POST for cbi.submit == 1, the CSRF token
protection could be bypassed.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This commit is contained in:
Jo-Philipp Wich 2018-04-05 00:15:22 +02:00
parent 697db81246
commit 186e690c08
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
modules/luci-base/luasrc/dispatcher.lua
View file

@ -892,7 +892,7 @@ end
function cbi(model, config) function cbi(model, config)
return { return {
type = "cbi", type = "cbi",
post = { ["cbi.submit"] = "1" }, post = { ["cbi.submit"] = true },
config = config, config = config,
model = model, model = model,
target = _cbi target = _cbi
@ -938,7 +938,7 @@ end
function form(model) function form(model)
return { return {
type = "cbi", type = "cbi",
post = { ["cbi.submit"] = "1" }, post = { ["cbi.submit"] = true },
model = model, model = model,
target = _form target = _form
} }