luci-base: protect simpleforms with CSRF tokens

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
This commit is contained in:
Jo-Philipp Wich 2015-10-07 12:24:51 +02:00
parent 38a9993bd1
commit 3f29078fb9
2 changed files with 10 additions and 0 deletions


@ -869,6 +869,15 @@ local function _form(self, ...)
local cbi = require "luci.cbi" local cbi = require "luci.cbi"
local tpl = require "luci.template" local tpl = require "luci.template"
local http = require "luci.http" local http = require "luci.http"
local disp = require "luci.dispatcher"
if http.formvalue("cbi.submit") == "1" and
http.formvalue("token") ~= disp.context.urltoken.stok
then
http.status(403, "Forbidden")
luci.template.render("csrftoken")
return
end
local maps = luci.cbi.load(self.model, ...) local maps = luci.cbi.load(self.model, ...)
local state = nil local state = nil
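Review bot: The rejection branch calls `luci.template.render("csrftoken")` through the global `luci` table although the same module is already bound to the local `tpl` just above the hunk; `tpl.render("csrftoken")` keeps the function on one naming style and does not depend on `luci` being reachable as a global at that point. The guard `http.formvalue("token") ~= disp.context.urltoken.stok` also does not fire when both sides are nil, so a submission carrying no token is accepted whenever no session token has been set, and if `urltoken` itself were ever nil the index would raise a runtime error rather than answer 403; making a missing `stok` count as a mismatch, `if http.formvalue("cbi.submit") == "1" and (not disp.context.urltoken.stok or http.formvalue("token") ~= disp.context.urltoken.stok) then`, would fail closed, though whether that is acceptable for forms reachable without a session is for the maintainers to confirm. Since `_form` appears to live in the dispatcher module itself, the `require "luci.dispatcher"` is presumably a self-require; if the module's own context table is in scope it could be used directly. `_form` continues past the end of the hunk.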


@ -2,6 +2,7 @@
<form method="post" enctype="multipart/form-data" action="<%=REQUEST_URI%>"> <form method="post" enctype="multipart/form-data" action="<%=REQUEST_URI%>">
<div> <div>
<script type="text/javascript" src="<%=resource%>/cbi.js"></script> <script type="text/javascript" src="<%=resource%>/cbi.js"></script>
<input type="hidden" name="token" value="<%=token%>" />
<input type="hidden" name="cbi.submit" value="1" /> <input type="hidden" name="cbi.submit" value="1" />
</div> </div>
<% end %> <% end %>
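Review bot: The new hidden field references a template variable `token` whose origin is not visible here, and the server-side check it feeds only runs when `cbi.submit` is also posted as "1", so the two hidden inputs form one unit that future edits must keep together; a short template comment above the field would record that, e.g. `<%# CSRF token supplied by the dispatcher's view namespace; _form() rejects the POST when it does not match the session token %>`. The enclosing `<% if %>` block starts outside the hunk, so presumably embedded simpleforms rely on the surrounding page's form to carry the token instead.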