luci-app-privoxy: protect start/stop actions with csrf token

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

applications/luci-app-privoxy/luasrc/controller/privoxy.lua

@@ -15,7 +15,7 @@ PRIVOXY_MIN = "3.0.22-0"	-- minimum version of service required
 function index()
 	entry( {"admin", "services", "privoxy"}, cbi("privoxy"), _("Privoxy WEB proxy"), 59)
 	entry( {"admin", "services", "privoxy", "logview"}, call("logread") ).leaf = true
-	entry( {"admin", "services", "privoxy", "startstop"}, call("startstop") ).leaf = true
+	entry( {"admin", "services", "privoxy", "startstop"}, post("startstop") ).leaf = true
 	entry( {"admin", "services", "privoxy", "status"}, call("get_pid") ).leaf = true
 end
 

applications/luci-app-privoxy/luasrc/view/privoxy/detail_startstop.htm

@@ -21,7 +21,7 @@
 	function onclick_startstop(id) {
 		// do start/stop
 		var btnXHR = new XHR();
-		btnXHR.get('<%=url('admin/services/privoxy/startstop')%>', null,
+		btnXHR.post('<%=url('admin/services/privoxy/startstop')%>', { token: '<%=token%>' },
 			function(x) { _data2elements(x); }
 		);
 	}