luci-base: fix CSRF prevention for arcombine targets
The dispatcher failed to propagate the child target post security
requirements to the arcombine() dispatch target so far - fix this
by recursively testing the post security requirements.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit f8c6eb67cd)
This commit is contained in:
Jo-Philipp Wich
parent
f59d069d12
commit
ce63a03692
1 changed files with 6 additions and 2 deletions
|
|
@ -149,7 +149,11 @@ function httpdispatch(request, prefix)
|
||||||
--context._disable_memtrace()
|
--context._disable_memtrace()
|
||||||
end
|
end
|
||||||
|
|
||||||
local function require_post_security(target)
|
local function require_post_security(target, args)
|
||||||
|
if type(target) == "table" and target.type == "arcombine" and type(target.targets) == "table" then
|
||||||
|
return require_post_security((type(args) == "table" and #args > 0) and target.targets[2] or target.targets[1], args)
|
||||||
|
end
|
||||||
|
|
||||||
if type(target) == "table" then
|
if type(target) == "table" then
|
||||||
if type(target.post) == "table" then
|
if type(target.post) == "table" then
|
||||||
local param_name, required_val, request_val
|
local param_name, required_val, request_val
|
||||||
|
|
@ -470,7 +474,7 @@ function dispatch(request)
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
if c and require_post_security(c.target) then
|
if c and require_post_security(c.target, args) then
|
||||||
if not test_post_security(c) then
|
if not test_post_security(c) then
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue