luci-base: dispatcher expose test_post_security()
Allows external code to perform POST and token checking manually. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
parent
79383f5a74
commit
d32c685039
1 changed files with 17 additions and 9 deletions
|
@ -172,6 +172,22 @@ local function require_post_security(target)
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
|
|
||||||
|
function test_post_security()
|
||||||
|
if http.getenv("REQUEST_METHOD") ~= "POST" then
|
||||||
|
http.status(405, "Method Not Allowed")
|
||||||
|
http.header("Allow", "POST")
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
|
||||||
|
if http.formvalue("token") ~= context.authtoken then
|
||||||
|
http.status(403, "Forbidden")
|
||||||
|
luci.template.render("csrftoken")
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
|
||||||
|
return true
|
||||||
|
end
|
||||||
|
|
||||||
function dispatch(request)
|
function dispatch(request)
|
||||||
--context._disable_memtrace = require "luci.debug".trap_memtrace("l")
|
--context._disable_memtrace = require "luci.debug".trap_memtrace("l")
|
||||||
local ctx = context
|
local ctx = context
|
||||||
|
@ -376,15 +392,7 @@ function dispatch(request)
|
||||||
end
|
end
|
||||||
|
|
||||||
if c and require_post_security(c.target) then
|
if c and require_post_security(c.target) then
|
||||||
if http.getenv("REQUEST_METHOD") ~= "POST" then
|
if not test_post_security(c) then
|
||||||
http.status(405, "Method Not Allowed")
|
|
||||||
http.header("Allow", "POST")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
if http.formvalue("token") ~= ctx.authtoken then
|
|
||||||
http.status(403, "Forbidden")
|
|
||||||
luci.template.render("csrftoken")
|
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
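Review bot: In the new `test_post_security()`, the token check `http.formvalue("token") ~= context.authtoken` passes when both sides are nil, so a caller that runs it before a session token has been set would accept a POST that carries no token at all; this matters more now that the function is exported for external code. Consider failing closed with `local token = context.authtoken` followed by `if not token or http.formvalue("token") ~= token then`. Whether `context.authtoken` can be unset at that point is not visible in these hunks, so confirm it against the session setup. The function is declared without parameters, yet dispatch() calls it as `test_post_security(c)`, so either drop the argument or declare and use it. A false return means the 405 or 403 response has already been written, so a short doc comment telling callers to return immediately without emitting further output would help external users.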