luci-mod-admin-full: switch to POST actions for UCI changes

Switches UCI apply/revert/save to CSRF token protected POST actions. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
2015-10-06 22:29:07 +02:00 · 2015-10-06 22:29:07 +02:00 · e440144d56
commit e440144d56
parent 9b75d8ec36
2 changed files with 11 additions and 8 deletions
--- a/modules/luci-mod-admin-full/luasrc/controller/admin/uci.lua
+++ b/modules/luci-mod-admin-full/luasrc/controller/admin/uci.lua
@ -1,5 +1,5 @@
 -- Copyright 2008 Steven Barth <steven@midlink.org>
-- Copyright 2010 Jo-Philipp Wich <jow@openwrt.org>
+-- Copyright 2010-2015 Jo-Philipp Wich <jow@openwrt.org>
 -- Licensed to the public under the Apache License 2.0.
 module("luci.controller.admin.uci", package.seeall)
@ -10,9 +10,9 @@ function index()
 	entry({"admin", "uci"}, nil, _("Configuration"))
 	entry({"admin", "uci", "changes"}, call("action_changes"), _("Changes"), 40).query = {redir=redir}
-	entry({"admin", "uci", "revert"}, call("action_revert"), _("Revert"), 30).query = {redir=redir}
+	entry({"admin", "uci", "revert"}, post("action_revert"), _("Revert"), 30).query = {redir=redir}
-	entry({"admin", "uci", "apply"}, call("action_apply"), _("Apply"), 20).query = {redir=redir}
+	entry({"admin", "uci", "apply"}, post("action_apply"), _("Apply"), 20).query = {redir=redir}
-	entry({"admin", "uci", "saveapply"}, call("action_apply"), _("Save &#38; Apply"), 10).query = {redir=redir}
+	entry({"admin", "uci", "saveapply"}, post("action_apply"), _("Save &#38; Apply"), 10).query = {redir=redir}
 end
 function action_changes()
--- a/modules/luci-mod-admin-full/luasrc/view/admin_uci/changes.htm
+++ b/modules/luci-mod-admin-full/luasrc/view/admin_uci/changes.htm
@ -1,6 +1,6 @@
 <%#
 Copyright 2008 Steven Barth <steven@midlink.org>
- Copyright 2008 Jo-Philipp Wich <jow@openwrt.org>
+ Copyright 2008-2015 Jo-Philipp Wich <jow@openwrt.org>
 Licensed to the public under the Apache License 2.0.
 -%>
@ -25,15 +25,18 @@
 	<% end %>
 	<div style="text-align:right">
-		<form class="inline" method="get" action="<%=controller%>/admin/uci/apply">
+		<form class="inline" method="post" action="<%=controller%>/admin/uci/apply">
 			<input type="hidden" name="token" value="<%=token%>" />
 			<input type="hidden" name="redir" value="<%=pcdata(luci.http.formvalue("redir"))%>" />
 			<input class="cbi-button cbi-button-apply" type="submit" value="<%:Apply%>" />
 		</form>
-		<form class="inline" method="get" action="<%=controller%>/admin/uci/saveapply">
+		<form class="inline" method="post" action="<%=controller%>/admin/uci/saveapply">
 			<input type="hidden" name="token" value="<%=token%>" />
 			<input type="hidden" name="redir" value="<%=pcdata(luci.http.formvalue("redir"))%>" />
 			<input class="cbi-button cbi-button-save" type="submit" value="<%:Save & Apply%>" />
 		</form>
-		<form class="inline" method="get" action="<%=controller%>/admin/uci/revert">
+		<form class="inline" method="post" action="<%=controller%>/admin/uci/revert">
 			<input type="hidden" name="token" value="<%=token%>" />
 			<input type="hidden" name="redir" value="<%=pcdata(luci.http.formvalue("redir"))%>" />
 			<input class="cbi-button cbi-button-reset" type="submit" value="<%:Revert%>" />
 		</form>