luci-app-ocserv: protect disconnect action with csrf token
authorJo-Philipp Wich <jow@openwrt.org>
Tue, 20 Oct 2015 22:00:55 +0000 (00:00 +0200)
committerJo-Philipp Wich <jow@openwrt.org>
Tue, 20 Oct 2015 22:00:55 +0000 (00:00 +0200)
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
applications/luci-app-ocserv/luasrc/controller/ocserv.lua
applications/luci-app-ocserv/luasrc/view/ocserv_status.htm

index dbeaaf8524b15368e42766239c0052aadebed6a5..79c6ddb78e12040a63e646e608945f7bf325d6d0 100644 (file)
@@ -28,7 +28,7 @@ function index()
                call("ocserv_status")).leaf = true
 
        entry({"admin", "services", "ocserv", "disconnect"},
-               call("ocserv_disconnect")).leaf = true
+               post("ocserv_disconnect")).leaf = true
 
 end
 
index 138b03915a70ff16dbd48c69168dd976eafccbd0..03a9ed70ee56fa981139f2e604b8bbf42a6df258 100644 (file)
@@ -1,7 +1,7 @@
 <script type="text/javascript">//<![CDATA[
 
        function ocserv_disconnect(idx) {
-               XHR.get('<%=url('admin/services/ocserv/disconnect')%>/' + idx, null,
+               (new XHR()).post('<%=url('admin/services/ocserv/disconnect')%>/' + idx, { token: '<%=token%>' },
                        function(x)
                        {
                                var tb = document.getElementById('ocserv_status_table');