luci-base: dispatcher: reject non-POST requests with any cbi.submit value

Due to the fact that luci.model.cbi reacts on any "cbi.submit" value while
the dispatcher only required POST for cbi.submit == 1, the CSRF token
protection could be bypassed.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index 24681368d708a6d184149ba796fb84f58ae55c5c..c93fd78a1bf358765f4206f8491756eca646fec2 100644 (file)
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -892,7 +892,7 @@ end
 function cbi(model, config)
        return {
                type = "cbi",
-               post = { ["cbi.submit"] = "1" },
+               post = { ["cbi.submit"] = true },
                config = config,
                model = model,
                target = _cbi
@@ -938,7 +938,7 @@ end
 function form(model)
        return {
                type = "cbi",
-               post = { ["cbi.submit"] = "1" },
+               post = { ["cbi.submit"] = true },
                model = model,
                target = _form
        }