luci-app-privoxy: protect start/stop actions with csrf token
authorJo-Philipp Wich <jow@openwrt.org>
Tue, 20 Oct 2015 22:03:03 +0000 (00:03 +0200)
committerJo-Philipp Wich <jow@openwrt.org>
Tue, 20 Oct 2015 22:03:03 +0000 (00:03 +0200)
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
applications/luci-app-privoxy/luasrc/controller/privoxy.lua
applications/luci-app-privoxy/luasrc/view/privoxy/detail_startstop.htm

index 58ba80724c6e362428ec10f64af2ffb1a72598e7..0cedab48ae80076bf08ba28b90573ab54058da95 100644 (file)
@@ -15,7 +15,7 @@ PRIVOXY_MIN = "3.0.22-0"      -- minimum version of service required
 function index()
        entry( {"admin", "services", "privoxy"}, cbi("privoxy"), _("Privoxy WEB proxy"), 59)
        entry( {"admin", "services", "privoxy", "logview"}, call("logread") ).leaf = true
-       entry( {"admin", "services", "privoxy", "startstop"}, call("startstop") ).leaf = true
+       entry( {"admin", "services", "privoxy", "startstop"}, post("startstop") ).leaf = true
        entry( {"admin", "services", "privoxy", "status"}, call("get_pid") ).leaf = true
 end
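Review bot: The `startstop` entry on the new side has no comment saying why it alone is registered with `post(...)` while `logview` and `status` stay on `call(...)`. A later tidy-up could switch it back and silently drop the CSRF protection named in the commit title. I would add `-- state-changing: keep post() so start/stop requires a POST carrying the session token` directly above it. The `logread` and `get_pid` handlers are outside the hunk, and leaving them on `call(...)` is only appropriate if they are read-only, which is worth confirming.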
 
index 8c97daeee2f09cec629d211c12ada5732a183bd9..85975ac7d16a7c9d139c3f9aa88909983f22a3c0 100644 (file)
@@ -21,7 +21,7 @@
        function onclick_startstop(id) {
                // do start/stop
                var btnXHR = new XHR();
-               btnXHR.get('<%=url('admin/services/privoxy/startstop')%>', null,
+               btnXHR.post('<%=url('admin/services/privoxy/startstop')%>', { token: '<%=token%>' },
                        function(x) { _data2elements(x); }
                );
        }
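Review bot: The callback passed to `btnXHR.post(...)` still hands every response to `_data2elements(x)`, so a request the server now refuses, for example because the page's token is stale, is processed like a normal status reply. `_data2elements` is defined outside the hunk, so its handling of an error response is inferred rather than seen. Assuming `x` is the XMLHttpRequest object, a guard such as `function(x) { if (x && x.status == 200) _data2elements(x); }` would keep a rejection from being rendered as service state. The else branch could tell the user to reload the page. Separately, the `id` parameter of `onclick_startstop` is unused in the visible lines.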