From: Jo-Philipp Wich Date: Wed, 7 Oct 2015 10:24:51 +0000 (+0200) Subject: luci-base: protect simpleforms with CSRF tokens X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=3f29078fb938be66a0eb43bf50819c5f15e6d606;p=project%2Fluci.git luci-base: protect simpleforms with CSRF tokens Signed-off-by: Jo-Philipp Wich --- diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua index a402d023b3..28dfd18bbe 100644 --- a/modules/luci-base/luasrc/dispatcher.lua +++ b/modules/luci-base/luasrc/dispatcher.lua @@ -869,6 +869,15 @@ local function _form(self, ...) local cbi = require "luci.cbi" local tpl = require "luci.template" local http = require "luci.http" + local disp = require "luci.dispatcher" + + if http.formvalue("cbi.submit") == "1" and + http.formvalue("token") ~= disp.context.urltoken.stok + then + http.status(403, "Forbidden") + luci.template.render("csrftoken") + return + end local maps = luci.cbi.load(self.model, ...) local state = nil diff --git a/modules/luci-base/luasrc/view/cbi/simpleform.htm b/modules/luci-base/luasrc/view/cbi/simpleform.htm index 437a07a8bd..78f5c5a544 100644 --- a/modules/luci-base/luasrc/view/cbi/simpleform.htm +++ b/modules/luci-base/luasrc/view/cbi/simpleform.htm @@ -2,6 +2,7 @@
+
<% end %>