projects / project / luci.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b9ed03c)
luci-app-ocserv: protect disconnect action with csrf token
authorJo-Philipp Wich <jow@openwrt.org>
Tue, 20 Oct 2015 22:00:55 +0000 (00:00 +0200)
committerJo-Philipp Wich <jow@openwrt.org>
Tue, 20 Oct 2015 22:00:55 +0000 (00:00 +0200)
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
applications/luci-app-ocserv/luasrc/controller/ocserv.lua patch | blob | history
applications/luci-app-ocserv/luasrc/view/ocserv_status.htm patch | blob | history

diff --git a/applications/luci-app-ocserv/luasrc/controller/ocserv.lua b/applications/luci-app-ocserv/luasrc/controller/ocserv.lua
index dbeaaf8..79c6ddb 100644 (file)
--- a/applications/luci-app-ocserv/luasrc/controller/ocserv.lua
+++ b/applications/luci-app-ocserv/luasrc/controller/ocserv.lua
@@ -28,7 +28,7 @@ function index()
                call("ocserv_status")).leaf = true
 
        entry({"admin", "services", "ocserv", "disconnect"},
                call("ocserv_status")).leaf = true
 
        entry({"admin", "services", "ocserv", "disconnect"},
-               call("ocserv_disconnect")).leaf = true
+               post("ocserv_disconnect")).leaf = true
 
 end
 
 
 end
 
diff --git a/applications/luci-app-ocserv/luasrc/view/ocserv_status.htm b/applications/luci-app-ocserv/luasrc/view/ocserv_status.htm
index 138b039..03a9ed7 100644 (file)
--- a/applications/luci-app-ocserv/luasrc/view/ocserv_status.htm
+++ b/applications/luci-app-ocserv/luasrc/view/ocserv_status.htm
@@ -1,7 +1,7 @@
 <script type="text/javascript">//<![CDATA[
 
        function ocserv_disconnect(idx) {
 <script type="text/javascript">//<![CDATA[
 
        function ocserv_disconnect(idx) {
-               XHR.get('<%=url('admin/services/ocserv/disconnect')%>/' + idx, null,
+               (new XHR()).post('<%=url('admin/services/ocserv/disconnect')%>/' + idx, { token: '<%=token%>' },
                        function(x)
                        {
                                var tb = document.getElementById('ocserv_status_table');
                        function(x)
                        {
                                var tb = document.getElementById('ocserv_status_table');
Lua Configuration Interface (mirror)