luci-base: protect simpleforms with CSRF tokens
authorJo-Philipp Wich <jow@openwrt.org>
Wed, 7 Oct 2015 10:24:51 +0000 (12:24 +0200)
committerJo-Philipp Wich <jow@openwrt.org>
Wed, 7 Oct 2015 10:24:58 +0000 (12:24 +0200)
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
modules/luci-base/luasrc/dispatcher.lua
modules/luci-base/luasrc/view/cbi/simpleform.htm

index a402d02..28dfd18 100644 (file)
@@ -869,6 +869,15 @@ local function _form(self, ...)
        local cbi = require "luci.cbi"
        local tpl = require "luci.template"
        local http = require "luci.http"
+       local disp = require "luci.dispatcher"
+
+       if http.formvalue("cbi.submit") == "1" and
+          http.formvalue("token") ~= disp.context.urltoken.stok
+       then
+               http.status(403, "Forbidden")
+               luci.template.render("csrftoken")
+               return
+       end
 
        local maps = luci.cbi.load(self.model, ...)
        local state = nil
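Review bot: The comparison on L17–L18 admits a submission whenever `disp.context.urltoken.stok` is nil, because a request that simply omits the `token` field then evaluates `nil ~= nil`, which is false, and the 403 branch is skipped; whether `stok` can be unset on this path is not visible here, but the guard should require a token to exist, e.g. `if http.formvalue("cbi.submit") == "1" and (not disp.context.urltoken.stok or http.formvalue("token") ~= disp.context.urltoken.stok)`. The rejection branch calls `luci.template.render("csrftoken")` although the function already holds `local tpl = require "luci.template"` on L13; `tpl.render("csrftoken")` keeps the block consistent with the locals it declares. Since this section is dispatcher.lua itself (L7), re-requiring `luci.dispatcher` to reach `context` looks redundant — `context.urltoken.stok` is presumably already in module scope, worth confirming. `_form` starts before the hunk and continues past it.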
index 437a07a..78f5c5a 100644 (file)
@@ -2,6 +2,7 @@
 <form method="post" enctype="multipart/form-data" action="<%=REQUEST_URI%>">
        <div>
                <script type="text/javascript" src="<%=resource%>/cbi.js"></script>
+               <input type="hidden" name="token" value="<%=token%>" />
                <input type="hidden" name="cbi.submit" value="1" />
        </div>
 <% end %>
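Review bot: The hidden input on L32 depends on a `token` variable being supplied by the view environment, and this commit does not show where it is set; if it is nil the field is rendered empty (or the template fails, depending on how `<%= %>` handles nil) and every submit of this form is then rejected by the dispatcher's new check. A short template comment such as `<%# CSRF token: must match the session token the dispatcher compares on cbi.submit %>` above the input would document the coupling for the next maintainer. The form element continues outside the hunk.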