From 3f29078fb938be66a0eb43bf50819c5f15e6d606 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Wed, 7 Oct 2015 12:24:51 +0200
Subject: [PATCH] luci-base: protect simpleforms with CSRF tokens

Signed-off-by: Jo-Philipp Wich
---
 modules/luci-base/luasrc/dispatcher.lua          | 9 +++++++++
 modules/luci-base/luasrc/view/cbi/simpleform.htm | 1 +
 2 files changed, 10 insertions(+)

diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index a402d023b..28dfd18bb 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -869,6 +869,15 @@ local function _form(self, ...)
 	local cbi = require "luci.cbi"
 	local tpl = require "luci.template"
 	local http = require "luci.http"
+	local disp = require "luci.dispatcher"
+
+	if http.formvalue("cbi.submit") == "1" and
+	   http.formvalue("token") ~= disp.context.urltoken.stok
+	then
+		http.status(403, "Forbidden")
+		luci.template.render("csrftoken")
+		return
+	end
 
 	local maps = luci.cbi.load(self.model, ...)
 	local state = nil
diff --git a/modules/luci-base/luasrc/view/cbi/simpleform.htm b/modules/luci-base/luasrc/view/cbi/simpleform.htm
index 437a07a8b..78f5c5a54 100644
--- a/modules/luci-base/luasrc/view/cbi/simpleform.htm
+++ b/modules/luci-base/luasrc/view/cbi/simpleform.htm
@@ -2,6 +2,7 @@
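Review bot: The added guard in _form fails open when no session token exists: if `disp.context.urltoken.stok` is nil, a submission that simply omits `token` makes the comparison `nil ~= nil` false and the form is processed, and if `urltoken` itself is nil the `.stok` index raises instead of returning 403. Treat a missing expected token as a rejection, e.g. `local stok = disp.context.urltoken and disp.context.urltoken.stok` followed by `if http.formvalue("cbi.submit") == "1" and (not stok or http.formvalue("token") ~= stok) then`. The rejection path also calls the global `luci.template.render("csrftoken")` while the line above binds `local tpl = require "luci.template"`; `tpl.render("csrftoken")` keeps the function consistent with its own locals. Whether an unauthenticated request can ever reach _form with an empty urltoken is not visible here, so the fail-closed form is the safe default. _form's body continues outside the hunk.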
+
<% end %>
-- 
2.11.0