From b9ed03c5a9a52c17b30f3fb61b81ce1c2ee0ea6e Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Tue, 20 Oct 2015 23:58:01 +0200
Subject: [PATCH] luci-app-ddns: protect start/stop actions with csrf token
Signed-off-by: Jo-Philipp Wich
---
 applications/luci-app-ddns/luasrc/controller/ddns.lua | 2 +-
 applications/luci-app-ddns/luasrc/view/ddns/overview_status.htm | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/applications/luci-app-ddns/luasrc/controller/ddns.lua b/applications/luci-app-ddns/luasrc/controller/ddns.lua
index 946dfefbc..4fbd3c3fc 100644
--- a/applications/luci-app-ddns/luasrc/controller/ddns.lua
+++ b/applications/luci-app-ddns/luasrc/controller/ddns.lua
@@ -38,7 +38,7 @@ function index()
 {hideapplybtn=true, hidesavebtn=true, hideresetbtn=true}), nil ).leaf = true
 entry( {"admin", "services", "ddns", "global"}, cbi("ddns/global"), nil ).leaf = true
 entry( {"admin", "services", "ddns", "logview"}, call("logread") ).leaf = true
- entry( {"admin", "services", "ddns", "startstop"}, call("startstop") ).leaf = true
+ entry( {"admin", "services", "ddns", "startstop"}, post("startstop") ).leaf = true
 entry( {"admin", "services", "ddns", "status"}, call("status") ).leaf = true
 end
diff --git a/applications/luci-app-ddns/luasrc/view/ddns/overview_status.htm b/applications/luci-app-ddns/luasrc/view/ddns/overview_status.htm
index 546481222..b6d4ebb9f 100644
--- a/applications/luci-app-ddns/luasrc/view/ddns/overview_status.htm
+++ b/applications/luci-app-ddns/luasrc/view/ddns/overview_status.htm
@@ -136,7 +136,7 @@
 // do start/stop
 var btnXHR = new XHR();
- btnXHR.get('<%=url('admin/services/ddns/startstop')%>/' + section + '/' + cbx.checked, null,
+ btnXHR.post('<%=url('admin/services/ddns/startstop')%>/' + section + '/' + cbx.checked, { token: '<%=token%>' },
 function(x, data) {
 if (x.responseText == "_uncommitted_") {
 // we need a trick to display Ampersand "&" in stead of "&" or "&"
--
2.11.0
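Review bot: In the ddns.lua hunk, the `startstop` route becomes the only `post()` entry among `call()` siblings with nothing on the line saying why, so a later cleanup could switch it back to `call()` and silently drop the POST-and-token requirement. I would add a comment directly above it, for example `-- state-changing action: keep post() so the dispatcher requires POST and a valid token`. The `logview` and `status` entries stay on `call()`, which is acceptable only while those handlers remain read-only; their bodies are outside this hunk, so that is worth confirming. `index()` itself begins before the hunk.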
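Review bot: In the overview_status.htm hunk, the new `btnXHR.post(...)` call still builds the request path by concatenating `section` unencoded, so a value containing `/`, `?` or `#` would change which path segments the controller receives; I would write `'/' + encodeURIComponent(section) + '/' + cbx.checked`. Where `section` is assigned lies outside the hunk, and UCI section names are normally restricted to a safe character set, so treat this as hardening rather than a known bug. Separately, now that the endpoint can refuse a request (a stale token after the session is renewed, presumably), the callback should check `x.status` for a rejection instead of only comparing `x.responseText`; only its first lines are visible here.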