luci-base: protect CBI forms with CSRF tokens
author Jo-Philipp Wich <jow@openwrt.org>
Tue, 6 Oct 2015 16:54:35 +0000 (18:54 +0200)
committer Jo-Philipp Wich <jow@openwrt.org>
Tue, 6 Oct 2015 16:54:35 +0000 (18:54 +0200)
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
modules/luci-base/luasrc/dispatcher.lua
modules/luci-base/luasrc/view/cbi/header.htm

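index 798e3e6..a402d02 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -743,6 +743,15 @@ local function _cbi(self, ...)
        local cbi = require "luci.cbi"
        local tpl = require "luci.template"
        local http = require "luci.http"
+       local disp = require "luci.dispatcher"
+
+       if http.formvalue("cbi.submit") == "1" and
+          http.formvalue("token") ~= disp.context.urltoken.stok
+       then
+               http.status(403, "Forbidden")
+               luci.template.render("csrftoken")
+               return
+       end
 
        local config = self.config or {}
        local maps = cbi.load(self.model, ...)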
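Review bot: The new guard in `_cbi` fails open when no session token exists: `http.formvalue("token")` yields nil for an absent field, and if `disp.context.urltoken.stok` is also nil the `~=` test is false and the submission is processed as if it carried a valid token. Whether any CBI page is reachable without a session token cannot be seen from this hunk, but the check should fail closed regardless, e.g. `local stok = disp.context.urltoken.stok` followed by `if http.formvalue("cbi.submit") == "1" and (not stok or http.formvalue("token") ~= stok) then`. The guard is also gated on `cbi.submit == "1"`; if luci.cbi acts on any other form field (section add/remove buttons, apply) without that marker, a forged request can simply omit it, so running the token check on every POST to a CBI node would be safer. As a point of style, the 403 branch calls `luci.template.render` through the global although the hunk already binds `local tpl = require "luci.template"` two lines up, and since this file is dispatcher.lua the `require "luci.dispatcher"` appears to re-enter the module being defined rather than use its own `context`. The body of `_cbi` continues past the end of the hunk.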
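index 2bddaba..302df1d 100644
--- a/modules/luci-base/luasrc/view/cbi/header.htm
+++ b/modules/luci-base/luasrc/view/cbi/header.htm
@@ -2,6 +2,7 @@
 <form method="post" name="cbi" action="<%=REQUEST_URI%>" enctype="multipart/form-data" onreset="return cbi_validate_reset(this)" onsubmit="return cbi_validate_form(this, '<%:Some fields are invalid, cannot save values!%>')">
        <div>
                <script type="text/javascript" src="<%=resource%>/cbi.js"></script>
+               <input type="hidden" name="token" value="<%=token%>" />
                <input type="hidden" name="cbi.submit" value="1" />
                <input type="submit" value="<%:Save%>" class="hidden" />
        </div>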
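Review bot: `<%=token%>` writes the value into an HTML attribute unescaped, and nothing in this commit shows where `token` is set or that it is restricted to attribute-safe characters; unless it is guaranteed to be a fixed-alphabet random string, it should go through the escaping helper used elsewhere in LuCI views, e.g. `value="<%=pcdata(token)%>"`. The commit also does not show the dispatcher exporting `token` into the view namespace, so if it is nil here the hidden field renders empty and every save would now hit the 403 path — worth confirming on a live page. Any form or script that POSTs to a CBI node without rendering this header will likewise carry no token and be rejected, which is presumably intended but should be noted in the commit message.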