projects / project / luci.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ac34dfa)
luci-app-splash: protect admin status call with csrf token
authorJo-Philipp Wich <jow@openwrt.org>
Tue, 20 Oct 2015 22:09:55 +0000 (00:09 +0200)
committerJo-Philipp Wich <jow@openwrt.org>
Tue, 20 Oct 2015 22:09:55 +0000 (00:09 +0200)
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
applications/luci-app-splash/luasrc/controller/splash/splash.lua patch | blob | history
applications/luci-app-splash/luasrc/view/admin_status/splash.htm patch | blob | history

diff --git a/applications/luci-app-splash/luasrc/controller/splash/splash.lua b/applications/luci-app-splash/luasrc/controller/splash/splash.lua
index 4add435..13b8edc 100644 (file)
--- a/applications/luci-app-splash/luasrc/controller/splash/splash.lua
+++ b/applications/luci-app-splash/luasrc/controller/splash/splash.lua
@@ -16,7 +16,7 @@ function index()
        node("splash", "splash").target   = template("splash_splash/splash")
        node("splash", "blocked").target  = template("splash/blocked")
 
        node("splash", "splash").target   = template("splash_splash/splash")
        node("splash", "blocked").target  = template("splash/blocked")
 
-       entry({"admin", "status", "splash"}, call("action_status_admin"), _("Client-Splash"))
+       entry({"admin", "status", "splash"}, post("action_status_admin"), _("Client-Splash"))
 
        local page  = node("splash", "publicstatus")
        page.target = call("action_status_public")
 
        local page  = node("splash", "publicstatus")
        page.target = call("action_status_public")
diff --git a/applications/luci-app-splash/luasrc/view/admin_status/splash.htm b/applications/luci-app-splash/luasrc/view/admin_status/splash.htm
index 23982d4..3415c20 100644 (file)
--- a/applications/luci-app-splash/luasrc/view/admin_status/splash.htm
+++ b/applications/luci-app-splash/luasrc/view/admin_status/splash.htm
@@ -214,7 +214,7 @@ end
        <fieldset id="cbi-table-table" class="cbi-section">
                <legend><%:Active Clients%></legend>
                <div class="cbi-section-node">
        <fieldset id="cbi-table-table" class="cbi-section">
                <legend><%:Active Clients%></legend>
                <div class="cbi-section-node">
-                       <% if is_admin then %><form action="<%=REQUEST_URI%>" method="post"><% end %>
+                       <% if is_admin then %><form action="<%=REQUEST_URI%>" method="post"><input type="hidden" name="token" value="<%=token%>" /><% end %>
                        <table class="cbi-section-table">
                                <thead>
                                        <tr class="cbi-section-table-titles">
                        <table class="cbi-section-table">
                                <thead>
                                        <tr class="cbi-section-table-titles">
Lua Configuration Interface (mirror)