From: Jo-Philipp Wich <jow@openwrt.org>
Date: Tue, 20 Oct 2015 22:09:55 +0000 (+0200)
Subject: luci-app-splash: protect admin status call with csrf token
X-Git-Url: https://git.archive.openwrt.org/?p=project%2Fluci.git;a=commitdiff_plain;h=c1278f967e90352506900d243888cd3ac9caee9f

luci-app-splash: protect admin status call with csrf token

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
---

diff --git a/applications/luci-app-splash/luasrc/controller/splash/splash.lua b/applications/luci-app-splash/luasrc/controller/splash/splash.lua
index 4add43559..13b8edce6 100644
--- a/applications/luci-app-splash/luasrc/controller/splash/splash.lua
+++ b/applications/luci-app-splash/luasrc/controller/splash/splash.lua
@@ -16,7 +16,7 @@ function index()
 	node("splash", "splash").target   = template("splash_splash/splash")
 	node("splash", "blocked").target  = template("splash/blocked")
 
-	entry({"admin", "status", "splash"}, call("action_status_admin"), _("Client-Splash"))
+	entry({"admin", "status", "splash"}, post("action_status_admin"), _("Client-Splash"))
 
 	local page  = node("splash", "publicstatus")
 	page.target = call("action_status_public")
diff --git a/applications/luci-app-splash/luasrc/view/admin_status/splash.htm b/applications/luci-app-splash/luasrc/view/admin_status/splash.htm
index 23982d449..3415c205d 100644
--- a/applications/luci-app-splash/luasrc/view/admin_status/splash.htm
+++ b/applications/luci-app-splash/luasrc/view/admin_status/splash.htm
@@ -214,7 +214,7 @@ end
 	<fieldset id="cbi-table-table" class="cbi-section">
 		<legend><%:Active Clients%></legend>
 		<div class="cbi-section-node">
-			<% if is_admin then %><form action="<%=REQUEST_URI%>" method="post"><% end %>
+			<% if is_admin then %><form action="<%=REQUEST_URI%>" method="post"><input type="hidden" name="token" value="<%=token%>" /><% end %>
 			<table class="cbi-section-table">
 				<thead>
 					<tr class="cbi-section-table-titles">