luci-app-ddns: protect start/stop actions with csrf token
authorJo-Philipp Wich <jow@openwrt.org>
Tue, 20 Oct 2015 21:58:01 +0000 (23:58 +0200)
committerJo-Philipp Wich <jow@openwrt.org>
Tue, 20 Oct 2015 21:58:01 +0000 (23:58 +0200)
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
applications/luci-app-ddns/luasrc/controller/ddns.lua
applications/luci-app-ddns/luasrc/view/ddns/overview_status.htm

index 946dfef..4fbd3c3 100644 (file)
@@ -38,7 +38,7 @@ function index()
                {hideapplybtn=true, hidesavebtn=true, hideresetbtn=true}), nil ).leaf = true
        entry( {"admin", "services", "ddns", "global"}, cbi("ddns/global"), nil ).leaf = true
        entry( {"admin", "services", "ddns", "logview"}, call("logread") ).leaf = true
                {hideapplybtn=true, hidesavebtn=true, hideresetbtn=true}), nil ).leaf = true
        entry( {"admin", "services", "ddns", "global"}, cbi("ddns/global"), nil ).leaf = true
        entry( {"admin", "services", "ddns", "logview"}, call("logread") ).leaf = true
-       entry( {"admin", "services", "ddns", "startstop"}, call("startstop") ).leaf = true
+       entry( {"admin", "services", "ddns", "startstop"}, post("startstop") ).leaf = true
        entry( {"admin", "services", "ddns", "status"}, call("status") ).leaf = true
 end
 
        entry( {"admin", "services", "ddns", "status"}, call("status") ).leaf = true
 end
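Review bot: The switch to `post("startstop")` is not explained in the controller, and a later maintainer seeing the neighbouring `call("logread")` and `call("status")` entries could well "normalise" it back to `call()`; a one-line comment on the new entry would prevent that, e.g. `-- startstop changes service state: post() enforces POST + CSRF token, unlike the read-only call() entries above`. The `status` and `logview` entries are read-only and plausibly fine on GET, but if `status` ever gains side effects it should move to `post()` as well. The enclosing `index()` function starts before this hunk.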
 
index 5464812..b6d4ebb 100644 (file)
 
                // do start/stop
                var btnXHR = new XHR();
 
                // do start/stop
                var btnXHR = new XHR();
-               btnXHR.get('<%=url('admin/services/ddns/startstop')%>/' + section + '/' + cbx.checked, null,
+               btnXHR.post('<%=url('admin/services/ddns/startstop')%>/' + section + '/' + cbx.checked, { token: '<%=token%>' },
                        function(x, data) {
                                if (x.responseText == "_uncommitted_") {
                                        // we need a trick to display Ampersand "&" in stead of "&#38;" or "&amp;"
                        function(x, data) {
                                if (x.responseText == "_uncommitted_") {
                                        // we need a trick to display Ampersand "&" in stead of "&#38;" or "&amp;"
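Review bot: The new `post()` call still splices `section` and `cbx.checked` into the URL path with plain `+` concatenation, so a section name containing `/`, `?` or `#` would alter the route rather than be passed as a path segment; the CSRF token only authorises the request, it does not make the path safe. `section` is presumably a UCI section identifier generated server-side, but encoding it costs nothing: `btnXHR.post('<%=url('admin/services/ddns/startstop')%>/' + encodeURIComponent(section) + '/' + cbx.checked, { token: '<%=token%>' },`. It would also be worth a comment that `token` must be sent in the POST body (not the query string) for the dispatcher's `post()` check to accept it — if that is how the dispatcher looks it up, which is not visible here. The enclosing function begins before this hunk and the `function(x, data)` callback continues past its end.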