luci-base: protect simpleforms with CSRF tokens
authorJo-Philipp Wich <jow@openwrt.org>
Wed, 7 Oct 2015 10:24:51 +0000 (12:24 +0200)
committerJo-Philipp Wich <jow@openwrt.org>
Wed, 7 Oct 2015 10:24:58 +0000 (12:24 +0200)
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
modules/luci-base/luasrc/dispatcher.lua
modules/luci-base/luasrc/view/cbi/simpleform.htm

index a402d023b352d38157756e5f2d6fa6a87816a8ee..28dfd18bbef57ab45d89157b3c8ffc64ea9b32a4 100644 (file)
@@ -869,6 +869,15 @@ local function _form(self, ...)
        local cbi = require "luci.cbi"
        local tpl = require "luci.template"
        local http = require "luci.http"
+       local disp = require "luci.dispatcher"
+
+       if http.formvalue("cbi.submit") == "1" and
+          http.formvalue("token") ~= disp.context.urltoken.stok
+       then
+               http.status(403, "Forbidden")
+               luci.template.render("csrftoken")
+               return
+       end
 
        local maps = luci.cbi.load(self.model, ...)
        local state = nil
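Review bot: The new guard passes whenever both sides of the comparison are nil, because `nil ~= nil` is false: if `disp.context.urltoken.stok` is unset for a request that still reaches `_form`, a POST with no `token` field clears the CSRF check. Whether an authenticated request can arrive here without a stok is not visible in this hunk, so if that is possible the condition should also require the token to exist, e.g. `local stok = disp.context.urltoken.stok` followed by `if http.formvalue("cbi.submit") == "1" and (not stok or http.formvalue("token") ~= stok) then`. The rejection path calls `luci.template.render("csrftoken")` through the global even though `tpl` is already required earlier in the same function; `tpl.render("csrftoken")` keeps the block consistent. Since this function lives in dispatcher.lua itself, the added `require "luci.dispatcher"` self-reference may be redundant if `context` is already in module scope — worth confirming. `_form` starts before and continues after this hunk.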
index 437a07a8bdbcc250517a841c9051c2a92195ec3f..78f5c5a544b440c39b05eae7a452d77bd797aaea 100644 (file)
@@ -2,6 +2,7 @@
 <form method="post" enctype="multipart/form-data" action="<%=REQUEST_URI%>">
        <div>
                <script type="text/javascript" src="<%=resource%>/cbi.js"></script>
+               <input type="hidden" name="token" value="<%=token%>" />
                <input type="hidden" name="cbi.submit" value="1" />
        </div>
 <% end %>
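Review bot: The hidden field emits `token` unescaped via `<%=token%>`; if the value is always a server-generated session token this is harmless, but `<%=pcdata(token)%>` costs nothing and keeps the template safe should the token format ever change. The field only works if `token` is exposed in the template namespace, which this hunk does not show — a short template comment such as `<%# CSRF token, compared against urltoken.stok in the dispatcher %>` above the input would tie the field to the server-side check for the next reader.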