s3 swat: Add XSRF protection to globals page

Signed-off-by: Kai Blin <kai@samba.org>

diff --git a/source3/web/swat.c b/source3/web/swat.c
index ac182dd70767f90ee05437ec96beaeb66eb3c40a..7ce6893af19464a3c629af1fc7e7283c4fe714ae 100644 (file)
--- a/source3/web/swat.c
+++ b/source3/web/swat.c
@@ -934,9 +934,14 @@ static void globals_page(void)
 {
        unsigned int parm_filter = FLAG_BASIC;
        int mode = 0;
+       const char form_name[] = "globals";
 
        printf("<H2>%s</H2>\n", _("Global Parameters"));
 
+       if (!verify_xsrf_token(form_name)) {
+               goto output_page;
+       }
+
        if (cgi_variable("Commit")) {
                commit_parameters(GLOBAL_SECTION_SNUM);
                save_reload(-1);
@@ -949,7 +954,9 @@ static void globals_page(void)
        if ( cgi_variable("AdvMode"))
                mode = 1;
 
+output_page:
        printf("<form name=\"swatform\" method=post action=globals>\n");
+       print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
        ViewModeBoxes( mode );
        switch ( mode ) {