swat: Use additional nonce on XSRF protection

[samba.git] / source3 / web / swat.c

diff --git a/source3/web/swat.c b/source3/web/swat.c
index d2bbee40c342abba0e15d464f0bb5cfeeee222a8..25a041f621ebb741267a55f781f03074c6400418 100644 (file)
--- a/source3/web/swat.c
+++ b/source3/web/swat.c
@@ -148,6 +148,7 @@ void get_xsrf_token(const char *username, const char *pass,
        struct MD5Context md5_ctx;
        uint8_t token[16];
        int i;
+       char *nonce = cgi_nonce();
 
        token_str[0] = '\0';
        ZERO_STRUCT(md5_ctx);
@@ -161,6 +162,7 @@ void get_xsrf_token(const char *username, const char *pass,
        if (pass != NULL) {
                MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
        }
+       MD5Update(&md5_ctx, (uint8_t *)nonce, strlen(nonce));
 
        MD5Final(token, &md5_ctx);