s3 swat: Add XSRF protection to viewconfig page
authorKai Blin <kai@samba.org>
Fri, 8 Jul 2011 13:02:53 +0000 (15:02 +0200)
committerKarolin Seeger <kseeger@samba.org>
Tue, 26 Jul 2011 18:47:54 +0000 (20:47 +0200)
Signed-off-by: Kai Blin <kai@samba.org>
(cherry picked from commit b25d00e3c1ff91e7ec5f56ec2ad0d6b3d635d1e3)

source3/web/swat.c

index 95837b4ea5e8fae9fa4ba9c06df4eff75e4e2400..c0917db171c70f99b9878c9bfaa79a7028b11284 100644 (file)
@@ -665,13 +665,20 @@ static void welcome_page(void)
 static void viewconfig_page(void)
 {
        int full_view=0;
+       const char form_name[] = "viewconfig";
+
+       if (!verify_xsrf_token(form_name)) {
+               goto output_page;
+       }
 
        if (cgi_variable("full_view")) {
                full_view = 1;
        }
 
+output_page:
        printf("<H2>%s</H2>\n", _("Current Config"));
        printf("<form method=post>\n");
+       print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
        if (full_view) {
                printf("<input type=submit name=\"normal_view\" value=\"%s\">\n", _("Normal View"));
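Review bot: The failure branch at `if (!verify_xsrf_token(form_name))` silently jumps to `output_page`, which only bypasses the `full_view` toggle and then renders the page as if no form had been posted; nothing in the hunk records why that is acceptable, and a reader may assume the check was meant to reject the request. Since the only state this form carries is a read-only view mode, the fallthrough is a reasonable choice, but it deserves a comment above the `goto`, e.g. `/* A missing or invalid token is not an error here: the page is read-only, so just ignore the submitted view mode and render the default view. */`. Presumably a plain GET of the page (no token yet) also takes this path and should keep working — worth confirming against verify_xsrf_token's behaviour on an absent token, which is outside this hunk. viewconfig_page continues past the end of the hunk.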