s3 swat: Add XSRF protection to status page

author Kai Blin <kai@samba.org>

Fri, 8 Jul 2011 10:58:53 +0000 (12:58 +0200)

committer Karolin Seeger <kseeger@samba.org>

Sun, 24 Jul 2011 19:27:13 +0000 (21:27 +0200)
author Kai Blin <kai@samba.org>
Fri, 8 Jul 2011 10:58:53 +0000 (12:58 +0200)
committer Karolin Seeger <kseeger@samba.org>
Sun, 24 Jul 2011 19:27:13 +0000 (21:27 +0200)
diff --git a/source3/web/statuspage.c b/source3/web/statuspage.c

index 7dd1cf55cc0729ce7fe733c86223d983a23721ad..cb8dbdda4a274271fbcd8f1e80bcf27723f3828d 100644 (file)
--- a/source3/web/statuspage.c
+++ b/source3/web/statuspage.c
@@ -247,9 +247,14 @@ void status_page(void)
         int nr_running=0;
         bool waitup = False;
         TALLOC_CTX *ctx = talloc_stackframe();
+       const char form_name[] = "status";
  
         smbd_pid = pid_to_procid(pidfile_pid("smbd"));
  
+       if (!verify_xsrf_token(form_name)) {
+               goto output_page;
+       }
+
         if (cgi_variable("smbd_restart") || cgi_variable("all_restart")) {
                 stop_smbd();
                 start_smbd();
@@ -326,9 +331,11 @@ void status_page(void)
  
         initPid2Machine ();
  
+output_page:
         printf("<H2>%s</H2>\n", _("Server Status"));
  
         printf("<FORM method=post>\n");
+       print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
  
         if (!autorefresh) {
                 printf("<input type=submit value=\"%s\" name=\"autorefresh\">\n", _("Auto Refresh"));
author	Kai Blin <kai@samba.org>
	Fri, 8 Jul 2011 10:58:53 +0000 (12:58 +0200)
committer	Karolin Seeger <kseeger@samba.org>
	Sun, 24 Jul 2011 19:27:13 +0000 (21:27 +0200)