s3 swat: Add XSRF protection to globals page
authorKai Blin <kai@samba.org>
Fri, 8 Jul 2011 13:04:12 +0000 (15:04 +0200)
committerKarolin Seeger <kseeger@samba.org>
Tue, 26 Jul 2011 18:48:03 +0000 (20:48 +0200)
Signed-off-by: Kai Blin <kai@samba.org>
(cherry picked from commit 6ea5fac27f2fef35ea12c24250948e00245aacee)

source3/web/swat.c

index 88efe8e6754bf235593d9f983dee1a2167bf2316..2c99f57829f2d7110c22445a9ab327959df982f2 100644 (file)
@@ -921,9 +921,14 @@ static void globals_page(void)
 {
        unsigned int parm_filter = FLAG_BASIC;
        int mode = 0;
+       const char form_name[] = "globals";
 
        printf("<H2>%s</H2>\n", _("Global Parameters"));
 
+       if (!verify_xsrf_token(form_name)) {
+               goto output_page;
+       }
+
        if (cgi_variable("Commit")) {
                commit_parameters(GLOBAL_SECTION_SNUM);
                save_reload(0);
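Review bot: When `verify_xsrf_token(form_name)` fails, the new guard jumps straight to `output_page` without telling the user or recording anything. A rejected Commit therefore looks like a plain reload, and a forged request leaves no trace unless the helper logs on its own (its body is not in this hunk). A log line before the `goto` would give operators something to detect on, for example `DEBUG(1, ("swat: XSRF token check failed for form %s\n", form_name));`, assuming logging is initialised at this point in the CGI. The jump also skips the view-mode handling visible at the start of the next hunk, so `mode` stays 0. A short comment such as `/* no valid token: skip all request processing and only render the form */` would record that this is deliberate. The body of `globals_page` continues beyond this hunk.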
@@ -936,7 +941,9 @@ static void globals_page(void)
        if ( cgi_variable("AdvMode"))
                mode = 1;
 
+output_page:
        printf("<form name=\"swatform\" method=post action=globals>\n");
+       print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
        ViewModeBoxes( mode );
        switch ( mode ) {
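Review bot: `print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name)` passes the user's password into whatever builds the hidden form field, and the helper's body is not visible in this hunk. If the token is derived only from these three inputs, it would be the same on every request until the password changes, so a token leaked through page source, a cache or a proxy log would stay valid. It is worth confirming that the derivation mixes in a server-side secret or an expiry, and that the password cannot be recovered from the emitted value. Also check that the helper tolerates `cgi_user_name()` or `cgi_user_pass()` returning NULL if this page can be reached without credentials. A one-line comment above the call, such as `/* token binds this form to the authenticated user; see print_xsrf_token() */`, would help the next reader.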