s3 swat: Add XSRF protection to wizard page
authorKai Blin <kai@samba.org>
Fri, 8 Jul 2011 13:03:44 +0000 (15:03 +0200)
committerKarolin Seeger <kseeger@samba.org>
Sun, 24 Jul 2011 18:45:43 +0000 (20:45 +0200)
Signed-off-by: Kai Blin <kai@samba.org>
source/web/swat.c

index b7eec4a88aa262858a4e5585b34237b4cef5970d..b6e0c0f9d8a42137a5af8d73d3ba9587f3966dfa 100644 (file)
@@ -751,6 +751,11 @@ static void wizard_page(void)
        int have_home = -1;
        int HomeExpo = 0;
        int SerType = 0;
+       const char form_name[] = "wizard";
+
+       if (!verify_xsrf_token(form_name)) {
+               goto output_page;
+       }
 
        if (cgi_variable("Rewrite")) {
                (void) rewritecfg_file();
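Review bot: When verify_xsrf_token() fails, the new check jumps straight to the rendering label with no log entry and no notice to the user, so a forged or stale submission is indistinguishable from a normal page view and a legitimate user whose token expired gets no hint why their change was discarded. Because the jump bypasses everything up to `output_page:` (including the reads of the current configuration visible in the second hunk), the form rendered on rejection reflects initial values rather than smb.conf; consider emitting a visible message before the jump, e.g. `printf("<p>%s</p>\n", _("Request rejected: XSRF token missing or invalid."));`, and recording it through the file's usual DEBUG logging. It is not visible here whether a plain GET of the wizard (no token present yet) is accepted by verify_xsrf_token(); if it is not, every first visit also lands on this path, so that is worth confirming. wizard_page() begins before this hunk (only its signature is shown in the hunk header) and continues past it.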
@@ -841,10 +846,12 @@ static void wizard_page(void)
                winstype = 3;
 
        role = lp_server_role();
-       
+
+output_page:
        /* Here we go ... */
        printf("<H2>%s</H2>\n", _("Samba Configuration Wizard"));
        printf("<form method=post action=wizard>\n");
+       print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
        if (have_write_access) {
                printf("%s\n", _("The \"Rewrite smb.conf file\" button will clear the smb.conf file of all default values and of comments."));
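Review bot: The `output_page:` label is placed after `role = lp_server_role();`, so a request that fails the token check skips the read-only gathering of the current server role and WINS type and renders the wizard from whatever initial values `role` and `winstype` carry (their declarations are above the first hunk and not visible here), which can mislead an operator into "fixing" a configuration that was never wrong. If those reads have no side effects, moving the label to just before them so that only the mutating `cgi_variable()` branches are guarded would keep the rendered form honest; the labelled statement would then be the first configuration read rather than the `/* Here we go ... */` comment. The `print_xsrf_token()` call takes `cgi_user_pass()` as input, and since the token derivation lives outside this view a one-line comment such as `/* binds this form to the authenticated user; see print_xsrf_token() */` would help readers judge the strength of the protection. wizard_page() continues past the end of this hunk.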