From a887d8446bc74b255682a4047cb5616fe236bcaf Mon Sep 17 00:00:00 2001
From: Kai Blin <kai@samba.org>
Date: Fri, 8 Jul 2011 15:03:15 +0200
Subject: [PATCH] s3 swat: Add XSRF protection to wizard_params page

Signed-off-by: Kai Blin <kai@samba.org>
---
 source3/web/swat.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/source3/web/swat.c b/source3/web/swat.c
index 66c372c45d0..1775a950c33 100644
--- a/source3/web/swat.c
+++ b/source3/web/swat.c
@@ -707,18 +707,25 @@ output_page:
 static void wizard_params_page(void)
 {
 	unsigned int parm_filter = FLAG_WIZARD;
+	const char form_name[] = "wizard_params";
 
 	/* Here we first set and commit all the parameters that were selected
  	   in the previous screen. */
 
 	printf("<H2>%s</H2>\n", _("Wizard Parameter Edit Page"));
 
+	if (!verify_xsrf_token(form_name)) {
+		goto output_page;
+	}
+
 	if (cgi_variable("Commit")) {
 		commit_parameters(GLOBAL_SECTION_SNUM);
 		save_reload(-1);
 	}
 
+output_page:
 	printf("<form name=\"swatform\" method=post action=wizard_params>\n");
+	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
 	if (have_write_access) {
 		printf("<input type=submit name=\"Commit\" value=\"Commit Changes\">\n");
-- 
2.11.4.GIT