From dc3aa10bbc5936aebab88db2ea34b46648839745 Mon Sep 17 00:00:00 2001 From: Kai Blin Date: Fri, 8 Jul 2011 15:04:12 +0200 Subject: [PATCH] s3 swat: Add XSRF protection to globals page Signed-off-by: Kai Blin --- source3/web/swat.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/source3/web/swat.c b/source3/web/swat.c index 3205386621c..7e7addc13a3 100644 --- a/source3/web/swat.c +++ b/source3/web/swat.c @@ -930,9 +930,14 @@ static void globals_page(void) { unsigned int parm_filter = FLAG_BASIC; int mode = 0; + const char form_name[] = "globals"; printf("

%s

\n", _("Global Parameters")); + if (!verify_xsrf_token(form_name)) { + goto output_page; + } + if (cgi_variable("Commit")) { commit_parameters(GLOBAL_SECTION_SNUM); save_reload(-1); @@ -945,7 +950,9 @@ static void globals_page(void) if ( cgi_variable("AdvMode")) mode = 1; +output_page: printf("
\n"); + print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); ViewModeBoxes( mode ); switch ( mode ) { -- 2.11.4.GIT