From e33970f1c60451a063bb2eeb64f9515c64722508 Mon Sep 17 00:00:00 2001
From: Kai Blin <kai@samba.org>
Date: Fri, 8 Jul 2011 15:03:44 +0200
Subject: [PATCH] s3 swat: Add XSRF protection to wizard page

Signed-off-by: Kai Blin <kai@samba.org>
---
 source3/web/swat.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/source3/web/swat.c b/source3/web/swat.c
index 1775a950c33..3205386621c 100644
--- a/source3/web/swat.c
+++ b/source3/web/swat.c
@@ -761,6 +761,11 @@ static void wizard_page(void)
 	int have_home = -1;
 	int HomeExpo = 0;
 	int SerType = 0;
+	const char form_name[] = "wizard";
+
+	if (!verify_xsrf_token(form_name)) {
+		goto output_page;
+	}
 
 	if (cgi_variable("Rewrite")) {
 		(void) rewritecfg_file();
@@ -852,9 +857,11 @@ static void wizard_page(void)
 
 	role = lp_server_role();
 
+output_page:
 	/* Here we go ... */
 	printf("<H2>%s</H2>\n", _("Samba Configuration Wizard"));
 	printf("<form method=post action=wizard>\n");
+	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
 	if (have_write_access) {
 		printf("%s\n", _("The \"Rewrite smb.conf file\" button will clear the smb.conf file of all default values and of comments."));
-- 
2.11.4.GIT