s3 swat: Add XSRF protection to status page

Signed-off-by: Kai Blin <kai@samba.org> (cherry picked from commit 8af2d4c60a9bad18ef1b37d4034f11c6008efcfa)
author: Kai Blin <kai@samba.org> 2011-07-08 12:58:53 +0200
committer: Karolin Seeger <kseeger@samba.org> 2011-07-26 20:47:50 +0200
commit: 4649eea66824a8096ea8d8faa63b804ba5336227 (patch)
tree: 3bf6ae9b5673c1d2bda04f888ce71ad29ffcaad1
parent: 387ab46cfc6d501fefe6b5fcdf266c0280cbcd95 (diff)
download: samba-4649eea66824a8096ea8d8faa63b804ba5336227.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/source3/web/statuspage.c b/source3/web/statuspage.c
index 7dd1cf55cc0..cb8dbdda4a2 100644
--- a/source3/web/statuspage.c
+++ b/source3/web/statuspage.c
@@ -247,9 +247,14 @@ void status_page(void)
 	int nr_running=0;
 	bool waitup = False;
 	TALLOC_CTX *ctx = talloc_stackframe();
+	const char form_name[] = "status";
 
 	smbd_pid = pid_to_procid(pidfile_pid("smbd"));
 
+	if (!verify_xsrf_token(form_name)) {
+		goto output_page;
+	}
+
 	if (cgi_variable("smbd_restart") || cgi_variable("all_restart")) {
 		stop_smbd();
 		start_smbd();
@@ -326,9 +331,11 @@ void status_page(void)
 
 	initPid2Machine ();
 
+output_page:
 	printf("<H2>%s</H2>\n", _("Server Status"));
 
 	printf("<FORM method=post>\n");
+	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
 	if (!autorefresh) {
 		printf("<input type=submit value=\"%s\" name=\"autorefresh\">\n", _("Auto Refresh"));
author	Kai Blin <kai@samba.org>	2011-07-08 12:58:53 +0200
committer	Karolin Seeger <kseeger@samba.org>	2011-07-26 20:47:50 +0200
commit	4649eea66824a8096ea8d8faa63b804ba5336227 (patch)
tree	3bf6ae9b5673c1d2bda04f888ce71ad29ffcaad1
parent	387ab46cfc6d501fefe6b5fcdf266c0280cbcd95 (diff)
download	samba-4649eea66824a8096ea8d8faa63b804ba5336227.tar.gz