s3 swat: Add XSRF protection to viewconfig page

Signed-off-by: Kai Blin <kai@samba.org> (cherry picked from commit b25d00e3c1ff91e7ec5f56ec2ad0d6b3d635d1e3)
author: Kai Blin <kai@samba.org> 2011-07-08 15:02:53 +0200
committer: Karolin Seeger <kseeger@samba.org> 2011-07-26 20:47:54 +0200
commit: 4c5f175064bcbb8c404cba90f9f08f623275c6de (patch)
tree: c22a4da8e0e66fbd19e1d19f63cff9185e23bd7d
parent: 4649eea66824a8096ea8d8faa63b804ba5336227 (diff)
download: samba-4c5f175064bcbb8c404cba90f9f08f623275c6de.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/source3/web/swat.c b/source3/web/swat.c
index 95837b4ea5e..c0917db171c 100644
--- a/source3/web/swat.c
+++ b/source3/web/swat.c
@@ -665,13 +665,20 @@ static void welcome_page(void)
 static void viewconfig_page(void)
 {
 	int full_view=0;
+	const char form_name[] = "viewconfig";
+
+	if (!verify_xsrf_token(form_name)) {
+		goto output_page;
+	}
 
 	if (cgi_variable("full_view")) {
 		full_view = 1;
 	}
 
+output_page:
 	printf("<H2>%s</H2>\n", _("Current Config"));
 	printf("<form method=post>\n");
+	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
 	if (full_view) {
 		printf("<input type=submit name=\"normal_view\" value=\"%s\">\n", _("Normal View"));
author	Kai Blin <kai@samba.org>	2011-07-08 15:02:53 +0200
committer	Karolin Seeger <kseeger@samba.org>	2011-07-26 20:47:54 +0200
commit	4c5f175064bcbb8c404cba90f9f08f623275c6de (patch)
tree	c22a4da8e0e66fbd19e1d19f63cff9185e23bd7d
parent	4649eea66824a8096ea8d8faa63b804ba5336227 (diff)
download	samba-4c5f175064bcbb8c404cba90f9f08f623275c6de.tar.gz