s3 swat: Add XSRF protection to wizard_params page

Signed-off-by: Kai Blin <kai@samba.org> (cherry picked from commit 4b64b7e57d729df996d0734444415f12c066b89f)
author: Kai Blin <kai@samba.org> 2011-07-08 15:03:15 +0200
committer: Karolin Seeger <kseeger@samba.org> 2011-07-26 20:47:57 +0200
commit: b8b08f7083a469a75ac21be52d637f453e652825 (patch)
tree: 4b4fe8cb4f4499da2b1c776d138080199ad78d04
parent: 4c5f175064bcbb8c404cba90f9f08f623275c6de (diff)
download: samba-b8b08f7083a469a75ac21be52d637f453e652825.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/source3/web/swat.c b/source3/web/swat.c
index c0917db171c..45a830f4059 100644
--- a/source3/web/swat.c
+++ b/source3/web/swat.c
@@ -698,18 +698,25 @@ output_page:
 static void wizard_params_page(void)
 {
 	unsigned int parm_filter = FLAG_WIZARD;
+	const char form_name[] = "wizard_params";
 
 	/* Here we first set and commit all the parameters that were selected
  	   in the previous screen. */
 
 	printf("<H2>%s</H2>\n", _("Wizard Parameter Edit Page"));
 
+	if (!verify_xsrf_token(form_name)) {
+		goto output_page;
+	}
+
 	if (cgi_variable("Commit")) {
 		commit_parameters(GLOBAL_SECTION_SNUM);
 		save_reload(0);
 	}
 
+output_page:
 	printf("<form name=\"swatform\" method=post action=wizard_params>\n");
+	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
 	if (have_write_access) {
 		printf("<input type=submit name=\"Commit\" value=\"Commit Changes\">\n");
author	Kai Blin <kai@samba.org>	2011-07-08 15:03:15 +0200
committer	Karolin Seeger <kseeger@samba.org>	2011-07-26 20:47:57 +0200
commit	b8b08f7083a469a75ac21be52d637f453e652825 (patch)
tree	4b4fe8cb4f4499da2b1c776d138080199ad78d04
parent	4c5f175064bcbb8c404cba90f9f08f623275c6de (diff)
download	samba-b8b08f7083a469a75ac21be52d637f453e652825.tar.gz