diff options
author | Kai Blin <kai@samba.org> | 2011-07-08 15:03:15 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2011-07-26 20:47:57 +0200 |
commit | b8b08f7083a469a75ac21be52d637f453e652825 (patch) | |
tree | 4b4fe8cb4f4499da2b1c776d138080199ad78d04 /source3 | |
parent | 4c5f175064bcbb8c404cba90f9f08f623275c6de (diff) | |
download | samba-b8b08f7083a469a75ac21be52d637f453e652825.tar.gz |
s3 swat: Add XSRF protection to wizard_params page
Signed-off-by: Kai Blin <kai@samba.org>
(cherry picked from commit 4b64b7e57d729df996d0734444415f12c066b89f)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/web/swat.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/source3/web/swat.c b/source3/web/swat.c index c0917db171c..45a830f4059 100644 --- a/source3/web/swat.c +++ b/source3/web/swat.c @@ -698,18 +698,25 @@ output_page: static void wizard_params_page(void) { unsigned int parm_filter = FLAG_WIZARD; + const char form_name[] = "wizard_params"; /* Here we first set and commit all the parameters that were selected in the previous screen. */ printf("<H2>%s</H2>\n", _("Wizard Parameter Edit Page")); + if (!verify_xsrf_token(form_name)) { + goto output_page; + } + if (cgi_variable("Commit")) { commit_parameters(GLOBAL_SECTION_SNUM); save_reload(0); } +output_page: printf("<form name=\"swatform\" method=post action=wizard_params>\n"); + print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); if (have_write_access) { printf("<input type=submit name=\"Commit\" value=\"Commit Changes\">\n"); |