From 4649eea66824a8096ea8d8faa63b804ba5336227 Mon Sep 17 00:00:00 2001
From: Kai Blin <kai@samba.org>
Date: Fri, 8 Jul 2011 12:58:53 +0200
Subject: s3 swat: Add XSRF protection to status page

Signed-off-by: Kai Blin <kai@samba.org>
(cherry picked from commit 8af2d4c60a9bad18ef1b37d4034f11c6008efcfa)
---
 source3/web/statuspage.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/source3/web/statuspage.c b/source3/web/statuspage.c
index 7dd1cf55cc0..cb8dbdda4a2 100644
--- a/source3/web/statuspage.c
+++ b/source3/web/statuspage.c
@@ -247,9 +247,14 @@ void status_page(void)
 	int nr_running=0;
 	bool waitup = False;
 	TALLOC_CTX *ctx = talloc_stackframe();
+	const char form_name[] = "status";
 
 	smbd_pid = pid_to_procid(pidfile_pid("smbd"));
 
+	if (!verify_xsrf_token(form_name)) {
+		goto output_page;
+	}
+
 	if (cgi_variable("smbd_restart") || cgi_variable("all_restart")) {
 		stop_smbd();
 		start_smbd();
@@ -326,9 +331,11 @@ void status_page(void)
 
 	initPid2Machine ();
 
+output_page:
 	printf("<H2>%s</H2>\n", _("Server Status"));
 
 	printf("<FORM method=post>\n");
+	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
 	if (!autorefresh) {
 		printf("<input type=submit value=\"%s\" name=\"autorefresh\">\n", _("Auto Refresh"));
-- 
cgit v1.2.1