s3 swat: Add XSRF protection to wizard_params page
authorKai Blin <kai@samba.org>
Fri, 8 Jul 2011 13:03:15 +0000 (15:03 +0200)
committerKarolin Seeger <kseeger@samba.org>
Sun, 24 Jul 2011 18:45:41 +0000 (20:45 +0200)
Signed-off-by: Kai Blin <kai@samba.org>
source/web/swat.c

index 647126fc280fce739aa31b69df6fa8509ebd756f..b7eec4a88aa262858a4e5585b34237b4cef5970d 100644 (file)
@@ -697,18 +697,25 @@ output_page:
 static void wizard_params_page(void)
 {
        unsigned int parm_filter = FLAG_WIZARD;
+       const char form_name[] = "wizard_params";
 
        /* Here we first set and commit all the parameters that were selected
           in the previous screen. */
 
        printf("<H2>%s</H2>\n", _("Wizard Parameter Edit Page"));
 
+       if (!verify_xsrf_token(form_name)) {
+               goto output_page;
+       }
+
        if (cgi_variable("Commit")) {
                commit_parameters(GLOBAL_SECTION_SNUM);
                save_reload(0);
        }
 
+output_page:
        printf("<form name=\"swatform\" method=post action=wizard_params>\n");
+       print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
        if (have_write_access) {
                printf("<input type=submit name=\"Commit\" value=\"Commit Changes\">\n");
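Review bot: A failed token check silently drops the Commit request — `goto output_page` re-renders the form with no message, so the user cannot tell that their changes were discarded rather than saved. Unless verify_xsrf_token() itself reports the failure (not visible here), consider a user-visible notice before the jump, e.g. `printf("<p>%s</p>\n", _("Request rejected: the form token was missing or invalid."));`. The jump also relies on everything after the `output_page:` label being side-effect free, since that code runs for both verified and rejected requests; wizard_params_page's body continues past the end of the hunk, so that should be confirmed there.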