s3 swat: Add XSRF protection to viewconfig page

Signed-off-by: Kai Blin <kai@samba.org>

diff --git a/source3/web/swat.c b/source3/web/swat.c
index 9dfbfe1be0887d7d01c4a91cc3db188d29b1c5da..430c76ed6ad0b1ac51f393d2f1aa40e16b13cfc2 100644 (file)
--- a/source3/web/swat.c
+++ b/source3/web/swat.c
@@ -665,13 +665,20 @@ static void welcome_page(void)
 static void viewconfig_page(void)
 {
        int full_view=0;
+       const char form_name[] = "viewconfig";
+
+       if (!verify_xsrf_token(form_name)) {
+               goto output_page;
+       }
 
        if (cgi_variable("full_view")) {
                full_view = 1;
        }
 
+output_page:
        printf("<H2>%s</H2>\n", _("Current Config"));
        printf("<form method=post>\n");
+       print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
        if (full_view) {
                printf("<input type=submit name=\"normal_view\" value=\"%s\">\n", _("Normal View"));