From 15ed2a0eedb530fbfd244ed6c0121db18102860f Mon Sep 17 00:00:00 2001 From: Kai Blin Date: Fri, 8 Jul 2011 12:58:53 +0200 Subject: s3 swat: Add XSRF protection to status page Signed-off-by: Kai Blin --- source3/web/statuspage.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'source3/web') diff --git a/source3/web/statuspage.c b/source3/web/statuspage.c index 02f5ca78e9..5314f33432 100644 --- a/source3/web/statuspage.c +++ b/source3/web/statuspage.c @@ -249,9 +249,14 @@ void status_page(void) int nr_running=0; bool waitup = False; TALLOC_CTX *ctx = talloc_stackframe(); + const char form_name[] = "status"; smbd_pid = pid_to_procid(pidfile_pid("smbd")); + if (!verify_xsrf_token(form_name)) { + goto output_page; + } + if (cgi_variable("smbd_restart") || cgi_variable("all_restart")) { stop_smbd(); start_smbd(); @@ -328,9 +333,11 @@ void status_page(void) initPid2Machine (); +output_page: printf("

%s

\n", _("Server Status")); printf("
\n"); + print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); if (!autorefresh) { printf("\n", _("Auto Refresh")); -- cgit