From 15ed2a0eedb530fbfd244ed6c0121db18102860f Mon Sep 17 00:00:00 2001
From: Kai Blin <kai@samba.org>
Date: Fri, 8 Jul 2011 12:58:53 +0200
Subject: s3 swat: Add XSRF protection to status page

Signed-off-by: Kai Blin <kai@samba.org>
---
 source3/web/statuspage.c | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'source3/web')

diff --git a/source3/web/statuspage.c b/source3/web/statuspage.c
index 02f5ca78e9..5314f33432 100644
--- a/source3/web/statuspage.c
+++ b/source3/web/statuspage.c
@@ -249,9 +249,14 @@ void status_page(void)
 	int nr_running=0;
 	bool waitup = False;
 	TALLOC_CTX *ctx = talloc_stackframe();
+	const char form_name[] = "status";
 
 	smbd_pid = pid_to_procid(pidfile_pid("smbd"));
 
+	if (!verify_xsrf_token(form_name)) {
+		goto output_page;
+	}
+
 	if (cgi_variable("smbd_restart") || cgi_variable("all_restart")) {
 		stop_smbd();
 		start_smbd();
@@ -328,9 +333,11 @@ void status_page(void)
 
 	initPid2Machine ();
 
+output_page:
 	printf("<H2>%s</H2>\n", _("Server Status"));
 
 	printf("<FORM method=post>\n");
+	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
 	if (!autorefresh) {
 		printf("<input type=submit value=\"%s\" name=\"autorefresh\">\n", _("Auto Refresh"));
-- 
cgit