From 68f8924c7c9157e4a324c77695fbf0e07635fb32 Mon Sep 17 00:00:00 2001
From: Kai Blin <kai@samba.org>
Date: Fri, 8 Jul 2011 15:04:12 +0200
Subject: s3 swat: Add XSRF protection to globals page

Signed-off-by: Kai Blin <kai@samba.org>
---
 source3/web/swat.c | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'source3/web')

diff --git a/source3/web/swat.c b/source3/web/swat.c
index ac182dd707..7ce6893af1 100644
--- a/source3/web/swat.c
+++ b/source3/web/swat.c
@@ -934,9 +934,14 @@ static void globals_page(void)
 {
 	unsigned int parm_filter = FLAG_BASIC;
 	int mode = 0;
+	const char form_name[] = "globals";
 
 	printf("<H2>%s</H2>\n", _("Global Parameters"));
 
+	if (!verify_xsrf_token(form_name)) {
+		goto output_page;
+	}
+
 	if (cgi_variable("Commit")) {
 		commit_parameters(GLOBAL_SECTION_SNUM);
 		save_reload(-1);
@@ -949,7 +954,9 @@ static void globals_page(void)
 	if ( cgi_variable("AdvMode"))
 		mode = 1;
 
+output_page:
 	printf("<form name=\"swatform\" method=post action=globals>\n");
+	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
 	ViewModeBoxes( mode );
 	switch ( mode ) {
-- 
cgit