From ab98edd79dd98c989812ea9eab0418cfcb6bfc86 Mon Sep 17 00:00:00 2001 From: Kai Blin Date: Fri, 8 Jul 2011 15:03:15 +0200 Subject: s3 swat: Add XSRF protection to wizard_params page Signed-off-by: Kai Blin --- source3/web/swat.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'source3/web') diff --git a/source3/web/swat.c b/source3/web/swat.c index 9366145700..cdbbcb479b 100644 --- a/source3/web/swat.c +++ b/source3/web/swat.c @@ -711,18 +711,25 @@ output_page: static void wizard_params_page(void) { unsigned int parm_filter = FLAG_WIZARD; + const char form_name[] = "wizard_params"; /* Here we first set and commit all the parameters that were selected in the previous screen. */ printf("

%s

\n", _("Wizard Parameter Edit Page")); + if (!verify_xsrf_token(form_name)) { + goto output_page; + } + if (cgi_variable("Commit")) { commit_parameters(GLOBAL_SECTION_SNUM); save_reload(-1); } +output_page: printf("
\n"); + print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); if (have_write_access) { printf("\n"); -- cgit