luci-base: fix CSRF prevention for arcombine targets
author: Jo-Philipp Wich <jo@mein.io>
Wed, 9 Oct 2019 07:55:44 +0000 (09:55 +0200)
committer: Jo-Philipp Wich <jo@mein.io>
Wed, 9 Oct 2019 07:57:51 +0000 (09:57 +0200)
The dispatcher failed to propagate the child target post security
requirements to the arcombine() dispatch target so far - fix this
by recursively testing the post security requirements.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit f8c6eb67cd9da09ee20248fec6ab742069635e47)

modules/luci-base/luasrc/dispatcher.lua

index 80b715906d5e15688a13321de7bec91f7cec202e..9f9f3d69cc830b149c4a1ba7606892d4b3f0f603 100644 (file)
@@ -132,7 +132,11 @@ function httpdispatch(request, prefix)
        --context._disable_memtrace()
 end
 
-local function require_post_security(target)
+local function require_post_security(target, args)
+       if type(target) == "table" and target.type == "arcombine" and type(target.targets) == "table" then
+               return require_post_security((type(args) == "table" and #args > 0) and target.targets[2] or target.targets[1], args)
+       end
+
        if type(target) == "table" then
                if type(target.post) == "table" then
                        local param_name, required_val, request_val
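Review bot: In the new arcombine branch of require_post_security, the expression `(type(args) == "table" and #args > 0) and target.targets[2] or target.targets[1]` silently falls back to `target.targets[1]` whenever `target.targets[2]` is nil or `args` is not a table, so a request that carries arguments can end up being checked against the first child's post requirement. Since this function is the CSRF gate, I would write the selection as an explicit if/else on `#args` and decide deliberately what happens when the second child is missing. A short comment should also state that this choice has to match the child that arcombine actually dispatches to; if both places can share one helper, they cannot drift apart later.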
@@ -455,7 +459,7 @@ function dispatch(request)
                return
        end
 
-       if c and require_post_security(c.target) then
+       if c and require_post_security(c.target, args) then
                if not test_post_security(c) then
                        return
                end
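Review bot: At the call in dispatch(), `args` is handed to require_post_security but its assignment is not visible in this hunk; please confirm it already holds the remaining path arguments at this point, because a nil or empty value makes the new branch evaluate `target.targets[1]`. Any other caller of require_post_security needs the second argument as well, otherwise an arcombine target is always evaluated as if it were called without arguments.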