luci-base: dispatcher: reject non-POST requests with any cbi.submit value
author: Jo-Philipp Wich <jo@mein.io>
Wed, 4 Apr 2018 22:15:22 +0000 (00:15 +0200)
committer: Jo-Philipp Wich <jo@mein.io>
Wed, 4 Apr 2018 22:15:22 +0000 (00:15 +0200)
Due to the fact that luci.model.cbi reacts to any "cbi.submit" value while
the dispatcher only required POST for cbi.submit == 1, the CSRF token
protection could be bypassed.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
modules/luci-base/luasrc/dispatcher.lua

index 24681368d708a6d184149ba796fb84f58ae55c5c..c93fd78a1bf358765f4206f8491756eca646fec2 100644 (file)
@@ -892,7 +892,7 @@ end
 function cbi(model, config)
        return {
                type = "cbi",
-               post = { ["cbi.submit"] = "1" },
+               post = { ["cbi.submit"] = true },
                config = config,
                model = model,
                target = _cbi
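Review bot: the switch from `["cbi.submit"] = "1"` to `["cbi.submit"] = true` only closes the gap if the dispatcher's POST-enforcement code interprets a boolean spec as "enforce POST whenever the parameter is present with any value" rather than comparing the request value against the spec; that interpretation is not visible in this hunk, so the dispatcher-side check should be confirmed in the same change. A short comment next to the `post` table stating the semantics (`true` = any value, string = exact match) would stop the next reader from reverting to a string, and a regression test that submits a `cbi.submit` value other than `"1"` without the CSRF token and expects rejection would make the fix verifiable.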
@@ -938,7 +938,7 @@ end
 function form(model)
        return {
                type = "cbi",
-               post = { ["cbi.submit"] = "1" },
+               post = { ["cbi.submit"] = true },
                model = model,
                target = _form
        }
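Review bot: this is the same fix applied to `form()` as to `cbi()` above, which is the right thing to do since both route to the same model code, but the two `post` tables are now duplicated literals; consider a shared local (for example `local cbi_post = { ["cbi.submit"] = true }`) so the two entries cannot drift apart again. It is also worth checking whether any other node constructors in this file or in other controllers declare `post = { ["cbi.submit"] = "1" }`, since any remaining string spec would keep the same bypass.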