Commit f91fbe3

Check for presence of CSRF parameter in admin scripts
1 parent c400754 commit f91fbe3

1 file changed

+13
-3
lines changed


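--- a/src/Lua.cpp
+++ b/src/Lua.cpp
@@ -5680,7 +5680,8 @@ int Lua::handle_script_request(struct mg_connection *conn,
 char *_cookies, user[64] = { '\0' }, outbuf[FILENAME_MAX];
 AddressTree ptree;
 int rc;
-
+bool csrf_found = false;
+
 if(!L) return(-1);
 
 luaL_openlibs(L); /* Load base libraries */
@@ -5693,11 +5694,11 @@ int Lua::handle_script_request(struct mg_connection *conn,
 lua_newtable(L);
 if(request_info->query_string != NULL) {
 char *query_string = strdup(request_info->query_string);
-
+
 if(query_string) {
 char *where;
 char *tok;
-
+
 // ntop->getTrace()->traceEvent(TRACE_WARNING, "[HTTP] %s", query_string);
 
 tok = strtok_r(query_string, "&", &where);
@@ -5759,6 +5760,8 @@ int Lua::handle_script_request(struct mg_connection *conn,
 msg, PAGE_ERROR, query_string, msg));
 } else
 ntop->getRedis()->delKey(decoded_buf);
+
+csrf_found = true;
 }
 
 lua_push_str_table_entry(L, tok, decoded_buf);
@@ -5777,6 +5780,13 @@ int Lua::handle_script_request(struct mg_connection *conn,
 } else
 ntop->getTrace()->traceEvent(TRACE_WARNING, "Not enough memory");
 }
+
+if(strstr(request_info->uri, "/admin/") && (!csrf_found)) {
+const char *msg = "Missing CSRF parameter";
+
+return(send_error(conn, 500 /* Internal server error */, msg, PAGE_ERROR, request_info->uri, msg));
+}
+
 lua_setglobal(L, "_GET"); /* Like in php */
 
 /* _SERVER */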
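Review bot: The new guard in the last hunk decides whether a token is required with `strstr(request_info->uri, "/admin/")`, a case-sensitive substring match on the raw request URI rather than a prefix match on the path the script is actually resolved from, so whether an admin script can be reached through a differently spelled or un-normalised path (for example `/Admin/` on a case-insensitive filesystem) depends on normalisation done elsewhere and should be confirmed; anchoring the check to the resolved script directory would remove that dependency, and would also stop unrelated URIs that merely contain `/admin/` from being rejected. A missing CSRF token is a client authorization failure, so `return(send_error(conn, 403 /* Forbidden */, msg, PAGE_ERROR, request_info->uri, msg));` describes the outcome better than 500. `csrf_found` is only ever set inside the query-string loop, which means the token is accepted solely from `_GET`; a comment above the guard such as `/* CSRF token is only accepted from the query string; admin scripts without a verified one are rejected here */` would make that contract explicit, and whether a token in a POST body should also satisfy it is worth confirming. Whether the branch that calls `send_error` above the new `csrf_found = true;` returns, so that the flag cannot be set on a rejected token, cannot be seen here because that `if` begins outside the hunk. The enclosing function `handle_script_request` starts and ends outside the shown hunks.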
