@@ -5680,7 +5680,8 @@ int Lua::handle_script_request(struct mg_connection *conn,
56805680 char *_cookies, user[64 ] = { ' \0 ' }, outbuf[FILENAME_MAX];
56815681 AddressTree ptree;
56825682 int rc;
5683-
5683+ bool csrf_found = false ;
5684+
56845685 if (!L) return (-1 );
56855686
56865687 luaL_openlibs (L); /* Load base libraries */
@@ -5693,11 +5694,11 @@ int Lua::handle_script_request(struct mg_connection *conn,
56935694 lua_newtable (L);
56945695 if (request_info->query_string != NULL ) {
56955696 char *query_string = strdup (request_info->query_string );
5696-
5697+
56975698 if (query_string) {
56985699 char *where;
56995700 char *tok;
5700-
5701+
57015702 // ntop->getTrace()->traceEvent(TRACE_WARNING, "[HTTP] %s", query_string);
57025703
57035704 tok = strtok_r (query_string, " &" , &where);
@@ -5759,6 +5760,8 @@ int Lua::handle_script_request(struct mg_connection *conn,
57595760 msg, PAGE_ERROR, query_string, msg));
57605761 } else
57615762 ntop->getRedis ()->delKey (decoded_buf);
5763+
5764+ csrf_found = true ;
57625765 }
57635766
57645767 lua_push_str_table_entry (L, tok, decoded_buf);
@@ -5777,6 +5780,13 @@ int Lua::handle_script_request(struct mg_connection *conn,
57775780 } else
57785781 ntop->getTrace ()->traceEvent (TRACE_WARNING, " Not enough memory" );
57795782 }
5783+
5784+ if (strstr (request_info->uri , " /admin/" ) && (!csrf_found)) {
5785+ const char *msg = " Missing CSRF parameter" ;
5786+
5787+ return (send_error (conn, 500 /* Internal server error */ , msg, PAGE_ERROR, request_info->uri , msg));
5788+ }
5789+
57805790 lua_setglobal (L, " _GET" ); /* Like in php */
57815791
57825792 /* _SERVER */
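Review bot: The guard at 5784 decides which requests must carry the CSRF token with `strstr(request_info->uri, "/admin/")`, so the protected surface is "any URI that contains that substring anywhere" rather than an explicit set of state-changing endpoints; an admin handler reachable through a path without that substring is not covered, and a non-admin path that happens to contain it is blocked, so a prefix comparison against the admin path prefix (or an explicit list of protected handlers) would make the enforced surface auditable. The response code is also worth a look: a missing token is a rejected request, not a server fault, so `403` fits better than `500 /* Internal server error */`, although the existing send_error call at 5760 uses the same code, so this is a consistency decision for the module. Two things the hunk cannot confirm: the check only runs for requests with no query string at all if the `}` at 5782 closes the outer `if (request_info->query_string != NULL)` block rather than the inner `if (query_string)`, and `csrf_found = true` at 5764 only marks a passing check if the send_error branch ending at 5760 actually returns; both are worth a comment at 5784 such as `// Runs for every request, with or without a query string; csrf_found is set only after the Redis token check passed`. handle_script_request starts before and continues after these hunks.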