luci-base: fix CSRF prevention for arcombine targets
The dispatcher failed to propagate the child target post security
requirements to the arcombine() dispatch target so far - fix this
by recursively testing the post security requirements.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
jow- committed Oct 9, 2019
1 parent 6d70b30 commit f8c6eb6
Showing 1 changed file with 6 additions and 2 deletions.
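--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -149,7 +149,11 @@ function httpdispatch(request, prefix)
 --context._disable_memtrace()
 end
 
-local function require_post_security(target)
+local function require_post_security(target, args)
+if type(target) == "table" and target.type == "arcombine" and type(target.targets) == "table" then
+return require_post_security((type(args) == "table" and #args > 0) and target.targets[2] or target.targets[1], args)
+end
+
 if type(target) == "table" then
 if type(target.post) == "table" then
 local param_name, required_val, request_val
@@ -470,7 +474,7 @@ function dispatch(request)
 return
 end
 
-if c and require_post_security(c.target) then
+if c and require_post_security(c.target, args) then
 if not test_post_security(c) then
 return
 end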
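Review bot: The arcombine branch added at the top of `require_post_security` re-derives which child will run (`targets[2]` when `args` is a non-empty table, otherwise `targets[1]`) rather than sharing the selection with the arcombine dispatch code, so the POST/token requirement is only checked against the right child while the two expressions stay identical; the arcombine implementation is not visible in this hunk, so that match should be confirmed. A comment on the new branch would make the coupling explicit, e.g. `-- must mirror arcombine's child selection: targets[2] if path arguments are present, else targets[1]`. Because of the `and … or` idiom, a missing `targets[2]` silently falls back to `targets[1]`, and if neither entry is a table the recursion presumably reports no POST requirement, which is the fail-open direction for a CSRF check. The function body continues past the end of the first hunk, and `args` at the `dispatch` call site is defined outside the second hunk.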
