From 186e690c08a8766aecf9a0ffc60b4475e366d723 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Thu, 5 Apr 2018 00:15:22 +0200 Subject: [PATCH] luci-base: dispatcher: reject non-POST requests with any cbi.submit value Due to the fact that luci.model.cbi reacts on any "cbi.submit" value while the dispatcher only required POST for cbi.submit == 1, the CSRF token protection could be bypassed. Signed-off-by: Jo-Philipp Wich --- modules/luci-base/luasrc/dispatcher.lua | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua index 24681368d..c93fd78a1 100644 --- a/modules/luci-base/luasrc/dispatcher.lua +++ b/modules/luci-base/luasrc/dispatcher.lua @@ -892,7 +892,7 @@ end function cbi(model, config) return { type = "cbi", - post = { ["cbi.submit"] = "1" }, + post = { ["cbi.submit"] = true }, config = config, model = model, target = _cbi @@ -938,7 +938,7 @@ end function form(model) return { type = "cbi", - post = { ["cbi.submit"] = "1" }, + post = { ["cbi.submit"] = true }, model = model, target = _form } -- 2.25.1