From 3f38cf42facc38c19e0448cbae3078b9606b08e4 Mon Sep 17 00:00:00 2001
From: Kai Blin <kai@samba.org>
Date: Fri, 8 Jul 2011 12:58:53 +0200
Subject: s3 swat: Add XSRF protection to status page

Signed-off-by: Kai Blin <kai@samba.org>
---
 source/web/statuspage.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/source/web/statuspage.c b/source/web/statuspage.c
index 8070ae7e79d..fe545e4a281 100644
--- a/source/web/statuspage.c
+++ b/source/web/statuspage.c
@@ -247,9 +247,14 @@ void status_page(void)
 	int nr_running=0;
 	bool waitup = False;
 	TALLOC_CTX *ctx = talloc_stackframe();
+	const char form_name[] = "status";
 
 	smbd_pid = pid_to_procid(pidfile_pid("smbd"));
 
+	if (!verify_xsrf_token(form_name)) {
+		goto output_page;
+	}
+
 	if (cgi_variable("smbd_restart") || cgi_variable("all_restart")) {
 		stop_smbd();
 		start_smbd();
@@ -326,9 +331,11 @@ void status_page(void)
 
 	initPid2Machine ();
 
+output_page:
 	printf("<H2>%s</H2>\n", _("Server Status"));
 
 	printf("<FORM method=post>\n");
+	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
 	if (!autorefresh) {
 		printf("<input type=submit value=\"%s\" name=\"autorefresh\">\n", _("Auto Refresh"));
-- 
cgit