~ubuntu-branches/ubuntu/lucid/samba/lucid-security


Viewing changes to source3/web/statuspage.c

  • Committer: Bazaar Package Importer
  • Author(s): Marc Deslauriers
  • Date: 2011-07-28 09:39:38 UTC
  • mfrom: (102.1.4 lucid-proposed)
  • Revision ID: james.westby@ubuntu.com-20110728093938-1crrj6yjze4h7zkb
Tags: 2:3.4.7~dfsg-1ubuntu3.7
* SECURITY UPDATE: cross-site scripting in SWAT
  - debian/patches/CVE-2011-2694.patch: don't display username in
    source3/web/swat.c.
  - CVE-2011-2694
* SECURITY UPDATE: cross-site request forgery in SWAT
  - debian/patches/CVE-2011-2522.patch: implement nonce in
    source3/web/{cgi.c,statuspage.c,swat.c,swat_proto.h}.
  - CVE-2011-2522

247
247
        int nr_running=0;
248
248
        bool waitup = False;
249
249
        TALLOC_CTX *ctx = talloc_stackframe();
 
250
        const char form_name[] = "status";
250
251
 
251
252
        smbd_pid = pid_to_procid(pidfile_pid("smbd"));
252
253
 
 
254
        if (!verify_xsrf_token(form_name)) {
 
255
                goto output_page;
 
256
        }
 
257
 
253
258
        if (cgi_variable("smbd_restart") || cgi_variable("all_restart")) {
254
259
                stop_smbd();
255
260
                start_smbd();
326
331
 
327
332
        initPid2Machine ();
328
333
 
 
334
output_page:
329
335
        printf("<H2>%s</H2>\n", _("Server Status"));
330
336
 
331
337
        printf("<FORM method=post>\n");
 
338
        print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
332
339
 
333
340
        if (!autorefresh) {
334
341
                printf("<input type=submit value=\"%s\" name=\"autorefresh\">\n", _("Auto Refresh"));