[SCM] Samba Shared Repository - branch v3-4-test updated

Karolin Seeger kseeger at samba.org
Tue Jul 26 12:49:31 MDT 2011


The branch, v3-4-test has been updated
       via  6165a76 WHATSNEW: Start release notes for 3.4.15.
       via  93e3c3c VERSION: Bump version up to 3.4.15.
       via  5041779 s3-swat: Fix typo.
       via  57501db s3 swat: Create random nonce in CGI mode
       via  3136459 s3 swat: Add time component to XSRF token
       via  e4fe62f s3 swat: Add XSRF protection to printer page
       via  78bee10 s3 swat: Add XSRF protection to password page
       via  68c94f8 s3 swat: Add XSRF protection to shares page
       via  ac070b0 s3 swat: Add XSRF protection to globals page
       via  b7af3ce s3 swat: Add XSRF protection to wizard page
       via  b8b08f7 s3 swat: Add XSRF protection to wizard_params page
       via  4c5f175 s3 swat: Add XSRF protection to viewconfig page
       via  4649eea s3 swat: Add XSRF protection to status page
       via  387ab46 s3 swat: Add support for anti-XSRF token
       via  2c46845 s3 swat: Allow getting the user's HTTP auth password
       via  de91a83 s3 swat: Fix possible XSS attack (bug #8289)
      from  11b4dec s3:nmbd_packets: return the used number of sockets in create_listen_fdset() (bug #8276)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-4-test


- Log -----------------------------------------------------------------
commit 6165a7684320b83089b4cbdbd41b9f8dd43e2a45
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Jul 26 20:35:15 2011 +0200

    WHATSNEW: Start release notes for 3.4.15.
    
    Karolin
    (cherry picked from commit 999514b140c5f85497109da558d5e8630d59b57e)

commit 93e3c3ce0985f40ff68d6a44ddfa314515760b3f
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Jul 26 20:32:21 2011 +0200

    VERSION: Bump version up to 3.4.15.
    
    Karolin
    (cherry picked from commit eff1c775066938267c44ab0bd25de99363c1d569)

commit 5041779ab2a504ded448df5c80aafcd76625baa4
Author: Karolin Seeger <kseeger at samba.org>
Date:   Sun Jul 24 21:09:38 2011 +0200

    s3-swat: Fix typo.
    
    Thanks to Simo for reporting!
    
    Karolin
    (cherry picked from commit 40787695a1a3200421c9409eef9e520b849ee3a1)

commit 57501dbfe425d53c0b20ce5a1c140e2d408cbc4c
Author: Kai Blin <kai at samba.org>
Date:   Tue Jul 12 08:08:24 2011 +0200

    s3 swat: Create random nonce in CGI mode
    
    In CGI mode, we don't get access to the user's password, which would
    reduce the hash used so far to parameters an attacker can easily guess.
    To work around this, read the nonce from secrets.tdb or generate one if
    it's not there.
    Also populate the C_user field so we can use that for token creation.
    
    Signed-off-by: Kai Blin <kai at samba.org>
    
    The last 12 patches address bug #8290 (CSRF vulnerability in SWAT).
    This addresses CVE-2011-2522 (Cross-Site Request Forgery in SWAT).
    (cherry picked from commit a4922192d9b95e79bb31c54ca820a9b876a1bbe9)

commit 31364595d493d2795dd6b0b5c162c8d911d35e21
Author: Kai Blin <kai at samba.org>
Date:   Sat Jul 9 09:52:07 2011 +0200

    s3 swat: Add time component to XSRF token
    
    Signed-off-by: Kai Blin <kai at samba.org>
    (cherry picked from commit 0b811f5b825637b2ecb0450d24dc6b3425ad05a8)

commit e4fe62ff8d558f3f2bfe22fd880f76e69162e2f8
Author: Kai Blin <kai at samba.org>
Date:   Fri Jul 8 15:06:13 2011 +0200

    s3 swat: Add XSRF protection to printer page
    
    Signed-off-by: Kai Blin <kai at samba.org>
    (cherry picked from commit deb66470413780c93656294a1dca40f8cc1bada8)

commit 78bee109191146c10bb0fd751dfa845d4796668d
Author: Kai Blin <kai at samba.org>
Date:   Fri Jul 8 15:05:38 2011 +0200

    s3 swat: Add XSRF protection to password page
    
    Signed-off-by: Kai Blin <kai at samba.org>
    (cherry picked from commit e4e6195701d761326ad5f2dbb63aeb71b0dc7971)

commit 68c94f82a5f0be5e7efe0bc12a3d7fd8b8174cd8
Author: Kai Blin <kai at samba.org>
Date:   Fri Jul 8 15:04:48 2011 +0200

    s3 swat: Add XSRF protection to shares page
    
    Signed-off-by: Kai Blin <kai at samba.org>
    (cherry picked from commit 9839935c29ec0ab522994436e6e89939696409de)

commit ac070b0e400bfe74c77331308e10db6da4e53ab9
Author: Kai Blin <kai at samba.org>
Date:   Fri Jul 8 15:04:12 2011 +0200

    s3 swat: Add XSRF protection to globals page
    
    Signed-off-by: Kai Blin <kai at samba.org>
    (cherry picked from commit 6ea5fac27f2fef35ea12c24250948e00245aacee)

commit b7af3ce33f4d640d83e3afbe3da487b6782df976
Author: Kai Blin <kai at samba.org>
Date:   Fri Jul 8 15:03:44 2011 +0200

    s3 swat: Add XSRF protection to wizard page
    
    Signed-off-by: Kai Blin <kai at samba.org>
    (cherry picked from commit d499c09fc7bf6d86e9694bc8dc60b96c80d94c35)

commit b8b08f7083a469a75ac21be52d637f453e652825
Author: Kai Blin <kai at samba.org>
Date:   Fri Jul 8 15:03:15 2011 +0200

    s3 swat: Add XSRF protection to wizard_params page
    
    Signed-off-by: Kai Blin <kai at samba.org>
    (cherry picked from commit 4b64b7e57d729df996d0734444415f12c066b89f)

commit 4c5f175064bcbb8c404cba90f9f08f623275c6de
Author: Kai Blin <kai at samba.org>
Date:   Fri Jul 8 15:02:53 2011 +0200

    s3 swat: Add XSRF protection to viewconfig page
    
    Signed-off-by: Kai Blin <kai at samba.org>
    (cherry picked from commit b25d00e3c1ff91e7ec5f56ec2ad0d6b3d635d1e3)

commit 4649eea66824a8096ea8d8faa63b804ba5336227
Author: Kai Blin <kai at samba.org>
Date:   Fri Jul 8 12:58:53 2011 +0200

    s3 swat: Add XSRF protection to status page
    
    Signed-off-by: Kai Blin <kai at samba.org>
    (cherry picked from commit 8af2d4c60a9bad18ef1b37d4034f11c6008efcfa)

commit 387ab46cfc6d501fefe6b5fcdf266c0280cbcd95
Author: Kai Blin <kai at samba.org>
Date:   Fri Jul 8 12:57:43 2011 +0200

    s3 swat: Add support for anti-XSRF token
    
    Signed-off-by: Kai Blin <kai at samba.org>
    (cherry picked from commit 69ebd0eee88b1b4b8e29a7620e01c8d9c89b452a)

commit 2c46845dee2dfcb90cf04951d6348b93210acc4f
Author: Kai Blin <kai at samba.org>
Date:   Fri Jul 8 12:56:21 2011 +0200

    s3 swat: Allow getting the user's HTTP auth password
    
    Signed-off-by: Kai Blin <kai at samba.org>
    (cherry picked from commit dffaf0ed0bb7f38c23f15b0b128a5eb39a55a813)

commit de91a834def9726cdf24007f18e028b761b57e83
Author: Kai Blin <kai at samba.org>
Date:   Thu Jul 7 10:03:33 2011 +0200

    s3 swat: Fix possible XSS attack (bug #8289)
    
    Nobuhiro Tsuji of NTT DATA SECURITY CORPORATION reported a possible XSS attack
    against SWAT, the Samba Web Administration Tool. The attack uses reflection to
    insert arbitrary content into the "change password" page.
    
    This patch fixes the reflection issue by not printing user-specified content on
    the website anymore.
    
    Signed-off-by: Kai Blin <kai at samba.org>
    (cherry picked from commit 05fa09be5a801baa5d35014e2f54b46c1ff5466b)

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt             |   45 +++++++++++-
 source3/VERSION          |    2 +-
 source3/web/cgi.c        |   29 +++++++-
 source3/web/statuspage.c |    7 ++
 source3/web/swat.c       |  175 +++++++++++++++++++++++++++++++++++++--------
 source3/web/swat_proto.h |    6 ++
 6 files changed, 229 insertions(+), 35 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b14e254..abb8cd7 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,45 @@
                    ==============================
+                   Release Notes for Samba 3.4.15
+			   , 2011
+                   ==============================
+
+
+This is the latest stable release of Samba 3.4.
+
+Major enhancements in Samba 3.4.15 include:
+
+
+Changes since 3.4.14
+--------------------
+
+
+o   
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.4 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older versions follow:
+----------------------------------------
+
+                   ==============================
                    Release Notes for Samba 3.4.14
 			  , 2011
                    ==============================
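Review bot: the new 3.4.15 block is still the template: the date line reads ", 2011", the "Major enhancements in Samba 3.4.15 include:" section is empty and the "Changes since 3.4.14" list holds one bare "o   " bullet, while this same push lands the fixes for bug #8289 (XSS in SWAT) and bug #8290 / CVE-2011-2522 (CSRF in SWAT). Before the tag, fill in the date and list both items with their bug numbers and the CVE, since these are the entries users will search the release notes for.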
@@ -36,8 +77,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older versions follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    ==============================
                    Release Notes for Samba 3.4.13
diff --git a/source3/VERSION b/source3/VERSION
index e812712..59adb68 100644
--- a/source3/VERSION
+++ b/source3/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=4
-SAMBA_VERSION_RELEASE=14
+SAMBA_VERSION_RELEASE=15
 
 ########################################################
 # Bug fix releases use a letter for the patch revision #
diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index dd0aadb..db374e2 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -19,6 +19,8 @@
 
 #include "includes.h"
 #include "web/swat_proto.h"
+#include "secrets.h"
+#include "../lib/util/util.h"
 
 #define MAX_VARIABLES 10000
 
@@ -42,6 +44,7 @@ static char *query_string;
 static const char *baseurl;
 static char *pathinfo;
 static char *C_user;
+static char *C_pass;
 static bool inetd_server;
 static bool got_request;
 
@@ -320,7 +323,23 @@ static void cgi_web_auth(void)
 		exit(0);
 	}
 
-	setuid(0);
+	C_user = SMB_STRDUP(user);
+
+	if (!setuid(0)) {
+		C_pass = secrets_fetch_generic("root", "SWAT");
+		if (C_pass == NULL) {
+			char *tmp_pass = NULL;
+			tmp_pass = generate_random_str(talloc_tos(), 16);
+			if (tmp_pass == NULL) {
+				printf("%sFailed to create random nonce for "
+				       "SWAT session\n<br>%s\n", head, tail);
+				exit(0);
+			}
+			secrets_store_generic("root", "SWAT", tmp_pass);
+			C_pass = SMB_STRDUP(tmp_pass);
+			TALLOC_FREE(tmp_pass);
+		}
+	}
 	setuid(pwd->pw_uid);
 	if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
 		printf("%sFailed to become user %s - uid=%d/%d<br>%s\n", 
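Review bot: the nonce is only fetched or generated inside `if (!setuid(0))`, i.e. when the switch to root succeeds; if setuid(0) fails (SWAT run as a CGI by a non-root web server, or without the setuid bit) C_pass stays NULL, get_xsrf_token then hashes only formname, time and username, and any site that knows the admin's login name can mint valid tokens, which is exactly the CGI-mode weakness this patch sets out to close. Fail closed instead: treat a missing nonce as fatal the way the `tmp_pass == NULL` branch already does. In the same block the return value of secrets_store_generic is ignored, so with an unwritable or absent secrets.tdb the nonce is regenerated on every request and a token issued by one CGI invocation never verifies in the next; check it and print an error rather than carrying on.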
@@ -388,6 +407,7 @@ static bool cgi_handle_authorization(char *line)
 			
 			/* Save the users name */
 			C_user = SMB_STRDUP(user);
+			C_pass = SMB_STRDUP(user_pass);
 			TALLOC_FREE(pass);
 			return True;
 		}
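Review bot: `C_pass = SMB_STRDUP(user_pass)` retains the Basic-auth password in a process global purely as key material for the token, and its return value is not checked (nor is C_user's just above it); on allocation failure C_pass is NULL and the token silently degrades to an unkeyed digest, so check it and bail here. Longer term the inetd path would be better served by the same random secrets.tdb nonce the CGI path now uses, so the password does not need to be kept around at all.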
@@ -422,6 +442,13 @@ char *cgi_user_name(void)
         return(C_user);
 }
 
+/***************************************************************************
+return a ptr to the users password
+  ***************************************************************************/
+char *cgi_user_pass(void)
+{
+        return(C_pass);
+}
 
 /***************************************************************************
 handle a file download
diff --git a/source3/web/statuspage.c b/source3/web/statuspage.c
index 7dd1cf5..cb8dbdd 100644
--- a/source3/web/statuspage.c
+++ b/source3/web/statuspage.c
@@ -247,9 +247,14 @@ void status_page(void)
 	int nr_running=0;
 	bool waitup = False;
 	TALLOC_CTX *ctx = talloc_stackframe();
+	const char form_name[] = "status";
 
 	smbd_pid = pid_to_procid(pidfile_pid("smbd"));
 
+	if (!verify_xsrf_token(form_name)) {
+		goto output_page;
+	}
+
 	if (cgi_variable("smbd_restart") || cgi_variable("all_restart")) {
 		stop_smbd();
 		start_smbd();
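Review bot: when verify_xsrf_token fails the function jumps straight to output_page and redraws the form, so a rejected restart request (for example one submitted more than XSRF_TIMEOUT, 300 seconds, after the page was loaded) looks exactly like a plain page view; print a short "request ignored, please resubmit" line on that path so the admin learns the action did not run. The first GET of the page carries no token and takes the same branch, which is fine, but telling "no token" apart from "token present but wrong" would also make genuine forgery attempts visible instead of silently swallowing them.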
@@ -326,9 +331,11 @@ void status_page(void)
 
 	initPid2Machine ();
 
+output_page:
 	printf("<H2>%s</H2>\n", _("Server Status"));
 
 	printf("<FORM method=post>\n");
+	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
 	if (!autorefresh) {
 		printf("<input type=submit value=\"%s\" name=\"autorefresh\">\n", _("Auto Refresh"));
diff --git a/source3/web/swat.c b/source3/web/swat.c
index 6741082..b358956 100644
--- a/source3/web/swat.c
+++ b/source3/web/swat.c
@@ -29,6 +29,7 @@
 
 #include "includes.h"
 #include "web/swat_proto.h"
+#include "../lib/crypto/md5.h"
 
 static int demo_mode = False;
 static int passwd_only = False;
@@ -50,6 +51,9 @@ static int iNumNonAutoPrintServices = 0;
 #define DISABLE_USER_FLAG "disable_user_flag"
 #define ENABLE_USER_FLAG "enable_user_flag"
 #define RHOST "remote_host"
+#define XSRF_TOKEN "xsrf"
+#define XSRF_TIME "xsrf_time"
+#define XSRF_TIMEOUT 300
 
 #define _(x) lang_msg_rotate(talloc_tos(),x)
 
@@ -138,6 +142,76 @@ static char *make_parm_name(const char *label)
 	return parmname;
 }
 
+void get_xsrf_token(const char *username, const char *pass,
+		    const char *formname, time_t xsrf_time, char token_str[33])
+{
+	struct MD5Context md5_ctx;
+	uint8_t token[16];
+	int i;
+
+	token_str[0] = '\0';
+	ZERO_STRUCT(md5_ctx);
+	MD5Init(&md5_ctx);
+
+	MD5Update(&md5_ctx, (uint8_t *)formname, strlen(formname));
+	MD5Update(&md5_ctx, (uint8_t *)&xsrf_time, sizeof(time_t));
+	if (username != NULL) {
+		MD5Update(&md5_ctx, (uint8_t *)username, strlen(username));
+	}
+	if (pass != NULL) {
+		MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
+	}
+
+	MD5Final(token, &md5_ctx);
+
+	for(i = 0; i < sizeof(token); i++) {
+		char tmp[3];
+
+		snprintf(tmp, sizeof(tmp), "%02x", token[i]);
+		strncat(token_str, tmp, sizeof(tmp));
+	}
+}
+
+void print_xsrf_token(const char *username, const char *pass,
+		      const char *formname)
+{
+	char token[33];
+	time_t xsrf_time = time(NULL);
+
+	get_xsrf_token(username, pass, formname, xsrf_time, token);
+	printf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
+	       XSRF_TOKEN, token);
+	printf("<input type=\"hidden\" name=\"%s\" value=\"%lld\">\n",
+	       XSRF_TIME, (long long int)xsrf_time);
+}
+
+bool verify_xsrf_token(const char *formname)
+{
+	char expected[33];
+	const char *username = cgi_user_name();
+	const char *pass = cgi_user_pass();
+	const char *token = cgi_variable_nonull(XSRF_TOKEN);
+	const char *time_str = cgi_variable_nonull(XSRF_TIME);
+	time_t xsrf_time = 0;
+	time_t now = time(NULL);
+
+	if (sizeof(time_t) == sizeof(int)) {
+		xsrf_time = atoi(time_str);
+	} else if (sizeof(time_t) == sizeof(long)) {
+		xsrf_time = atol(time_str);
+	} else if (sizeof(time_t) == sizeof(long long)) {
+		xsrf_time = atoll(time_str);
+	}
+
+	if (abs(now - xsrf_time) > XSRF_TIMEOUT) {
+		return false;
+	}
+
+	get_xsrf_token(username, pass, formname, xsrf_time, expected);
+	return (strncmp(expected, token, sizeof(expected)) == 0);
+}
+
+
 /****************************************************************************
   include a lump of html in a page 
 ****************************************************************************/
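Review bot: get_xsrf_token is an unkeyed MD5 over formname, the raw time_t bytes, username and password concatenated with no separators or length prefixes, and print_xsrf_token writes that digest together with the exact time into every page; in inetd mode that makes any rendered page (browser cache, proxy log, a saved HTML file) an unsalted, offline-crackable digest of the admin's HTTP password, since everything else in the hash is known. Better to key the token from a random server secret for both modes (the CGI path already has one in secrets.tdb) and compute it as an HMAC over delimited fields, so a leaked token reveals nothing and ambiguous concatenations cannot collide. Two smaller points in verify_xsrf_token: `abs(now - xsrf_time)` converts the time_t difference to int before taking the absolute value, so a very large difference wraps and can pass the XSRF_TIMEOUT check; compare on time_t directly (`now - xsrf_time > XSRF_TIMEOUT || xsrf_time - now > XSRF_TIMEOUT`). And the final `strncmp(expected, token, sizeof(expected))` stops at the first mismatching hex digit, giving a timing side channel on the 32-character comparison; a constant-time compare is cheap here. The fall-through that leaves xsrf_time at 0 when sizeof(time_t) matches none of int/long/long long, and the empty string from cgi_variable_nonull, both fail closed via the timeout, which is fine.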
@@ -611,13 +685,20 @@ static void welcome_page(void)
 static void viewconfig_page(void)
 {
 	int full_view=0;
+	const char form_name[] = "viewconfig";
+
+	if (!verify_xsrf_token(form_name)) {
+		goto output_page;
+	}
 
 	if (cgi_variable("full_view")) {
 		full_view = 1;
 	}
 
+output_page:
 	printf("<H2>%s</H2>\n", _("Current Config"));
 	printf("<form method=post>\n");
+	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
 	if (full_view) {
 		printf("<input type=submit name=\"normal_view\" value=\"%s\">\n", _("Normal View"));
@@ -637,18 +718,25 @@ static void viewconfig_page(void)
 static void wizard_params_page(void)
 {
 	unsigned int parm_filter = FLAG_WIZARD;
+	const char form_name[] = "wizard_params";
 
 	/* Here we first set and commit all the parameters that were selected
  	   in the previous screen. */
 
 	printf("<H2>%s</H2>\n", _("Wizard Parameter Edit Page"));
 
+	if (!verify_xsrf_token(form_name)) {
+		goto output_page;
+	}
+
 	if (cgi_variable("Commit")) {
 		commit_parameters(GLOBAL_SECTION_SNUM);
 		save_reload(0);
 	}
 
+output_page:
 	printf("<form name=\"swatform\" method=post action=wizard_params>\n");
+	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
 	if (have_write_access) {
 		printf("<input type=submit name=\"Commit\" value=\"Commit Changes\">\n");
@@ -684,6 +772,11 @@ static void wizard_page(void)
 	int have_home = -1;
 	int HomeExpo = 0;
 	int SerType = 0;
+	const char form_name[] = "wizard";
+
+	if (!verify_xsrf_token(form_name)) {
+		goto output_page;
+	}
 
 	if (cgi_variable("Rewrite")) {
 		(void) rewritecfg_file();
@@ -774,10 +867,12 @@ static void wizard_page(void)
 		winstype = 3;
 
 	role = lp_server_role();
-	
+
+output_page:
 	/* Here we go ... */
 	printf("<H2>%s</H2>\n", _("Samba Configuration Wizard"));
 	printf("<form method=post action=wizard>\n");
+	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
 	if (have_write_access) {
 		printf("%s\n", _("The \"Rewrite smb.conf file\" button will clear the smb.conf file of all default values and of comments."));
@@ -846,9 +941,14 @@ static void globals_page(void)
 {
 	unsigned int parm_filter = FLAG_BASIC;
 	int mode = 0;
+	const char form_name[] = "globals";
 
 	printf("<H2>%s</H2>\n", _("Global Parameters"));
 
+	if (!verify_xsrf_token(form_name)) {
+		goto output_page;
+	}
+
 	if (cgi_variable("Commit")) {
 		commit_parameters(GLOBAL_SECTION_SNUM);
 		save_reload(0);
@@ -861,7 +961,9 @@ static void globals_page(void)
 	if ( cgi_variable("AdvMode"))
 		mode = 1;
 
+output_page:
 	printf("<form name=\"swatform\" method=post action=globals>\n");
+	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
 	ViewModeBoxes( mode );
 	switch ( mode ) {
@@ -901,11 +1003,17 @@ static void shares_page(void)
 	int mode = 0;
 	unsigned int parm_filter = FLAG_BASIC;
 	size_t converted_size;
+	const char form_name[] = "shares";
+
+	printf("<H2>%s</H2>\n", _("Share Parameters"));
+
+	if (!verify_xsrf_token(form_name)) {
+		goto output_page;
+	}
 
 	if (share)
 		snum = lp_servicenumber(share);
 
-	printf("<H2>%s</H2>\n", _("Share Parameters"));
 
 	if (cgi_variable("Commit") && snum >= 0) {
 		commit_parameters(snum);
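Review bot: the `goto output_page` sits before `if (share) snum = lp_servicenumber(share);`, so a request that names a share but fails the token check loses not only its Commit/Delete actions but also the selection: snum keeps its initial value and the page comes back with no share chosen. Reading a share's parameters is not a state change, so resolving snum ahead of the verify call (the page already prints its header before it) would keep a bookmarked share link working while still blocking writes. Also, removing the H2 printf leaves two consecutive blank lines after the `if (share)` block.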
@@ -931,10 +1039,6 @@ static void shares_page(void)
 		}
 	}
 
-	printf("<FORM name=\"swatform\" method=post>\n");
-
-	printf("<table>\n");
-
 	if ( cgi_variable("ViewMode") )
 		mode = atoi(cgi_variable_nonull("ViewMode"));
 	if ( cgi_variable("BasicMode"))
@@ -942,6 +1046,12 @@ static void shares_page(void)
 	if ( cgi_variable("AdvMode"))
 		mode = 1;
 
+output_page:
+	printf("<FORM name=\"swatform\" method=post>\n");
+	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+
+	printf("<table>\n");
+
 	ViewModeBoxes( mode );
 	switch ( mode ) {
 		case 0:
@@ -1121,11 +1231,9 @@ static void chg_passwd(void)
 	if(cgi_variable(CHG_S_PASSWD_FLAG)) {
 		printf("<p>");
 		if (rslt == True) {
-			printf(_(" The passwd for '%s' has been changed."), cgi_variable_nonull(SWAT_USER));
-			printf("\n");
+			printf("%s\n", _(" The passwd has been changed."));
 		} else {
-			printf(_(" The passwd for '%s' has NOT been changed."), cgi_variable_nonull(SWAT_USER));
-			printf("\n");
+			printf("%s\n", _(" The passwd has NOT been changed."));
 		}
 	}
 	
@@ -1138,20 +1246,15 @@ static void chg_passwd(void)
 static void passwd_page(void)
 {
 	const char *new_name = cgi_user_name();
-
-	/* 
-	 * After the first time through here be nice. If the user
-	 * changed the User box text to another users name, remember it.
-	 */
-	if (cgi_variable(SWAT_USER)) {
-		new_name = cgi_variable_nonull(SWAT_USER);
-	} 
+	const char passwd_form[] = "passwd";
+	const char rpasswd_form[] = "rpasswd";
 
 	if (!new_name) new_name = "";
 
 	printf("<H2>%s</H2>\n", _("Server Password Management"));
 
 	printf("<FORM name=\"swatform\" method=post>\n");
+	print_xsrf_token(cgi_user_name(), cgi_user_pass(), passwd_form);
 
 	printf("<table>\n");
 
@@ -1191,14 +1294,16 @@ static void passwd_page(void)
 	 * Do some work if change, add, disable or enable was
 	 * requested. It could be this is the first time through this
 	 * code, so there isn't anything to do.  */
-	if ((cgi_variable(CHG_S_PASSWD_FLAG)) || (cgi_variable(ADD_USER_FLAG)) || (cgi_variable(DELETE_USER_FLAG)) ||
-	    (cgi_variable(DISABLE_USER_FLAG)) || (cgi_variable(ENABLE_USER_FLAG))) {
+	if (verify_xsrf_token(passwd_form) &&
+	   ((cgi_variable(CHG_S_PASSWD_FLAG)) || (cgi_variable(ADD_USER_FLAG)) || (cgi_variable(DELETE_USER_FLAG)) ||
+	    (cgi_variable(DISABLE_USER_FLAG)) || (cgi_variable(ENABLE_USER_FLAG)))) {
 		chg_passwd();		
 	}
 
 	printf("<H2>%s</H2>\n", _("Client/Server Password Management"));
 
 	printf("<FORM name=\"swatform\" method=post>\n");
+	print_xsrf_token(cgi_user_name(), cgi_user_pass(), rpasswd_form);
 
 	printf("<table>\n");
 
@@ -1231,7 +1336,7 @@ static void passwd_page(void)
 	 * password somewhere other than the server. It could be this
 	 * is the first time through this code, so there isn't
 	 * anything to do.  */
-	if (cgi_variable(CHG_R_PASSWD_FLAG)) {
+	if (verify_xsrf_token(passwd_form) && cgi_variable(CHG_R_PASSWD_FLAG)) {
 		chg_passwd();		
 	}
 
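Review bot: the Client/Server Password Management form is emitted with a token bound to rpasswd_form (`print_xsrf_token(cgi_user_name(), cgi_user_pass(), rpasswd_form)` above), but its submission is checked with `verify_xsrf_token(passwd_form)`; because the form name is part of the MD5 input, the expected digest can never match the one that form carries, so `cgi_variable(CHG_R_PASSWD_FLAG)` is never acted on and remote password changes silently stop working. Change the check to `verify_xsrf_token(rpasswd_form)`, or drop the second form name if both forms are meant to share one token.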
@@ -1248,18 +1353,15 @@ static void printers_page(void)
 	int i;
 	int mode = 0;
 	unsigned int parm_filter = FLAG_BASIC;
+	const char form_name[] = "printers";
+
+	if (!verify_xsrf_token(form_name)) {
+		goto output_page;
+	}
 
 	if (share)
 		snum = lp_servicenumber(share);
 
-        printf("<H2>%s</H2>\n", _("Printer Parameters"));
- 
-        printf("<H3>%s</H3>\n", _("Important Note:"));
-        printf("%s",_("Printer names marked with [*] in the Choose Printer drop-down box "));
-        printf("%s",_("are autoloaded printers from "));
-        printf("<A HREF=\"/swat/help/smb.conf.5.html#printcapname\" target=\"docs\">%s</A>\n", _("Printcap Name"));
-        printf("%s\n", _("Attempting to delete these printers from SWAT will have no effect."));
-
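Review bot: as in shares_page, the verify/goto pair precedes `snum = lp_servicenumber(share)`, so a token failure discards the selected printer as well as the write actions; and the removed H2/H3 header block has to reappear after the output_page label, which lies beyond the 500-line truncation of this mail and so cannot be checked here.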


-- 
Samba Shared Repository