From 7aac64531f1aa1401f9ba3a8cbd03696aae689aa Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Sat, 9 Nov 2024 18:09:52 +0100
Subject: [PATCH] WebAdmin: check CSRF header when deleting blocked hosts

Signed-off-by: Nicola Murino
---
 internal/httpd/server.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/httpd/server.go b/internal/httpd/server.go
index a4b276fe..840168ed 100644
--- a/internal/httpd/server.go
+++ b/internal/httpd/server.go
@@ -1809,8 +1809,8 @@ func (s *httpdServer) setupWebAdminRoutes() {
 	router.With(s.checkPerm(dataprovider.PermAdminManageSystem)).Post(webTemplateFolder, s.handleWebTemplateFolderPost)
 	router.With(s.checkPerm(dataprovider.PermAdminViewDefender)).Get(webDefenderPath, s.handleWebDefenderPage)
 	router.With(s.checkPerm(dataprovider.PermAdminViewDefender)).Get(webDefenderHostsPath, getDefenderHosts)
-	router.With(s.checkPerm(dataprovider.PermAdminManageDefender)).Delete(webDefenderHostsPath+"/{id}",
-		deleteDefenderHostByID)
+	router.With(s.checkPerm(dataprovider.PermAdminManageDefender), s.verifyCSRFHeader).
+		Delete(webDefenderHostsPath+"/{id}", deleteDefenderHostByID)
 	router.With(s.checkPerm(dataprovider.PermAdminManageEventRules), compressor.Handler, s.refreshCookie).
 		Get(webAdminEventActionsPath+jsonAPISuffix, getAllActions)
 	router.With(s.checkPerm(dataprovider.PermAdminManageEventRules), s.refreshCookie).
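Review bot: The CSRF check is bolted onto this single DELETE route, which is the same per-route pattern that let it be forgotten in the first place; every state-changing verb registered in setupWebAdminRoutes (POST/PUT/DELETE/PATCH) should be audited for the same omission, and the header-authenticated JSON/XHR routes would be safer grouped under one sub-router that applies `s.verifyCSRFHeader` once, so a newly added route fails closed rather than open. The neighbouring `Post(webTemplateFolder, s.handleWebTemplateFolderPost)` carries no CSRF middleware in this hunk; if, as I presume, the form-based handlers verify a token from the request body themselves, a comment such as `// form POSTs verify the CSRF token inside the handler; XHR routes use verifyCSRFHeader` beside the route list would record why the two styles coexist and what a new route must pick. A regression test asserting that `DELETE webDefenderHostsPath/{id}` without the CSRF header is rejected (and accepted with it) should accompany the fix so the guard cannot silently disappear again. setupWebAdminRoutes begins and ends outside the hunk.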