From feaf3ac45931b85127a8f1a4e8ed8416651016e3 Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Sat, 9 Nov 2024 18:09:52 +0100
Subject: [PATCH] WebAdmin: check CSRF header when deleting blocked hosts

Signed-off-by: Nicola Murino
---
 internal/httpd/server.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/httpd/server.go b/internal/httpd/server.go
index 4c798c94..964462aa 100644
--- a/internal/httpd/server.go
+++ b/internal/httpd/server.go
@@ -1786,8 +1786,8 @@ func (s *httpdServer) setupWebAdminRoutes() {
 router.With(s.checkPerm(dataprovider.PermAdminManageSystem)).Post(webTemplateFolder, s.handleWebTemplateFolderPost)
 router.With(s.checkPerm(dataprovider.PermAdminViewDefender)).Get(webDefenderPath, s.handleWebDefenderPage)
 router.With(s.checkPerm(dataprovider.PermAdminViewDefender)).Get(webDefenderHostsPath, getDefenderHosts)
- router.With(s.checkPerm(dataprovider.PermAdminManageDefender)).Delete(webDefenderHostsPath+"/{id}",
- deleteDefenderHostByID)
+ router.With(s.checkPerm(dataprovider.PermAdminManageDefender), verifyCSRFHeader).
+ Delete(webDefenderHostsPath+"/{id}", deleteDefenderHostByID)
 router.With(s.checkPerm(dataprovider.PermAdminManageEventRules), compressor.Handler, s.refreshCookie).
 Get(webAdminEventActionsPath+jsonAPISuffix, getAllActions)
 router.With(s.checkPerm(dataprovider.PermAdminManageEventRules), s.refreshCookie).
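Review bot: The diffstat lists only internal/httpd/server.go, so the `verifyCSRFHeader` middleware now attached to the Delete route for `webDefenderHostsPath+"/{id}"` has no accompanying test; a handler test that issues the delete without the CSRF header and expects rejection, and one with a valid header that reaches `deleteDefenderHostByID`, would pin the fix and catch a future regression. The same omission is worth checking on the other state-changing routes registered in setupWebAdminRoutes: the `Post(webTemplateFolder, s.handleWebTemplateFolderPost)` line in this hunk carries only `s.checkPerm` in its middleware chain, which is fine if the handler validates a form token itself, but that should be confirmed rather than assumed. Since `verifyCSRFHeader` is listed after `s.checkPerm(...)`, the permission check runs first and the CSRF check only for authorized callers; a one-line comment such as `// CSRF header required: this route is called from JS, not a form post` on the Delete route would make that intent explicit. setupWebAdminRoutes begins before and continues past this hunk.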