From 958d8b6bb4c2da66859325695b91d871e567a4fa Mon Sep 17 00:00:00 2001
From: ᴜɴᴋɴᴡᴏɴ
Date: Sat, 21 Mar 2020 11:47:42 +0800
Subject: admin: use POST to run operations (#5997)

* admin: use POST to run operations Fixed CSRF reported by Wenxu Wu of Tencent's Xuanwu Lab.
* Update CHANGELOG
---
 internal/cmd/web.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'internal/cmd')
diff --git a/internal/cmd/web.go b/internal/cmd/web.go
index fb7be88b..e8b8f57a 100644
--- a/internal/cmd/web.go
+++ b/internal/cmd/web.go
@@ -271,7 +271,7 @@ func runWeb(c *cli.Context) error {
 // ***** START: Admin *****
 m.Group("/admin", func() {
- m.Get("", admin.Dashboard)
+ m.Combo("").Get(admin.Dashboard).Post(admin.Operation) // "/admin"
 m.Get("/config", admin.Config)
 m.Post("/config/test_mail", admin.SendTestMail)
 m.Get("/monitor", admin.Monitor)
-- 
cgit v1.2.3
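Review bot: Moving the operation to `.Post(admin.Operation)` on the `m.Combo("")` line closes the CSRF hole only if that POST is also validated against a per-session CSRF token, because a browser still attaches the admin's session cookie to a cross-site POST. The middleware attached to the `/admin` group is not visible here: the `m.Group` call closes outside this hunk and the page is limited to `internal/cmd`. Please confirm that both token validation and the admin-only check cover `admin.Operation`, and that `admin.Dashboard` no longer performs any state-changing work on GET. I would record that dependency next to the route, for example `// POST runs admin operations; relies on the group's admin-only middleware and CSRF token validation`. A regression test asserting that a POST to `/admin` without a valid token is rejected would keep this fix from silently regressing.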