From 3643958c95913d83a3417924f67517e6b2b41ff7 Mon Sep 17 00:00:00 2001
From: jim-p
Date: Mon, 21 Dec 2015 10:47:54 -0500
Subject: Only disable CSRF on diag_backup.php for the download action where it might be scripted. Other actions need its protection.
---
 usr/local/www/diag_backup.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'usr')
diff --git a/usr/local/www/diag_backup.php b/usr/local/www/diag_backup.php
index ddab190..cf4c664 100644
--- a/usr/local/www/diag_backup.php
+++ b/usr/local/www/diag_backup.php
@@ -50,7 +50,9 @@ ini_set('max_input_time', '0');
 /* omit no-cache headers because it confuses IE with file downloads */
 $omit_nocacheheaders = true;
-$nocsrf = true;
+if (stristr($_POST['Submit'], gettext("Download"))) {
+ $nocsrf = true;
+}
 require("guiconfig.inc");
 require_once("functions.inc");
 require_once("filter.inc");
--
cgit v1.1
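Review bot: The new guard `stristr($_POST['Submit'], gettext("Download"))` is a case-insensitive substring test on a request-controlled field, so any POST whose Submit value merely contains that word still gets `$nocsrf = true`. The code that dispatches on the action is outside this hunk; if it picks the action with a different or equally loose comparison, a request could pass as a download here and be handled as something else there without a token check. Compare against the exact label instead, e.g. `if (isset($_POST['Submit']) && $_POST['Submit'] === gettext("<exact download button label>")) {`, and ideally reuse that one decision for the dispatch as well. The `isset()` also avoids an undefined-index notice on plain GET requests, and since `gettext()` runs here before `require("guiconfig.inc")`, it is worth confirming the locale is already set at this point.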