authorJo-Philipp Wich <jo@mein.io>2018-05-05 19:51:20 +0200
committerJo-Philipp Wich <jo@mein.io>2018-05-05 19:56:26 +0200
commit6a1cdca34518fac1ca4ee2f77dad6ff60062bda5 (patch)
treea51b1f88575eed7c836e2cdd67c5404f84f9e966
parent9664fb3d81ac67f4045c9dfd1489e86a4305c6fc (diff)
luci-mod-rpc: fix authentication via query string parameter
Localize the `authenticator()` and `session_retrieve()` functions into the `index()` function scope so that they're retained when extracting the function into the dispatcher bytecode cache. Also allow access to the global scope since upvalues do not work reliably due to the out-of-context byte code caching of index functions. Fixes https://github.com/openwrt/luci/issues/1300#issuecomment-381352765 Fixes feefc600e ("luci-mod-rpc: rework authentication and session handling") Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r--modules/luci-mod-rpc/luasrc/controller/rpc.lua68
1 files changed, 30 insertions, 38 deletions
diff --git a/modules/luci-mod-rpc/luasrc/controller/rpc.lua b/modules/luci-mod-rpc/luasrc/controller/rpc.lua
index 3326d57a95..571ab7db57 100644
--- a/modules/luci-mod-rpc/luasrc/controller/rpc.lua
+++ b/modules/luci-mod-rpc/luasrc/controller/rpc.lua
@@ -2,50 +2,42 @@
-- Copyright 2008 Jo-Philipp Wich <jow@openwrt.org>
-- Licensed to the public under the Apache License 2.0.
-local require = require
-local pairs = pairs
-local print = print
-local pcall = pcall
-local table = table
-local type = type
-local tonumber = tonumber
-
-module "luci.controller.rpc"
-
-
-local function session_retrieve(sid, allowed_users)
- local util = require "luci.util"
- local sdat = util.ubus("session", "get", {
- ubus_rpc_session = sid
- })
-
- if type(sdat) == "table" and
- type(sdat.values) == "table" and
- type(sdat.values.token) == "string" and
- type(sdat.values.secret) == "string" and
- type(sdat.values.username) == "string" and
- util.contains(allowed_users, sdat.values.username)
- then
- return sid, sdat.values
- end
+module("luci.controller.rpc", package.seeall)
- return nil
-end
-local function authenticator(validator, accs)
- local auth = luci.http.formvalue("auth", true)
- or luci.http.getcookie("sysauth")
+function index()
+ local function session_retrieve(sid, allowed_users)
+ local util = require "luci.util"
+ local sdat = util.ubus("session", "get", {
+ ubus_rpc_session = sid
+ })
+
+ if type(sdat) == "table" and
+ type(sdat.values) == "table" and
+ type(sdat.values.token) == "string" and
+ type(sdat.values.secret) == "string" and
+ type(sdat.values.username) == "string" and
+ util.contains(allowed_users, sdat.values.username)
+ then
+ return sid, sdat.values
+ end
+
+ return nil
+ end
+
+ local function authenticator(validator, accs)
+ local http = require "luci.http"
+ local auth = http.formvalue("auth", true) or http.getcookie("sysauth")
- if auth then -- if authentication token was given
- local sid, sdat = session_retrieve(auth, accs)
- if sdat then -- if given token is valid
- return sdat.username, sid
+ if auth then -- if authentication token was given
+ local sid, sdat = session_retrieve(auth, accs)
+ if sdat then -- if given token is valid
+ return sdat.username, sid
+ end
+ http.status(403, "Forbidden")
end
- luci.http.status(403, "Forbidden")
end
-end
-function index()
local rpc = node("rpc")
rpc.sysauth = "root"
rpc.sysauth_authenticator = authenticator