authorSteven Barth <steven@midlink.org>2008-07-16 14:26:40 +0000
committerSteven Barth <steven@midlink.org>2008-07-16 14:26:40 +0000
commit66a6492ae5aa9779af6d22eaddf0f5f253ed1189 (patch)
tree2b6b0ffb33b9b17a38ea51dc0c9dcf2790850310
parent65cde96c5b05e04c24b0f272b577df67193d7c0b (diff)
libs/web: Prevent luci.http to prematurely parse the POST data
modules/admin-mini: Added fw-upgrade page
-rw-r--r--applications/luci-statistics/luasrc/controller/luci_statistics/luci_statistics.lua2
-rw-r--r--libs/web/luasrc/http.lua4
-rw-r--r--modules/admin-full/luasrc/controller/admin/system.lua29
-rw-r--r--modules/admin-mini/luasrc/controller/mini/system.lua62
-rw-r--r--modules/admin-mini/luasrc/view/mini/passwd.htm49
-rw-r--r--modules/admin-mini/luasrc/view/mini/upgrade.htm47
6 files changed, 183 insertions, 10 deletions
diff --git a/applications/luci-statistics/luasrc/controller/luci_statistics/luci_statistics.lua b/applications/luci-statistics/luasrc/controller/luci_statistics/luci_statistics.lua
index 67ea8a6f0..f16a655dc 100644
--- a/applications/luci-statistics/luasrc/controller/luci_statistics/luci_statistics.lua
+++ b/applications/luci-statistics/luasrc/controller/luci_statistics/luci_statistics.lua
@@ -80,7 +80,7 @@ function index()
page.setuser = "nobody"
page.setgroup = "nogroup"
- local vars = luci.http.formvalue()
+ local vars = luci.http.formvalue(nil, true)
local span = vars.timespan or nil
for i, plugin in luci.util.vspairs( tree:plugins() ) do
diff --git a/libs/web/luasrc/http.lua b/libs/web/luasrc/http.lua
index dbfcad777..6838220ce 100644
--- a/libs/web/luasrc/http.lua
+++ b/libs/web/luasrc/http.lua
@@ -51,8 +51,8 @@ function Request.__init__(self, env, sourcein, sinkerr)
self.parsed_input = false
end
-function Request.formvalue(self, name)
- if not self.parsed_input then
+function Request.formvalue(self, name, noparse)
+ if not noparse and not self.parsed_input then
self:_parse_input()
end
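Review bot: The new `noparse` argument on `Request.formvalue` has no documentation, and the callers in this commit pass a bare `true`, which gives a reader no hint of what is being skipped. With `noparse` set and `self.parsed_input` still false, the rest of the function (outside this hunk) returns whatever parameters exist without reading the request body, so POST fields are presumably absent without any error. I would add a comment above the function such as `-- noparse: when true, do not trigger _parse_input(); only already-available parameters are returned, so POST fields may be missing` and note that it exists so a file handler can be installed before the body is consumed.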
diff --git a/modules/admin-full/luasrc/controller/admin/system.lua b/modules/admin-full/luasrc/controller/admin/system.lua
index 862a741cd..14fd813c3 100644
--- a/modules/admin-full/luasrc/controller/admin/system.lua
+++ b/modules/admin-full/luasrc/controller/admin/system.lua
@@ -197,13 +197,30 @@ end
function action_upgrade()
require("luci.model.uci")
+
local ret = nil
local plat = luci.fs.mtime("/lib/upgrade/platform.sh")
-
- local image = luci.http.upload("image")
+ local tmpfile = "/tmp/firmware.img"
+
+ local file
+ luci.http.setfilehandler(
+ function(meta, chunk, eof)
+ if not file then
+ file = io.open(tmpfile, "w")
+ end
+ if chunk then
+ file:write(chunk)
+ end
+ if eof then
+ file:close()
+ end
+ end
+ )
+
+ local fname = luci.http.formvalue("image")
local keepcfg = luci.http.formvalue("keepcfg")
-
- if plat and image then
+
+ if plat and fname then
local kpattern = nil
if keepcfg then
local files = luci.model.uci.get_all("luci", "flash_keep")
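Review bot: The upload handler in `action_upgrade` never checks the result of `io.open(tmpfile, "w")` and ignores `meta`, so a failed open raises on `file:write(chunk)` and every file part in the request, whatever its field name, is written to the firmware path. The later guard `if plat and fname then` only tests that an `image` form value exists, not that this request wrote and closed a complete file, so an image left in `/tmp/firmware.img` by an earlier attempt could be handed to `luci.sys.flash`. I would filter on the field name (assuming `meta.name` carries it, which this diff does not show), bail out when the open fails, and gate the flash on a flag set at `eof`. The same handler is copied verbatim into `modules/admin-mini/luasrc/controller/mini/system.lua` and needs the same change; the function body continues into the next hunk.

```lua
local file
local upload_ok = false
luci.http.setfilehandler(
	function(meta, chunk, eof)
		-- Only the "image" part may reach the firmware path.
		if not (meta and meta.name == "image") then
			return
		end
		if not file then
			file = io.open(tmpfile, "w")
			if not file then
				return
			end
		end
		if chunk then
			file:write(chunk)
		end
		if eof then
			file:close()
			file = nil
			upload_ok = true
		end
	end
)
-- … unchanged: fname / keepcfg lookup …
if plat and fname and upload_ok then
```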
@@ -214,8 +231,8 @@ function action_upgrade()
end
end
end
- ret = luci.sys.flash(image, kpattern)
+ ret = luci.sys.flash(tmpfile, kpattern)
end
-
+
luci.template.render("admin_system/upgrade", {sysupgrade=plat, ret=ret})
end \ No newline at end of file
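Review bot: Nothing visible removes `/tmp/firmware.img` after `luci.sys.flash(tmpfile, kpattern)` returns, so a failed flash leaves the full image behind at a fixed, predictable name. On targets where `/tmp` is RAM-backed (likely here, though not shown) that memory stays in use until reboot. Unless `luci.sys.flash` already cleans up (its body is not part of this diff), add `if ret ~= 0 then os.remove(tmpfile) end` right after the call. It would also be worth a comment stating which component is responsible for validating the image before it is written, since no check appears in `action_upgrade`.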
diff --git a/modules/admin-mini/luasrc/controller/mini/system.lua b/modules/admin-mini/luasrc/controller/mini/system.lua
index 7b13e20c6..3b3fea228 100644
--- a/modules/admin-mini/luasrc/controller/mini/system.lua
+++ b/modules/admin-mini/luasrc/controller/mini/system.lua
@@ -20,7 +20,9 @@ function index()
local i18n = luci.i18n.translate
entry({"mini", "system"}, call("action_reboot"), i18n("system"))
- entry({"mini", "system", "reboot"}, call("action_reboot"), i18n("reboot"), 10)
+ entry({"admin", "system", "passwd"}, call("action_passwd"), i18n("a_s_changepw"), 10)
+ entry({"mini", "system", "upgrade"}, call("action_upgrade"), i18n("a_s_flash"), 20)
+ entry({"mini", "system", "reboot"}, call("action_reboot"), i18n("reboot"), 30)
end
function action_reboot()
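Review bot: The password page is registered as `{"admin", "system", "passwd"}` while every other node added by this controller sits under `{"mini", "system", ...}`. The mini module therefore creates a node in the admin tree: if admin-full is installed, two controllers define the same path, and if it is not, it is unclear from this diff whether the `admin` subtree's authentication settings apply to the new node. I would register it as `entry({"mini", "system", "passwd"}, call("action_passwd"), i18n("a_s_changepw"), 10)` and change the form action in `mini/passwd.htm` to match. `index()` starts outside this hunk.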
@@ -29,4 +31,62 @@ function action_reboot()
if reboot then
luci.sys.reboot()
end
+end
+
+function action_upgrade()
+ require("luci.model.uci")
+
+ local ret = nil
+ local plat = luci.fs.mtime("/lib/upgrade/platform.sh")
+ local tmpfile = "/tmp/firmware.img"
+
+ local file
+ luci.http.setfilehandler(
+ function(meta, chunk, eof)
+ if not file then
+ file = io.open(tmpfile, "w")
+ end
+ if chunk then
+ file:write(chunk)
+ end
+ if eof then
+ file:close()
+ end
+ end
+ )
+
+ local fname = luci.http.formvalue("image")
+ local keepcfg = luci.http.formvalue("keepcfg")
+
+ if plat and fname then
+ local kpattern = nil
+ if keepcfg then
+ local files = luci.model.uci.get_all("luci", "flash_keep")
+ if files.luci and files.luci.flash_keep then
+ kpattern = ""
+ for k,v in pairs(files.luci.flash_keep) do
+ kpattern = kpattern .. " " .. v
+ end
+ end
+ end
+ ret = luci.sys.flash(tmpfile, kpattern)
+ end
+
+ luci.template.render("mini/upgrade", {sysupgrade=plat, ret=ret})
+end
+
+function action_passwd()
+ local p1 = luci.http.formvalue("pwd1")
+ local p2 = luci.http.formvalue("pwd2")
+ local stat = nil
+
+ if p1 or p2 then
+ if p1 == p2 then
+ stat = luci.sys.user.setpasswd("root", p1)
+ else
+ stat = 10
+ end
+ end
+
+ luci.template.render("mini/passwd", {stat=stat})
end \ No newline at end of file
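Review bot: `action_passwd` accepts an empty password: when both fields are submitted blank, `p1` and `p2` are presumably both `""`, so `p1 == p2` holds and `luci.sys.user.setpasswd("root", p1)` is called with an empty string. Changing the test to `if p1 == p2 and #p1 > 0 then` keeps the existing error path for that case; a separate `stat` code would give a clearer message than the "no match" text. The handler also does not check the request method or ask for the current password, so it relies entirely on the dispatcher's session check, which is not visible here. A short comment above the function stating that assumption would help the next reader.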
diff --git a/modules/admin-mini/luasrc/view/mini/passwd.htm b/modules/admin-mini/luasrc/view/mini/passwd.htm
new file mode 100644
index 000000000..176abaea2
--- /dev/null
+++ b/modules/admin-mini/luasrc/view/mini/passwd.htm
@@ -0,0 +1,49 @@
+<%#
+LuCI - Lua Configuration Interface
+Copyright 2008 Steven Barth <steven@midlink.org>
+Copyright 2008 Jo-Philipp Wich <xm@leipzig.freifunk.net>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+
+-%>
+<%+header%>
+<h1><%:system%></h1>
+<h2><%:a_s_changepw%></h2>
+<p><%:a_s_changepw1%></p>
+<div><br />
+<% if stat then %>
+ <% if stat == 0 then %>
+ <code><%:a_s_changepw_changed%>!</code>
+ <% elseif stat == 10 then %>
+ <code class="error"><%:a_s_changepw_nomatch%>!</code>
+ <% else %>
+ <code class="error"><%:unknownerror%>!</code>
+ <% end %>
+<% end %>
+<% if not stat or stat == 10 then %>
+ <form method="post" action="<%=controller%>/admin/system/passwd">
+ <div class="cbi-section-node">
+ <div class="cbi-value">
+ <div class="cbi-value-title"><%:password%></div>
+ <div class="cbi-value-field"><input type="password" name="pwd1" /></div>
+ </div>
+ <div class="cbi-value">
+ <div class="cbi-value-title"><%:confirmation%></div>
+ <div class="cbi-value-field"><input type="password" name="pwd2" /></div>
+ </div>
+ <br />
+ <div>
+ <input type="submit" value="<%:save%>" />
+ <input type="reset" value="<%:reset%>" />
+ </div>
+ </div>
+ </form>
+<% end %>
+</div>
+<%+footer%> \ No newline at end of file
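Review bot: This form changes the root password with only `pwd1` and `pwd2`; no current-password field and no per-session token are present. Any POST sent with a logged-in browser's session is therefore enough to change the password, unless the framework adds a check elsewhere, which this diff does not show. I would add a current-password input that the controller verifies, plus a hidden token field if the dispatcher offers one. The action is also hard-coded to `<%=controller%>/admin/system/passwd` even though the template lives in the mini module; it should follow whatever path the controller registers.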
diff --git a/modules/admin-mini/luasrc/view/mini/upgrade.htm b/modules/admin-mini/luasrc/view/mini/upgrade.htm
new file mode 100644
index 000000000..912080222
--- /dev/null
+++ b/modules/admin-mini/luasrc/view/mini/upgrade.htm
@@ -0,0 +1,47 @@
+<%#
+LuCI - Lua Configuration Interface
+Copyright 2008 Steven Barth <steven@midlink.org>
+Copyright 2008 Jo-Philipp Wich <xm@leipzig.freifunk.net>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+
+-%>
+<%+header%>
+<h1><%:system%></h1>
+<h2><%:a_s_flash%></h2>
+<p><%:a_s_flash_upgrade1%></p>
+<br />
+<% if sysupgrade and not ret then %>
+<form method="post" action="<%=REQUEST_URI%>" enctype="multipart/form-data">
+ <div class="cbi-section-node">
+ <div class="cbi-value clear">
+ <div class="cbi-value-title left"><%:a_s_flash_fwimage%></div>
+ <div class="cbi-value-field"><input type="file" size="30" name="image" /></div>
+ </div>
+ <br />
+ <div class="cbi-value clear">
+ <input type="checkbox" name="keepcfg" value="1" checked="checked" />
+ <span class="bold"><%:a_s_flash_keepcfg%></span>
+ </div>
+ <br />
+ <div>
+ <input type="submit" value="<%:a_s_flash_fwupgrade%>" />
+ </div>
+ </div>
+</form>
+<% elseif ret then %>
+ <% if ret == 0 then %>
+<div class="ok"><%:a_s_flash_flashed%></div>
+ <% else %>
+<div class="error"><%:a_s_flash_flasherr%>! (<%:code%> <%=ret%>)</div>
+ <% end %>
+<% else %>
+<div class="error"><%:a_s_flash_notimplemented%></div>
+<% end %>
+<%+footer%> \ No newline at end of file
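Review bot: The form action is filled from the request with `action="<%=REQUEST_URI%>"`, and as far as I can tell `<%= %>` writes the value without HTML escaping. The URI is client-supplied, so a quote character that reaches the server unencoded would break out of the attribute. `passwd.htm` in this same commit builds its action from `controller`, and doing the same here avoids echoing request data: `action="<%=controller%>/mini/system/upgrade"`. `<%=ret%>` is less of a concern if `luci.sys.flash` always returns a number, but a comment stating that would make the assumption explicit.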