diff options
author | Steven Barth <steven@midlink.org> | 2008-12-15 10:40:45 +0000 |
---|---|---|
committer | Steven Barth <steven@midlink.org> | 2008-12-15 10:40:45 +0000 |
commit | 1ee5ba632ab52b5d3af5c88803fee89c8eaf6fe1 (patch) | |
tree | c71bbbb5247bb5f2a48f1f5e78d90dfe71d424b3 /libs/web/luasrc | |
parent | 73109f3e46bc112faa9ebac16417b423d8661645 (diff) |
Refined urltokens and XSRF protection
Diffstat (limited to 'libs/web/luasrc')
-rw-r--r-- | libs/web/luasrc/dispatcher.lua | 25 |
1 files changed, 13 insertions, 12 deletions
diff --git a/libs/web/luasrc/dispatcher.lua b/libs/web/luasrc/dispatcher.lua index 1fbdb7150..33b95840a 100644 --- a/libs/web/luasrc/dispatcher.lua +++ b/libs/web/luasrc/dispatcher.lua @@ -47,7 +47,12 @@ local fi -- @param ... Virtual path -- @return Relative URL function build_url(...) - return context.scriptname .. "/" .. table.concat(arg, "/") + local path = {...} + local sn = http.getenv("SCRIPT_NAME") or "" + for k, v in pairs(context.urltoken) do + sn = sn .. "/;" .. k .. "=" .. http.urlencode(v) + end + return sn .. ((#path > 0) and "/" .. table.concat(path, "/") or "") end --- Send a 404 error code and render the "error404" template if available. @@ -123,7 +128,6 @@ function dispatch(request) --context._disable_memtrace = require "luci.debug".trap_memtrace() local ctx = context ctx.path = request - ctx.scriptname = luci.http.getenv("SCRIPT_NAME") or "" ctx.urltoken = ctx.urltoken or {} require "luci.i18n".setlanguage(require "luci.config".main.lang) @@ -174,11 +178,6 @@ function dispatch(request) end end - for k, v in pairs(token) do - ctx.scriptname = ctx.scriptname .. "/;" .. k .. "=" .. - http.urlencode(v) - end - ctx.path = preq if track.i18n then @@ -202,9 +201,9 @@ function dispatch(request) local viewns = setmetatable({}, {__index=function(table, key) if key == "controller" then - return ctx.scriptname + return build_url() elseif key == "REQUEST_URI" then - return ctx.scriptname .. "/" .. table.concat(ctx.requested, "/") + return build_url(ctx.requested) else return rawget(table, key) or _G[key] end @@ -232,10 +231,11 @@ function dispatch(request) local def = (type(track.sysauth) == "string") and track.sysauth local accs = def and {track.sysauth} or track.sysauth local sess = ctx.authsession - local verifytoken = true + local verifytoken = false if not sess then sess = luci.http.getcookie("sysauth") sess = sess and sess:match("^[A-F0-9]+$") + verifytoken = true end local sdat = sauth.read(sess) @@ -250,12 +250,12 @@ function dispatch(request) if not util.contains(accs, user) then if authen then + ctx.urltoken.stok = nil local user, sess = authen(luci.sys.user.checkpasswd, accs, def) if not user or not util.contains(accs, user) then return else local sid = sess or luci.sys.uniqueid(16) - luci.http.header("Set-Cookie", "sysauth=" .. sid.."; path=/") if not sess then local token = luci.sys.uniqueid(16) sauth.write(sid, util.get_bytecode({ @@ -263,8 +263,9 @@ function dispatch(request) token=token, secret=luci.sys.uniqueid(16) })) - ctx.scriptname = ctx.scriptname .. "/;stok="..token + ctx.urltoken.stok = token end + luci.http.header("Set-Cookie", "sysauth=" .. sid.."; path="..build_url()) ctx.authsession = sid end else |