author | Jo-Philipp Wich <jow@openwrt.org> | 2015-10-20 22:17:23 +0200 |
---|---|---|
committer | Jo-Philipp Wich <jow@openwrt.org> | 2015-10-20 22:17:23 +0200 |
commit | 8bb749ecc3b5f7f836f744f0056e90ac78522926 (patch) | |
tree | 9a461a1a779f8b2b484cee6784cd4dd2697a8193 /modules/luci-mod-admin-full/luasrc/view | |
parent | 6b3f804956e50b3e3afc96bd866b089d4523c6e2 (diff) |
luci-mod-admin-full: protect network post actions with csrf tokens
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Diffstat (limited to 'modules/luci-mod-admin-full/luasrc/view')
4 files changed, 43 insertions, 12 deletions
diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_network/diagnostics.htm b/modules/luci-mod-admin-full/luasrc/view/admin_network/diagnostics.htm
index e06a88debe..685082a335 100644
--- a/modules/luci-mod-admin-full/luasrc/view/admin_network/diagnostics.htm
+++ b/modules/luci-mod-admin-full/luasrc/view/admin_network/diagnostics.htm
@@ -34,7 +34,7 @@ local has_traceroute6 = fs.access("/usr/bin/traceroute6") legend.parentNode.style.display = 'block'; legend.style.display = 'inline';
- stxhr.get('<%=url('admin/network')%>/diag_' + tool + protocol + '/' + addr, null,
+ stxhr.post('<%=url('admin/network')%>/diag_' + tool + protocol + '/' + addr, { token: '<%=token%>' }, function(x) { if (x.responseText)
@@ -53,7 +53,7 @@ local has_traceroute6 = fs.access("/usr/bin/traceroute6") } //]]></script>
-<form method="post" action="<%=pcdata(luci.http.getenv("REQUEST_URI"))%>">
+<form method="post" action="<%=url('admin/network/diagnostics')%>"> <div class="cbi-map"> <h2 name="content"><%:Diagnostics%></h2>
diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_network/iface_overview.htm b/modules/luci-mod-admin-full/luasrc/view/admin_network/iface_overview.htm
index 4cdf2df958..9a77f89106 100644
--- a/modules/luci-mod-admin-full/luasrc/view/admin_network/iface_overview.htm
+++ b/modules/luci-mod-admin-full/luasrc/view/admin_network/iface_overview.htm
@@ -49,7 +49,7 @@ s.innerHTML = '<%:Waiting for changes to be applied...%>'; }
- XHR.get('<%=url('admin/network')%>/iface_' + (reconnect ? 'reconnect' : 'shutdown') + '/' + id, null,
+ (new XHR()).post('<%=url('admin/network')%>/iface_' + (reconnect ? 'reconnect' : 'shutdown') + '/' + id, { token: '<%=token%>' }, function(x) { if (s)
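Review bot: In the new `stxhr.post` call `addr` is still spliced into the request path as raw text, so a value containing `/`, `?`, `#` or whitespace alters which route the dispatcher resolves instead of arriving as the final path segment; the token fixes the request method, not the interpolation. Encoding it on the client, `'/diag_' + tool + protocol + '/' + encodeURIComponent(addr)`, keeps the route stable and leaves the server-side handler's own input validation (not visible here) as the real control. Where `addr`, `tool` and `protocol` are read, and the rest of the enclosing function, lie outside this hunk.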
@@ -66,6 +66,16 @@ ); }
+ function iface_delete(id) {
+ if (!confirm('<%:Really delete this interface? The deletion cannot be undone!\nYou might lose access to this device if you are connected via this interface.%>'))
+ return;
+
+ (new XHR()).post('<%=url('admin/network/iface_delete')%>/' + id, { token: '<%=token%>' },
+ function(x) {
+ location.href = '<%=url('admin/network/network')%>';
+ }
+ );
+ } var iwxhr = new XHR(); var wifidevs = <%=luci.http.write_json(netdevs)%>;
@@ -240,7 +250,7 @@ <input type="button" class="cbi-button cbi-button-reload" style="width:100px" onclick="iface_shutdown('<%=net[1]%>', true)" title="<%:Reconnect this interface%>" value="<%:Connect%>" /> <input type="button" class="cbi-button cbi-button-reset" style="width:100px" onclick="iface_shutdown('<%=net[1]%>', false)" title="<%:Shutdown this interface%>" value="<%:Stop%>" /> <input type="button" class="cbi-button cbi-button-edit" style="width:100px" onclick="location.href='<%=url("admin/network/network", net[1])%>'" title="<%:Edit this interface%>" value="<%:Edit%>" id="<%=net[1]%>-ifc-edit" />
- <input type="button" class="cbi-button cbi-button-remove" style="width:100px" onclick="if (confirm('<%:Really delete this interface? The deletion cannot be undone!\nYou might lose access to this device if you are connected via this interface.%>')) location.href='<%=url("admin/network/iface_delete", net[1])%>'" title="<%:Delete this interface%>" value="<%:Delete%>" />
+ <input type="submit" class="cbi-button cbi-button-remove" style="width:100px" onclick="iface_delete('<%=net[1]%>')" value="<%:Delete%>" /> </td> </tr> <% end %>
diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_network/wifi_join.htm b/modules/luci-mod-admin-full/luasrc/view/admin_network/wifi_join.htm
index 671d16ed03..3533c6fa4d 100644
--- a/modules/luci-mod-admin-full/luasrc/view/admin_network/wifi_join.htm
+++ b/modules/luci-mod-admin-full/luasrc/view/admin_network/wifi_join.htm
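Review bot: The new `iface_delete` callback redirects unconditionally — `function(x) { location.href = '<%=url('admin/network/network')%>'; }` runs for any completed response — so a 403 from a stale token or a failed deletion looks exactly like success and the interface only reappears on the next reload. The callback receives the XMLHttpRequest object (the `x.responseText` use in diagnostics.htm shows the same convention), so gating on the status is cheap: `if (x.status != 200) { alert('<%:Deletion failed%>'); return; }` before the assignment, assuming `XHR.post` does not already filter non-2xx responses, which this hunk does not show. The same unconditional redirect is in the new `wifi_delete` in wifi_overview.htm (hunk @@ -167,6 +167,17 @@).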
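Review bot: The replacement Delete control is `type="submit"` with an `onclick` that does not return false, whereas both the line it replaces and the wifi_overview.htm counterpart in this commit (hunk @@ -391,7 +410,7 @@) use `type="button"`; if this table is rendered inside a form (not visible in the hunk), the browser submits that form right after `iface_delete` starts its XHR, racing the deletion against a full-page post. The `title="<%:Delete this interface%>"` tooltip was also dropped in the rewrite. Suggest `<input type="button" class="cbi-button cbi-button-remove" style="width:100px" onclick="iface_delete('<%=net[1]%>')" title="<%:Delete this interface%>" value="<%:Delete%>" />`.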
@@ -1,5 +1,5 @@ <%#
- Copyright 2009 Jo-Philipp Wich <jow@openwrt.org>
+ Copyright 2009-2015 Jo-Philipp Wich <jow@openwrt.org> Licensed to the public under the Apache License 2.0. -%>
@@ -109,7 +109,8 @@ <strong>Encryption:</strong> <%=format_wifi_encryption(net.encryption)%> </td> <td class="cbi-value-field" style="width:40px">
- <form action="<%=REQUEST_URI%>" method="post">
+ <form action="<%=url('admin/network/wireless_join')%>" method="post">
+ <input type="hidden" name="token" value="<%=token%>" /> <input type="hidden" name="device" value="<%=utl.pcdata(dev)%>" /> <input type="hidden" name="join" value="<%=utl.pcdata(net.ssid)%>" /> <input type="hidden" name="mode" value="<%=net.mode%>" />
@@ -138,7 +139,8 @@ <form class="inline" action="<%=url("admin/network/wireless")%>" method="get"> <input class="cbi-button cbi-button-reset" type="submit" value="<%:Back to overview%>" /> </form>
- <form class="inline" action="<%=REQUEST_URI%>" method="get">
+ <form class="inline" action="<%=url('admin/network/wireless_join')%>" method="post">
+ <input type="hidden" name="token" value="<%=token%>" /> <input type="hidden" name="device" value="<%=utl.pcdata(dev)%>" /> <input class="cbi-button cbi-input-find" type="submit" value="<%:Repeat scan%>" /> </form>
diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_network/wifi_overview.htm b/modules/luci-mod-admin-full/luasrc/view/admin_network/wifi_overview.htm
index 17afe0d6c2..f82d06dcdc 100644
--- a/modules/luci-mod-admin-full/luasrc/view/admin_network/wifi_overview.htm
+++ b/modules/luci-mod-admin-full/luasrc/view/admin_network/wifi_overview.htm
@@ -149,7 +149,7 @@ st.innerHTML = '<em><%:Wireless is restarting...%></em>'; }
- XHR.get('<%=url('admin/network')%>/wireless_' + (reconnect ? 'reconnect' : 'shutdown') + '/' + id, null,
+ (new XHR()).post('<%=url('admin/network')%>/wireless_' + (reconnect ? 'reconnect' : 'shutdown') + '/' + id, { token: '<%=token%>' }, function(x) { if (s)
@@ -167,6 +167,17 @@ ); }
+ function wifi_delete(id) {
+ if (!confirm('<%:Really delete this wireless network? The deletion cannot be undone!\nYou might lose access to this device if you are connected via this network.%>'))
+ return;
+
+ (new XHR()).post('<%=url('admin/network/wireless_delete')%>/' + id, { token: '<%=token%>' },
+ function(x) {
+ location.href = '<%=url('admin/network/wireless')%>';
+ }
+ );
+ } + XHR.poll(5, '<%=url('admin/network/wireless_status', table.concat(netlist, ","))%>', null, function(x, st) {
@@ -370,8 +381,16 @@ <span id="<%=dev:name()%>-iw-devinfo"></span> </td> <td style="width:310px;text-align:right">
- <input type="button" class="cbi-button cbi-button-find" style="width:100px" onclick="location.href='<%=url("admin/network/wireless_join")%>?device=<%=dev:name()%>'" title="<%:Find and join network%>" value="<%:Scan%>" />
- <input type="button" class="cbi-button cbi-button-add" style="width:100px" onclick="location.href='<%=url("admin/network/wireless_add")%>?device=<%=dev:name()%>'" title="<%:Provide new network%>" value="<%:Add%>" />
+ <form action="<%=url('admin/network/wireless_join')%>" method="post" class="inline">
+ <input type="hidden" name="device" value="<%=dev:name()%>" />
+ <input type="hidden" name="token" value="<%=token%>" />
+ <input type="submit" class="cbi-button cbi-button-find" style="width:100px" title="<%:Find and join network%>" value="<%:Scan%>" />
+ </form>
+ <form action="<%=url('admin/network/wireless_add')%>" method="post" class="inline">
+ <input type="hidden" name="device" value="<%=dev:name()%>" />
+ <input type="hidden" name="token" value="<%=token%>" />
+ <input type="submit" class="cbi-button cbi-button-add" style="width:100px" title="<%:Provide new network%>" value="<%:Add%>" />
+ </form> </td> </tr> <!-- /physical device -->
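Review bot: The two new Scan/Add forms write the device name into an attribute unescaped, `value="<%=dev:name()%>"`, while the wifi_join.htm forms in this same commit pass it through `utl.pcdata(dev)`; a name containing a quote would terminate the attribute. Use the template's escaper, which diagnostics.htm already calls as `pcdata(...)`: `<input type="hidden" name="device" value="<%=pcdata(dev:name())%>" />` in both forms. Device names come from the wireless configuration rather than from the request, so this is consistency and hardening rather than an exposed injection point.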
@@ -391,7 +410,7 @@ <td class="cbi-value-field" style="width:310px;text-align:right"> <input id="<%=net:id()%>-iw-toggle" type="button" class="cbi-button cbi-button-reload" style="width:100px" onclick="wifi_shutdown('<%=net:id()%>', this)" title="<%:Delete this network%>" value="<%:Enable%>" /> <input type="button" class="cbi-button cbi-button-edit" style="width:100px" onclick="location.href='<%=net:adminlink()%>'" title="<%:Edit this network%>" value="<%:Edit%>" />
- <input type="button" class="cbi-button cbi-button-remove" style="width:100px" onclick="if (confirm('<%:Really delete this wireless network? The deletion cannot be undone!\nYou might lose access to this device if you are connected via this network.%>')) location.href='<%=url("admin/network/wireless_delete", net:ifname())%>'" title="<%:Delete this network%>" value="<%:Remove%>" />
+ <input type="button" class="cbi-button cbi-button-remove" style="width:100px" onclick="wifi_delete('<%=net:ifname()%>')" title="<%:Delete this network%>" value="<%:Remove%>" /> </td> </tr> <% end %>
@@ -410,7 +429,7 @@ <% end %>
- <h2 name="content"><%:Associated Stations%></h2>
+ <h2><%:Associated Stations%></h2> <fieldset class="cbi-section"> <table class="cbi-section-table" style="margin:10px" id="iw-assoclist"> |