diff options
| author | Jo-Philipp Wich <jow@openwrt.org> | 2015-10-20 21:01:41 +0200 |
|---|---|---|
| committer | Jo-Philipp Wich <jow@openwrt.org> | 2015-10-20 21:04:46 +0200 |
| commit | b5826f1ffb19288b8bfdc63f4b77700cfabe1181 (patch) | |
| tree | 2beb4afbfb4cd2719f81bd92d6e27cb4b75879f7 /modules/luci-mod-admin-full/luasrc/view | |
| parent | 562c47e5fd73bacc314f561592ad1b4ce8b8dc48 (diff) | |
luci-mod-admin-full: protect clock, flash and opkg ops with submit token
* Use post_on() target to require csrf token verification for modifying actions
* Ensure that package and flash operation handlers guard modifying operations
with parameter check
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Diffstat (limited to 'modules/luci-mod-admin-full/luasrc/view')
3 files changed, 113 insertions, 93 deletions
diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_system/clock_status.htm b/modules/luci-mod-admin-full/luasrc/view/admin_system/clock_status.htm index 19be072fe..37d8ae0e8 100644 --- a/modules/luci-mod-admin-full/luasrc/view/admin_system/clock_status.htm +++ b/modules/luci-mod-admin-full/luasrc/view/admin_system/clock_status.htm @@ -17,8 +17,8 @@ btn.disabled = true; btn.value = '<%:Synchronizing...%>'; - XHR.get('<%=url('admin/system/clock_status')%>', - { set: Math.floor((new Date()).getTime() / 1000) }, + (new XHR()).post('<%=url('admin/system/clock_status')%>', + { token: '<%=token%>', set: Math.floor((new Date()).getTime() / 1000) }, function() { btn.disabled = false; diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_system/flashops.htm b/modules/luci-mod-admin-full/luasrc/view/admin_system/flashops.htm index bc8bcf488..8bf199294 100644 --- a/modules/luci-mod-admin-full/luasrc/view/admin_system/flashops.htm +++ b/modules/luci-mod-admin-full/luasrc/view/admin_system/flashops.htm @@ -1,6 +1,6 @@ <%# Copyright 2008 Steven Barth <steven@midlink.org> - Copyright 2008 Jo-Philipp Wich <jow@openwrt.org> + Copyright 2008-2015 Jo-Philipp Wich <jow@openwrt.org> Licensed to the public under the Apache License 2.0. -%> @@ -17,7 +17,9 @@ <fieldset class="cbi-section"> <legend><%:Backup / Restore%></legend> - <form method="post" action="<%=REQUEST_URI%>" enctype="multipart/form-data"> + <form method="post" action="<%=url('admin/system/flashops')%>" enctype="multipart/form-data"> + <input type="hidden" name="exec" value="1" /> + <input type="hidden" name="token" value="<%=token%>" /> <div class="cbi-section-descr"><%:Click "Generate archive" to download a tar archive of the current configuration files. To reset the firmware to its initial state, click "Perform reset" (only possible with squashfs images).%></div> <div class="cbi-section-node"> <div class="cbi-value<% if not reset_avail then %> cbi-value-last<% end %>"> @@ -54,7 +56,9 @@ <fieldset class="cbi-section"> <legend><%:Flash new firmware image%></legend> <% if upgrade_avail then %> - <form method="post" action="<%=REQUEST_URI%>" enctype="multipart/form-data"> + <form method="post" action="<%=url('admin/system/flashops')%>" enctype="multipart/form-data"> + <input type="hidden" name="exec" value="1" /> + <input type="hidden" name="token" value="<%=token%>" /> <div class="cbi-section-descr"><%:Upload a sysupgrade-compatible image here to replace the running firmware. Check "Keep settings" to retain the current configuration (requires an OpenWrt compatible firmware image).%></div> <div class="cbi-section-node"> <div class="cbi-value"> diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm b/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm index ef9591990..fbb8235ec 100644 --- a/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm +++ b/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm @@ -46,17 +46,18 @@ end <h2 name="content"><%:Software%></h2> -<form method="post" action="<%=REQUEST_URI%>"> - <div class="cbi-map"> +<div class="cbi-map"> - <ul class="cbi-tabmenu"> - <li class="cbi-tab"><a href="#"><%:Actions%></a></li> - <li class="cbi-tab-disabled"><a href="<%=REQUEST_URI%>/ipkg"><%:Configuration%></a></li> - </ul> - - <fieldset class="cbi-section"> + <ul class="cbi-tabmenu"> + <li class="cbi-tab"><a href="#"><%:Actions%></a></li> + <li class="cbi-tab-disabled"><a href="<%=REQUEST_URI%>/ipkg"><%:Configuration%></a></li> + </ul> + <form method="post" action="<%=REQUEST_URI%>"> + <input type="hidden" name="exec" value="1" /> + <input type="hidden" name="token" value="<%=token%>" /> + <fieldset class="cbi-section"> <fieldset class="cbi-section-node"> <% if (install and next(install)) or (remove and next(remove)) or update or upgrade then %> <div class="cbi-value"> @@ -80,7 +81,7 @@ end <% else %> <%:No package lists available%> <% end %> - <input type="button" onclick="location.href='?update=1'" href="#" class="cbi-button cbi-button-apply" style="margin-left:3em" value="<%:Update lists%>" /> + <input type="submit" name="update" href="#" class="cbi-button cbi-button-apply" style="margin-left:3em" value="<%:Update lists%>" /> </div> <% end %> @@ -101,7 +102,7 @@ end <label class="cbi-value-title"><%:Download and install package%>:</label> <div class="cbi-value-field"> <input type="text" name="url" size="30" value="" /> - <input class="cbi-button cbi-input-save" type="submit" name="submit" value="<%:OK%>" /> + <input class="cbi-button cbi-input-save" type="submit" name="exec" value="<%:OK%>" /> </div> </div> @@ -114,83 +115,98 @@ end </div> </fieldset> </fieldset> - <br /> - - <h3><%:Status%></h3> - - - <ul class="cbi-tabmenu"> - <li class="cbi-tab<% if display ~= "installed" then %>-disabled<% end %>"><a href="?display=installed&query=<%=pcdata(query)%>"><%:Installed packages%><% if query then %> (<%=pcdata(query)%>)<% end %></a></li> - <li class="cbi-tab<% if display ~= "available" then %>-disabled<% end %>"><a href="?display=available&query=<%=pcdata(query)%>"><%:Available packages%><% if query then %> (<%=pcdata(query)%>)<% end %></a></li> - </ul> - - <% if display ~= "available" then %> - <fieldset class="cbi-section"> - <table class="cbi-section-table" style="width:100%"> - <tr class="cbi-section-table-titles"> - <th class="cbi-section-table-cell" style="text-align:left"> </th> - <th class="cbi-section-table-cell" style="text-align:left"><%:Package name%></th> - <th class="cbi-section-table-cell" style="text-align:left"><%:Version%></th> - </tr> - <% local empty = true; luci.model.ipkg.list_installed(querypat, function(n, v, s, d) empty = false; filter[n] = true %> - <tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>"> - <td style="text-align:left; width:10%"><a onclick="return window.confirm('<%:Remove%> "<%=luci.util.pcdata(n)%>" ?')" href="<%=REQUEST_URI%>?submit=1&remove=<%=luci.util.pcdata(n)%>"><%:Remove%></a></td> - <td style="text-align:left"><%=luci.util.pcdata(n)%></td> - <td style="text-align:left"><%=luci.util.pcdata(v)%></td> - </tr> - <% end) %> - <% if empty then %> - <tr class="cbi-section-table-row"> - <td style="text-align:left"> </td> - <td style="text-align:left"><em><%:none%></em></td> - <td style="text-align:left"><em><%:none%></em></td> - </tr> - <% end %> - </table> - </fieldset> - <% else %> - <fieldset class="cbi-section"> - <% if not querypat then %> - <ul class="cbi-tabmenu"> - <% local i; for i = 65, 90 do %> - <li class="cbi-tab<% if letter ~= i then %>-disabled<% end %>"><a href="?display=available&letter=<%=string.char(i)%>"><%=string.char(i)%></a></li> - <% end %> - <li class="cbi-tab<% if letter ~= 35 then %>-disabled<% end %>"><a href="?display=available&letter=%23">#</a></li> - </ul> - <div class="cbi-section-node"> - <% end %> - <table class="cbi-section-table" style="width:100%"> - <tr class="cbi-section-table-titles"> - <th class="cbi-section-table-cell" style="text-align:left"> </th> - <th class="cbi-section-table-cell" style="text-align:left"><%:Package name%></th> - <th class="cbi-section-table-cell" style="text-align:left"><%:Version%></th> - <th class="cbi-section-table-cell" style="text-align:right"><%:Size (.ipk)%></th> - <th class="cbi-section-table-cell" style="text-align:left"><%:Description%></th> - </tr> - <% local empty = true; opkg_list(querypat or letterpat, function(n, v, s, d) if filter[n] then return end; empty = false %> - <tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>"> - <td style="text-align:left; width:10%"><a onclick="return window.confirm('<%:Install%> "<%=luci.util.pcdata(n)%>" ?')" href="<%=REQUEST_URI%>?submit=1&install=<%=luci.util.pcdata(n)%>"><%:Install%></a></td> - <td style="text-align:left"><%=luci.util.pcdata(n)%></td> - <td style="text-align:left"><%=luci.util.pcdata(v)%></td> - <td style="text-align:right"><%=luci.util.pcdata(s)%></td> - <td style="text-align:left"><%=luci.util.pcdata(d)%></td> - </tr> - <% end) %> - <% if empty then %> - <tr class="cbi-section-table-row"> - <td style="text-align:left"> </td> - <td style="text-align:left"><em><%:none%></em></td> - <td style="text-align:left"><em><%:none%></em></td> - <td style="text-align:right"><em><%:none%></em></td> - <td style="text-align:left"><em><%:none%></em></td> - </tr> - <% end %> - </table> - <% if not querypat then %> - </div> - <% end %> - </fieldset> + </form> + + + <h3><%:Status%></h3> + + + <ul class="cbi-tabmenu"> + <li class="cbi-tab<% if display ~= "installed" then %>-disabled<% end %>"><a href="?display=installed&query=<%=pcdata(query)%>"><%:Installed packages%><% if query then %> (<%=pcdata(query)%>)<% end %></a></li> + <li class="cbi-tab<% if display ~= "available" then %>-disabled<% end %>"><a href="?display=available&query=<%=pcdata(query)%>"><%:Available packages%><% if query then %> (<%=pcdata(query)%>)<% end %></a></li> + </ul> + + <% if display ~= "available" then %> + <fieldset class="cbi-section"> + <table class="cbi-section-table" style="width:100%"> + <tr class="cbi-section-table-titles"> + <th class="cbi-section-table-cell" style="text-align:left"> </th> + <th class="cbi-section-table-cell" style="text-align:left"><%:Package name%></th> + <th class="cbi-section-table-cell" style="text-align:left"><%:Version%></th> + </tr> + <% local empty = true; luci.model.ipkg.list_installed(querypat, function(n, v, s, d) empty = false; filter[n] = true %> + <tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>"> + <td style="text-align:left; width:10%"> + <form method="post" class="inline" action="<%=REQUEST_URI%>"> + <input type="hidden" name="exec" value="1" /> + <input type="hidden" name="token" value="<%=token%>" /> + <input type="hidden" name="remove" value="<%=pcdata(n)%>" /> + <a onclick="window.confirm('<%:Remove%> "<%=luci.util.pcdata(n)%>" ?') && this.parentNode.submit(); return false" href="#"><%:Remove%></a> + </form> + </td> + <td style="text-align:left"><%=luci.util.pcdata(n)%></td> + <td style="text-align:left"><%=luci.util.pcdata(v)%></td> + </tr> + <% end) %> + <% if empty then %> + <tr class="cbi-section-table-row"> + <td style="text-align:left"> </td> + <td style="text-align:left"><em><%:none%></em></td> + <td style="text-align:left"><em><%:none%></em></td> + </tr> + <% end %> + </table> + </fieldset> + <% else %> + <fieldset class="cbi-section"> + <% if not querypat then %> + <ul class="cbi-tabmenu"> + <% local i; for i = 65, 90 do %> + <li class="cbi-tab<% if letter ~= i then %>-disabled<% end %>"><a href="?display=available&letter=<%=string.char(i)%>"><%=string.char(i)%></a></li> + <% end %> + <li class="cbi-tab<% if letter ~= 35 then %>-disabled<% end %>"><a href="?display=available&letter=%23">#</a></li> + </ul> + <div class="cbi-section-node"> + <% end %> + <table class="cbi-section-table" style="width:100%"> + <tr class="cbi-section-table-titles"> + <th class="cbi-section-table-cell" style="text-align:left"> </th> + <th class="cbi-section-table-cell" style="text-align:left"><%:Package name%></th> + <th class="cbi-section-table-cell" style="text-align:left"><%:Version%></th> + <th class="cbi-section-table-cell" style="text-align:right"><%:Size (.ipk)%></th> + <th class="cbi-section-table-cell" style="text-align:left"><%:Description%></th> + </tr> + <% local empty = true; opkg_list(querypat or letterpat, function(n, v, s, d) if filter[n] then return end; empty = false %> + <tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>"> + <td style="text-align:left; width:10%"> + <form method="post" class="inline" action="<%=REQUEST_URI%>"> + <input type="hidden" name="exec" value="1" /> + <input type="hidden" name="token" value="<%=token%>" /> + <input type="hidden" name="install" value="<%=pcdata(n)%>" /> + <a onclick="window.confirm('<%:Install%> "<%=luci.util.pcdata(n)%>" ?') && this.parentNode.submit(); return false" href="#"><%:Install%></a> + </form> + </td> + <td style="text-align:left"><%=luci.util.pcdata(n)%></td> + <td style="text-align:left"><%=luci.util.pcdata(v)%></td> + <td style="text-align:right"><%=luci.util.pcdata(s)%></td> + <td style="text-align:left"><%=luci.util.pcdata(d)%></td> + </tr> + <% end) %> + <% if empty then %> + <tr class="cbi-section-table-row"> + <td style="text-align:left"> </td> + <td style="text-align:left"><em><%:none%></em></td> + <td style="text-align:left"><em><%:none%></em></td> + <td style="text-align:right"><em><%:none%></em></td> + <td style="text-align:left"><em><%:none%></em></td> + </tr> + <% end %> + </table> + <% if not querypat then %> + </div> <% end %> - </div> -</form> + </fieldset> + <% end %> +</div> + <%+footer%> |