authorJo-Philipp Wich <jow@openwrt.org>2015-10-20 21:01:41 +0200
committerJo-Philipp Wich <jow@openwrt.org>2015-10-20 21:04:46 +0200
commitb5826f1ffb19288b8bfdc63f4b77700cfabe1181 (patch)
tree2beb4afbfb4cd2719f81bd92d6e27cb4b75879f7 /modules/luci-mod-admin-full/luasrc/view
parent562c47e5fd73bacc314f561592ad1b4ce8b8dc48 (diff)
luci-mod-admin-full: protect clock, flash and opkg ops with submit token
* Use post_on() target to require csrf token verification for modifying actions * Ensure that package and flash operation handlers guard modifying operations with parameter check Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Diffstat (limited to 'modules/luci-mod-admin-full/luasrc/view')
-rw-r--r--modules/luci-mod-admin-full/luasrc/view/admin_system/clock_status.htm4
-rw-r--r--modules/luci-mod-admin-full/luasrc/view/admin_system/flashops.htm10
-rw-r--r--modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm192
3 files changed, 113 insertions, 93 deletions
diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_system/clock_status.htm b/modules/luci-mod-admin-full/luasrc/view/admin_system/clock_status.htm
index 19be072fef..37d8ae0e85 100644
--- a/modules/luci-mod-admin-full/luasrc/view/admin_system/clock_status.htm
+++ b/modules/luci-mod-admin-full/luasrc/view/admin_system/clock_status.htm
@@ -17,8 +17,8 @@
btn.disabled = true;
btn.value = '<%:Synchronizing...%>';
- XHR.get('<%=url('admin/system/clock_status')%>',
- { set: Math.floor((new Date()).getTime() / 1000) },
+ (new XHR()).post('<%=url('admin/system/clock_status')%>',
+ { token: '<%=token%>', set: Math.floor((new Date()).getTime() / 1000) },
function()
{
btn.disabled = false;
diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_system/flashops.htm b/modules/luci-mod-admin-full/luasrc/view/admin_system/flashops.htm
index bc8bcf4884..8bf1992944 100644
--- a/modules/luci-mod-admin-full/luasrc/view/admin_system/flashops.htm
+++ b/modules/luci-mod-admin-full/luasrc/view/admin_system/flashops.htm
@@ -1,6 +1,6 @@
<%#
Copyright 2008 Steven Barth <steven@midlink.org>
- Copyright 2008 Jo-Philipp Wich <jow@openwrt.org>
+ Copyright 2008-2015 Jo-Philipp Wich <jow@openwrt.org>
Licensed to the public under the Apache License 2.0.
-%>
@@ -17,7 +17,9 @@
<fieldset class="cbi-section">
<legend><%:Backup / Restore%></legend>
- <form method="post" action="<%=REQUEST_URI%>" enctype="multipart/form-data">
+ <form method="post" action="<%=url('admin/system/flashops')%>" enctype="multipart/form-data">
+ <input type="hidden" name="exec" value="1" />
+ <input type="hidden" name="token" value="<%=token%>" />
<div class="cbi-section-descr"><%:Click "Generate archive" to download a tar archive of the current configuration files. To reset the firmware to its initial state, click "Perform reset" (only possible with squashfs images).%></div>
<div class="cbi-section-node">
<div class="cbi-value<% if not reset_avail then %> cbi-value-last<% end %>">
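Review bot: The new hidden `exec` input in this form, and the identical one in the "Flash new firmware image" hunk below, carries no explanation of what it gates; per the commit message the controller runs the modifying branch only when this parameter is present, so a maintainer tidying the markup could easily drop it as unused. A template comment beside it would pin that down, e.g. `<%# exec=1 marks a modifying request; the controller acts only when it is present and the submit token verifies %>`. The `token` field next to it is the CSRF submit token that the post_on() target checks, which the same comment could name. Both form bodies continue outside their hunks.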
@@ -54,7 +56,9 @@
<fieldset class="cbi-section">
<legend><%:Flash new firmware image%></legend>
<% if upgrade_avail then %>
- <form method="post" action="<%=REQUEST_URI%>" enctype="multipart/form-data">
+ <form method="post" action="<%=url('admin/system/flashops')%>" enctype="multipart/form-data">
+ <input type="hidden" name="exec" value="1" />
+ <input type="hidden" name="token" value="<%=token%>" />
<div class="cbi-section-descr"><%:Upload a sysupgrade-compatible image here to replace the running firmware. Check "Keep settings" to retain the current configuration (requires an OpenWrt compatible firmware image).%></div>
<div class="cbi-section-node">
<div class="cbi-value">
diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm b/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm
index ef9591990f..fbb8235ec2 100644
--- a/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm
+++ b/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm
@@ -46,17 +46,18 @@ end
<h2 name="content"><%:Software%></h2>
-<form method="post" action="<%=REQUEST_URI%>">
- <div class="cbi-map">
+<div class="cbi-map">
- <ul class="cbi-tabmenu">
- <li class="cbi-tab"><a href="#"><%:Actions%></a></li>
- <li class="cbi-tab-disabled"><a href="<%=REQUEST_URI%>/ipkg"><%:Configuration%></a></li>
- </ul>
-
- <fieldset class="cbi-section">
+ <ul class="cbi-tabmenu">
+ <li class="cbi-tab"><a href="#"><%:Actions%></a></li>
+ <li class="cbi-tab-disabled"><a href="<%=REQUEST_URI%>/ipkg"><%:Configuration%></a></li>
+ </ul>
+ <form method="post" action="<%=REQUEST_URI%>">
+ <input type="hidden" name="exec" value="1" />
+ <input type="hidden" name="token" value="<%=token%>" />
+ <fieldset class="cbi-section">
<fieldset class="cbi-section-node">
<% if (install and next(install)) or (remove and next(remove)) or update or upgrade then %>
<div class="cbi-value">
@@ -80,7 +81,7 @@ end
<% else %>
<%:No package lists available%>
<% end %>
- <input type="button" onclick="location.href='?update=1'" href="#" class="cbi-button cbi-button-apply" style="margin-left:3em" value="<%:Update lists%>" />
+ <input type="submit" name="update" href="#" class="cbi-button cbi-button-apply" style="margin-left:3em" value="<%:Update lists%>" />
</div>
<% end %>
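Review bot: The new submit button keeps a stray `href="#"` attribute, which is not valid on `<input>` and looks like a leftover from the removed `onclick` button it replaces; drop it: `<input type="submit" name="update" class="cbi-button cbi-button-apply" style="margin-left:3em" value="<%:Update lists%>" />`. Turning the update trigger from a GET query string into a POST submit inside the token-bearing form is what brings it under the token check, so the rest of the line is right. The enclosing form starts in an earlier hunk.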
@@ -101,7 +102,7 @@ end
<label class="cbi-value-title"><%:Download and install package%>:</label>
<div class="cbi-value-field">
<input type="text" name="url" size="30" value="" />
- <input class="cbi-button cbi-input-save" type="submit" name="submit" value="<%:OK%>" />
+ <input class="cbi-button cbi-input-save" type="submit" name="exec" value="<%:OK%>" />
</div>
</div>
@@ -114,83 +115,98 @@ end
</div>
</fieldset>
</fieldset>
- <br />
-
- <h3><%:Status%></h3>
-
-
- <ul class="cbi-tabmenu">
- <li class="cbi-tab<% if display ~= "installed" then %>-disabled<% end %>"><a href="?display=installed&amp;query=<%=pcdata(query)%>"><%:Installed packages%><% if query then %> (<%=pcdata(query)%>)<% end %></a></li>
- <li class="cbi-tab<% if display ~= "available" then %>-disabled<% end %>"><a href="?display=available&amp;query=<%=pcdata(query)%>"><%:Available packages%><% if query then %> (<%=pcdata(query)%>)<% end %></a></li>
- </ul>
-
- <% if display ~= "available" then %>
- <fieldset class="cbi-section">
- <table class="cbi-section-table" style="width:100%">
- <tr class="cbi-section-table-titles">
- <th class="cbi-section-table-cell" style="text-align:left">&#160;</th>
- <th class="cbi-section-table-cell" style="text-align:left"><%:Package name%></th>
- <th class="cbi-section-table-cell" style="text-align:left"><%:Version%></th>
- </tr>
- <% local empty = true; luci.model.ipkg.list_installed(querypat, function(n, v, s, d) empty = false; filter[n] = true %>
- <tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>">
- <td style="text-align:left; width:10%"><a onclick="return window.confirm('<%:Remove%> &quot;<%=luci.util.pcdata(n)%>&quot; ?')" href="<%=REQUEST_URI%>?submit=1&amp;remove=<%=luci.util.pcdata(n)%>"><%:Remove%></a></td>
- <td style="text-align:left"><%=luci.util.pcdata(n)%></td>
- <td style="text-align:left"><%=luci.util.pcdata(v)%></td>
- </tr>
- <% end) %>
- <% if empty then %>
- <tr class="cbi-section-table-row">
- <td style="text-align:left">&#160;</td>
- <td style="text-align:left"><em><%:none%></em></td>
- <td style="text-align:left"><em><%:none%></em></td>
- </tr>
- <% end %>
- </table>
- </fieldset>
- <% else %>
- <fieldset class="cbi-section">
- <% if not querypat then %>
- <ul class="cbi-tabmenu">
- <% local i; for i = 65, 90 do %>
- <li class="cbi-tab<% if letter ~= i then %>-disabled<% end %>"><a href="?display=available&amp;letter=<%=string.char(i)%>"><%=string.char(i)%></a></li>
- <% end %>
- <li class="cbi-tab<% if letter ~= 35 then %>-disabled<% end %>"><a href="?display=available&amp;letter=%23">#</a></li>
- </ul>
- <div class="cbi-section-node">
- <% end %>
- <table class="cbi-section-table" style="width:100%">
- <tr class="cbi-section-table-titles">
- <th class="cbi-section-table-cell" style="text-align:left">&#160;</th>
- <th class="cbi-section-table-cell" style="text-align:left"><%:Package name%></th>
- <th class="cbi-section-table-cell" style="text-align:left"><%:Version%></th>
- <th class="cbi-section-table-cell" style="text-align:right"><%:Size (.ipk)%></th>
- <th class="cbi-section-table-cell" style="text-align:left"><%:Description%></th>
- </tr>
- <% local empty = true; opkg_list(querypat or letterpat, function(n, v, s, d) if filter[n] then return end; empty = false %>
- <tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>">
- <td style="text-align:left; width:10%"><a onclick="return window.confirm('<%:Install%> &quot;<%=luci.util.pcdata(n)%>&quot; ?')" href="<%=REQUEST_URI%>?submit=1&amp;install=<%=luci.util.pcdata(n)%>"><%:Install%></a></td>
- <td style="text-align:left"><%=luci.util.pcdata(n)%></td>
- <td style="text-align:left"><%=luci.util.pcdata(v)%></td>
- <td style="text-align:right"><%=luci.util.pcdata(s)%></td>
- <td style="text-align:left"><%=luci.util.pcdata(d)%></td>
- </tr>
- <% end) %>
- <% if empty then %>
- <tr class="cbi-section-table-row">
- <td style="text-align:left">&#160;</td>
- <td style="text-align:left"><em><%:none%></em></td>
- <td style="text-align:left"><em><%:none%></em></td>
- <td style="text-align:right"><em><%:none%></em></td>
- <td style="text-align:left"><em><%:none%></em></td>
- </tr>
- <% end %>
- </table>
- <% if not querypat then %>
- </div>
- <% end %>
- </fieldset>
+ </form>
+
+
+ <h3><%:Status%></h3>
+
+
+ <ul class="cbi-tabmenu">
+ <li class="cbi-tab<% if display ~= "installed" then %>-disabled<% end %>"><a href="?display=installed&amp;query=<%=pcdata(query)%>"><%:Installed packages%><% if query then %> (<%=pcdata(query)%>)<% end %></a></li>
+ <li class="cbi-tab<% if display ~= "available" then %>-disabled<% end %>"><a href="?display=available&amp;query=<%=pcdata(query)%>"><%:Available packages%><% if query then %> (<%=pcdata(query)%>)<% end %></a></li>
+ </ul>
+
+ <% if display ~= "available" then %>
+ <fieldset class="cbi-section">
+ <table class="cbi-section-table" style="width:100%">
+ <tr class="cbi-section-table-titles">
+ <th class="cbi-section-table-cell" style="text-align:left">&#160;</th>
+ <th class="cbi-section-table-cell" style="text-align:left"><%:Package name%></th>
+ <th class="cbi-section-table-cell" style="text-align:left"><%:Version%></th>
+ </tr>
+ <% local empty = true; luci.model.ipkg.list_installed(querypat, function(n, v, s, d) empty = false; filter[n] = true %>
+ <tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>">
+ <td style="text-align:left; width:10%">
+ <form method="post" class="inline" action="<%=REQUEST_URI%>">
+ <input type="hidden" name="exec" value="1" />
+ <input type="hidden" name="token" value="<%=token%>" />
+ <input type="hidden" name="remove" value="<%=pcdata(n)%>" />
+ <a onclick="window.confirm('<%:Remove%> &quot;<%=luci.util.pcdata(n)%>&quot; ?') && this.parentNode.submit(); return false" href="#"><%:Remove%></a>
+ </form>
+ </td>
+ <td style="text-align:left"><%=luci.util.pcdata(n)%></td>
+ <td style="text-align:left"><%=luci.util.pcdata(v)%></td>
+ </tr>
+ <% end) %>
+ <% if empty then %>
+ <tr class="cbi-section-table-row">
+ <td style="text-align:left">&#160;</td>
+ <td style="text-align:left"><em><%:none%></em></td>
+ <td style="text-align:left"><em><%:none%></em></td>
+ </tr>
+ <% end %>
+ </table>
+ </fieldset>
+ <% else %>
+ <fieldset class="cbi-section">
+ <% if not querypat then %>
+ <ul class="cbi-tabmenu">
+ <% local i; for i = 65, 90 do %>
+ <li class="cbi-tab<% if letter ~= i then %>-disabled<% end %>"><a href="?display=available&amp;letter=<%=string.char(i)%>"><%=string.char(i)%></a></li>
+ <% end %>
+ <li class="cbi-tab<% if letter ~= 35 then %>-disabled<% end %>"><a href="?display=available&amp;letter=%23">#</a></li>
+ </ul>
+ <div class="cbi-section-node">
+ <% end %>
+ <table class="cbi-section-table" style="width:100%">
+ <tr class="cbi-section-table-titles">
+ <th class="cbi-section-table-cell" style="text-align:left">&#160;</th>
+ <th class="cbi-section-table-cell" style="text-align:left"><%:Package name%></th>
+ <th class="cbi-section-table-cell" style="text-align:left"><%:Version%></th>
+ <th class="cbi-section-table-cell" style="text-align:right"><%:Size (.ipk)%></th>
+ <th class="cbi-section-table-cell" style="text-align:left"><%:Description%></th>
+ </tr>
+ <% local empty = true; opkg_list(querypat or letterpat, function(n, v, s, d) if filter[n] then return end; empty = false %>
+ <tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>">
+ <td style="text-align:left; width:10%">
+ <form method="post" class="inline" action="<%=REQUEST_URI%>">
+ <input type="hidden" name="exec" value="1" />
+ <input type="hidden" name="token" value="<%=token%>" />
+ <input type="hidden" name="install" value="<%=pcdata(n)%>" />
+ <a onclick="window.confirm('<%:Install%> &quot;<%=luci.util.pcdata(n)%>&quot; ?') && this.parentNode.submit(); return false" href="#"><%:Install%></a>
+ </form>
+ </td>
+ <td style="text-align:left"><%=luci.util.pcdata(n)%></td>
+ <td style="text-align:left"><%=luci.util.pcdata(v)%></td>
+ <td style="text-align:right"><%=luci.util.pcdata(s)%></td>
+ <td style="text-align:left"><%=luci.util.pcdata(d)%></td>
+ </tr>
+ <% end) %>
+ <% if empty then %>
+ <tr class="cbi-section-table-row">
+ <td style="text-align:left">&#160;</td>
+ <td style="text-align:left"><em><%:none%></em></td>
+ <td style="text-align:left"><em><%:none%></em></td>
+ <td style="text-align:right"><em><%:none%></em></td>
+ <td style="text-align:left"><em><%:none%></em></td>
+ </tr>
+ <% end %>
+ </table>
+ <% if not querypat then %>
+ </div>
<% end %>
- </div>
-</form>
+ </fieldset>
+ <% end %>
+</div>
+
<%+footer%>
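Review bot: The per-row Remove and Install controls are `<a href="#">` links whose inline `onclick` calls `this.parentNode.submit()`; a link whose only job is to submit the surrounding form is a button, and without JavaScript the link is focusable but does nothing. A native submit control keeps the confirmation and needs no script to locate the form: `<input type="submit" class="cbi-button" value="<%:Remove%>" onclick="return window.confirm('<%:Remove%> &quot;<%=luci.util.pcdata(n)%>&quot; ?')" />`, and the same shape for Install. This also routes through the form's normal submit path instead of the programmatic `submit()` call, which skips any submit listeners the page may attach. The hidden `exec` and `token` fields in each row form are the right place for the per-package action, since the package name now travels in a POST body alongside the token rather than in a GET query string.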