authorJo-Philipp Wich <jo@mein.io>2018-04-04 23:24:31 +0200
committerJo-Philipp Wich <jo@mein.io>2018-04-04 23:24:31 +0200
commit8c617c02b5de93c51c896d58b2496b29b2d2c5bd (patch)
tree5851a82ba7058d2d2e14c7e813db3b29eee2f16f /modules
parent94ea9077076d98374a331131fb7c9fc57df370a6 (diff)
luci-base: add FULL_REQUEST_URI template property
Introduce a new template property FULL_REQUEST_URI which returns the full canonicalized request URL built from SCRIPT_NAME, PATH_INFO and QUERY_STRING. This new property is safer to use than the raw REQUEST_URI CGI environment variable, as that value is essentially untrusted user input which may contain embedded escaped slashes, double forward slashes and other oddities allowing XSS exploitation or request redirection.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'modules')
-rw-r--r--modules/luci-base/luasrc/dispatcher.lua12
1 files changed, 10 insertions, 2 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index 16b32548e6..24681368d7 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -346,15 +346,23 @@ function dispatch(request)
ifattr = function(...) return _ifattr(...) end;
attr = function(...) return _ifattr(true, ...) end;
url = build_url;
- }, {__index=function(table, key)
+ }, {__index=function(tbl, key)
if key == "controller" then
return build_url()
elseif key == "REQUEST_URI" then
return build_url(unpack(ctx.requestpath))
+ elseif key == "FULL_REQUEST_URI" then
+ local url = { http.getenv("SCRIPT_NAME"), http.getenv("PATH_INFO") }
+ local query = http.getenv("QUERY_STRING")
+ if query and #query > 0 then
+ url[#url+1] = "?"
+ url[#url+1] = query
+ end
+ return table.concat(url, "")
elseif key == "token" then
return ctx.authtoken
else
- return rawget(table, key) or _G[key]
+ return rawget(tbl, key) or _G[key]
end
end})
end
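Review bot: The table constructor on the FULL_REQUEST_URI branch, `{ http.getenv("SCRIPT_NAME"), http.getenv("PATH_INFO") }`, leaves a hole if either variable is unset, and `table.concat` raises on a nil element inside the range it sees, so a request served without one of those CGI variables would error inside the template rather than yield a shorter URL; defaulting both is enough: `local url = { http.getenv("SCRIPT_NAME") or "", http.getenv("PATH_INFO") or "" }`. The query string is appended verbatim, so while the path part avoids the raw REQUEST_URI oddities the description mentions, the value as a whole still carries user-controlled characters and templates must keep passing it through `attr`/`ifattr` (or an equivalent escape) when emitting it; a short comment on the branch saying so, e.g. `-- QUERY_STRING is copied unescaped; escape at the point of output`, would prevent misuse. It may also be worth building the path part with `build_url(unpack(ctx.requestpath))` as the REQUEST_URI branch above does, so the two properties agree on what the canonical path is — presumably that is the normalized form, but it should be confirmed against build_url, which is defined outside this hunk. The enclosing dispatch function starts before the hunk.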