diff options
author | Jo-Philipp Wich <jo@mein.io> | 2018-04-04 23:24:31 +0200 |
---|---|---|
committer | Jo-Philipp Wich <jo@mein.io> | 2018-04-04 23:24:31 +0200 |
commit | 8c617c02b5de93c51c896d58b2496b29b2d2c5bd (patch) | |
tree | 5851a82ba7058d2d2e14c7e813db3b29eee2f16f /modules | |
parent | 94ea9077076d98374a331131fb7c9fc57df370a6 (diff) |
luci-base: add FULL_REQUEST_URI template property
Introduce a new template property FULL_REQUEST_URI which returns the full
canonicalized request URL built from SCRIPT_NAME, PATH_INFO and QUERY_STRING.
This new property is safer to use compared to using the raw REQUEST_URI CGI
environment variable directly as this value is essentially untrusted user
input which may contain embedded escaped slashes, double forward slashes and
other oddities allowing XSS exploitation or request redirection.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'modules')
-rw-r--r-- | modules/luci-base/luasrc/dispatcher.lua | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua index 16b32548e6..24681368d7 100644 --- a/modules/luci-base/luasrc/dispatcher.lua +++ b/modules/luci-base/luasrc/dispatcher.lua @@ -346,15 +346,23 @@ function dispatch(request) ifattr = function(...) return _ifattr(...) end; attr = function(...) return _ifattr(true, ...) end; url = build_url; - }, {__index=function(table, key) + }, {__index=function(tbl, key) if key == "controller" then return build_url() elseif key == "REQUEST_URI" then return build_url(unpack(ctx.requestpath)) + elseif key == "FULL_REQUEST_URI" then + local url = { http.getenv("SCRIPT_NAME"), http.getenv("PATH_INFO") } + local query = http.getenv("QUERY_STRING") + if query and #query > 0 then + url[#url+1] = "?" + url[#url+1] = query + end + return table.concat(url, "") elseif key == "token" then return ctx.authtoken else - return rawget(table, key) or _G[key] + return rawget(tbl, key) or _G[key] end end}) end |