Diffstat (limited to 'modules/luci-base/luasrc')
-rw-r--r--modules/luci-base/luasrc/cbi.lua87
-rw-r--r--modules/luci-base/luasrc/controller/admin/servicectl.lua2
-rw-r--r--modules/luci-base/luasrc/dispatcher.lua45
-rw-r--r--modules/luci-base/luasrc/sys/zoneinfo/tzdata.lua5
-rw-r--r--modules/luci-base/luasrc/sys/zoneinfo/tzoffset.lua2
-rw-r--r--modules/luci-base/luasrc/view/cbi/apply_xhr.htm4
-rw-r--r--modules/luci-base/luasrc/view/cbi/browser.htm2
-rw-r--r--modules/luci-base/luasrc/view/cbi/error.htm2
-rw-r--r--modules/luci-base/luasrc/view/cbi/header.htm1
-rw-r--r--modules/luci-base/luasrc/view/cbi/map.htm2
-rw-r--r--modules/luci-base/luasrc/view/cbi/simpleform.htm3
-rw-r--r--modules/luci-base/luasrc/view/csrftoken.htm24
-rw-r--r--modules/luci-base/luasrc/view/error404.htm2
-rw-r--r--modules/luci-base/luasrc/view/error500.htm2
-rw-r--r--modules/luci-base/luasrc/view/sysauth.htm2
15 files changed, 129 insertions, 56 deletions
diff --git a/modules/luci-base/luasrc/cbi.lua b/modules/luci-base/luasrc/cbi.lua
index f3d4618b65..a0090958f6 100644
--- a/modules/luci-base/luasrc/cbi.lua
+++ b/modules/luci-base/luasrc/cbi.lua
@@ -367,63 +367,64 @@ end
-- Use optimized UCI writing
function Map.parse(self, readinput, ...)
- self.readinput = (readinput ~= false)
- self:_run_hooks("on_parse")
-
if self:formvalue("cbi.skip") then
self.state = FORM_SKIP
+ elseif not self.save then
+ self.state = FORM_INVALID
+ elseif not self:submitstate() then
+ self.state = FORM_NODATA
+ end
+
+ -- Back out early to prevent unauthorized changes on the subsequent parse
+ if self.state ~= nil then
return self:state_handler(self.state)
end
+ self.readinput = (readinput ~= false)
+ self:_run_hooks("on_parse")
+
Node.parse(self, ...)
- if self.save then
- self:_run_hooks("on_save", "on_before_save")
+ self:_run_hooks("on_save", "on_before_save")
+ for i, config in ipairs(self.parsechain) do
+ self.uci:save(config)
+ end
+ self:_run_hooks("on_after_save")
+ if (not self.proceed and self.flow.autoapply) or luci.http.formvalue("cbi.apply") then
+ self:_run_hooks("on_before_commit")
for i, config in ipairs(self.parsechain) do
- self.uci:save(config)
- end
- self:_run_hooks("on_after_save")
- if self:submitstate() and ((not self.proceed and self.flow.autoapply) or luci.http.formvalue("cbi.apply")) then
- self:_run_hooks("on_before_commit")
- for i, config in ipairs(self.parsechain) do
- self.uci:commit(config)
-
- -- Refresh data because commit changes section names
- self.uci:load(config)
- end
- self:_run_hooks("on_commit", "on_after_commit", "on_before_apply")
- if self.apply_on_parse then
- self.uci:apply(self.parsechain)
- self:_run_hooks("on_apply", "on_after_apply")
- else
- -- This is evaluated by the dispatcher and delegated to the
- -- template which in turn fires XHR to perform the actual
- -- apply actions.
- self.apply_needed = true
- end
-
- -- Reparse sections
- Node.parse(self, true)
+ self.uci:commit(config)
+ -- Refresh data because commit changes section names
+ self.uci:load(config)
end
- for i, config in ipairs(self.parsechain) do
- self.uci:unload(config)
- end
- if type(self.commit_handler) == "function" then
- self:commit_handler(self:submitstate())
+ self:_run_hooks("on_commit", "on_after_commit", "on_before_apply")
+ if self.apply_on_parse then
+ self.uci:apply(self.parsechain)
+ self:_run_hooks("on_apply", "on_after_apply")
+ else
+ -- This is evaluated by the dispatcher and delegated to the
+ -- template which in turn fires XHR to perform the actual
+ -- apply actions.
+ self.apply_needed = true
end
+
+ -- Reparse sections
+ Node.parse(self, true)
+ end
+ for i, config in ipairs(self.parsechain) do
+ self.uci:unload(config)
+ end
+ if type(self.commit_handler) == "function" then
+ self:commit_handler(self:submitstate())
end
- if self:submitstate() then
- if not self.save then
- self.state = FORM_INVALID
- elseif self.proceed then
- self.state = FORM_PROCEED
- else
- self.state = self.changed and FORM_CHANGED or FORM_VALID
- end
+ if self.proceed then
+ self.state = FORM_PROCEED
+ elseif self.changed then
+ self.state = FORM_CHANGED
else
- self.state = FORM_NODATA
+ self.state = FORM_VALID
end
return self:state_handler(self.state)
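Review bot: The new early-out at `elseif not self.save then` runs before `Node.parse(self, ...)`, so on a first submission `self.save` still holds whatever the constructor gave it, while the hunk also drops the `if self.save then` guard around the `self.uci:save(config)` loop and the post-parse `if not self.save then self.state = FORM_INVALID` branch. If `Node.parse` clears `self.save` on a validation failure (which the structure of the removed code suggests, though that code is outside this hunk), an invalid form's values are now written to UCI and reported as FORM_VALID or FORM_CHANGED rather than FORM_INVALID. Keeping `if self.save then` around the save/commit section and changing the final selection to `if not self.save then self.state = FORM_INVALID elseif self.proceed then` would restore the old contract while keeping the new pre-parse bail-out. The `self.readinput` assignment and the `on_parse` hook are now also skipped on the FORM_NODATA path; that may be intended, but a one-line comment saying so would help the next reader.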
diff --git a/modules/luci-base/luasrc/controller/admin/servicectl.lua b/modules/luci-base/luasrc/controller/admin/servicectl.lua
index 5b855cb24b..1d73eb4ecc 100644
--- a/modules/luci-base/luasrc/controller/admin/servicectl.lua
+++ b/modules/luci-base/luasrc/controller/admin/servicectl.lua
@@ -6,7 +6,7 @@ module("luci.controller.admin.servicectl", package.seeall)
function index()
entry({"servicectl"}, alias("servicectl", "status")).sysauth = "root"
entry({"servicectl", "status"}, call("action_status")).leaf = true
- entry({"servicectl", "restart"}, call("action_restart")).leaf = true
+ entry({"servicectl", "restart"}, post("action_restart")).leaf = true
end
function action_status()
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index 8b8d1fa349..5d9d1b0b1a 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -1,4 +1,5 @@
-- Copyright 2008 Steven Barth <steven@midlink.org>
+-- Copyright 2008-2015 Jo-Philipp Wich <jow@openwrt.org>
-- Licensed to the public under the Apache License 2.0.
local fs = require "nixio.fs"
@@ -284,6 +285,8 @@ function dispatch(request)
resource = luci.config.main.resourcebase;
ifattr = function(...) return _ifattr(...) end;
attr = function(...) return _ifattr(true, ...) end;
+ token = ctx.urltoken.stok;
+ url = build_url;
}, {__index=function(table, key)
if key == "controller" then
return build_url()
@@ -378,6 +381,20 @@ function dispatch(request)
end
end
+ if c and type(c.target) == "table" and c.target.post == true then
+ if http.getenv("REQUEST_METHOD") ~= "POST" then
+ http.status(405, "Method Not Allowed")
+ http.header("Allow", "POST")
+ return
+ end
+
+ if http.formvalue("token") ~= ctx.urltoken.stok then
+ http.status(403, "Forbidden")
+ luci.template.render("csrftoken")
+ return
+ end
+ end
+
if track.setgroup then
sys.process.setgroup(track.setgroup)
end
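Review bot: The comparison `if http.formvalue("token") ~= ctx.urltoken.stok then` is satisfied when both sides are nil, so a `post()` node that can be reached without a session token would accept a tokenless POST; where `stok` is assigned is not visible here, so this may be unreachable, but `if not ctx.urltoken.stok or http.formvalue("token") ~= ctx.urltoken.stok then` makes the intent explicit and costs nothing. The 405 branch exits after `http.header("Allow", "POST")` without rendering anything, which is fine for XHR callers but leaves a blank page for a browser; rendering the same error template as the 403 branch would be consistent. `dispatch` starts and ends outside this hunk.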
@@ -703,6 +720,16 @@ function call(name, ...)
return {type = "call", argv = {...}, name = name, target = _call}
end
+function post(name, ...)
+ return {
+ type = "call",
+ post = true,
+ argv = { ... },
+ name = name,
+ target = _call
+ }
+end
+
local _template = function(self, ...)
require "luci.template".render(self.view)
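Review bot: `post()` is undocumented, and the only thing distinguishing it from `call()` is the `post = true` flag that `dispatch` checks, so a reader of this file alone cannot tell what the flag buys. A header comment such as `-- Like call(), but dispatch() only invokes the target for a POST request that carries the session's form token; other methods get 405 and a bad or missing token gets 403.` would tie the two hunks together. The returned table keeps `type = "call"`, which is worth a word too, since the node is still treated as a call target everywhere else.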
@@ -717,6 +744,15 @@ local function _cbi(self, ...)
local cbi = require "luci.cbi"
local tpl = require "luci.template"
local http = require "luci.http"
+ local disp = require "luci.dispatcher"
+
+ if http.formvalue("cbi.submit") == "1" and
+ http.formvalue("token") ~= disp.context.urltoken.stok
+ then
+ http.status(403, "Forbidden")
+ luci.template.render("csrftoken")
+ return
+ end
local config = self.config or {}
local maps = cbi.load(self.model, ...)
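Review bot: The token check added here in `_cbi` is duplicated verbatim in the `_form` hunk below, and both render the error page through the global `luci.template.render` although `tpl` (the local `require "luci.template"`) is already in scope two lines above. Pulling the check into one local helper removes the duplication and keeps the rejection rule in a single place; the `require "luci.dispatcher"` inside dispatcher.lua itself looks odd but is kept below since I cannot see whether `context` is reachable directly at this point. Both enclosing functions continue past their hunks.
```lua
-- Shared by _cbi and _form: a CBI submission must carry the session's token.
local function _csrf_ok(http)
	local disp = require "luci.dispatcher"
	return http.formvalue("cbi.submit") ~= "1" or
	       http.formvalue("token") == disp.context.urltoken.stok
end

local function _cbi(self, ...)
	-- … unchanged: cbi/tpl/http requires …
	if not _csrf_ok(http) then
		http.status(403, "Forbidden")
		tpl.render("csrftoken")
		return
	end
	-- … unchanged: config/maps loading and the rest of _cbi …
```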
@@ -834,6 +870,15 @@ local function _form(self, ...)
local cbi = require "luci.cbi"
local tpl = require "luci.template"
local http = require "luci.http"
+ local disp = require "luci.dispatcher"
+
+ if http.formvalue("cbi.submit") == "1" and
+ http.formvalue("token") ~= disp.context.urltoken.stok
+ then
+ http.status(403, "Forbidden")
+ luci.template.render("csrftoken")
+ return
+ end
local maps = luci.cbi.load(self.model, ...)
local state = nil
diff --git a/modules/luci-base/luasrc/sys/zoneinfo/tzdata.lua b/modules/luci-base/luasrc/sys/zoneinfo/tzdata.lua
index b109c712ec..ff13b1ccd2 100644
--- a/modules/luci-base/luasrc/sys/zoneinfo/tzdata.lua
+++ b/modules/luci-base/luasrc/sys/zoneinfo/tzdata.lua
@@ -105,6 +105,7 @@ TZ = {
{ 'America/Edmonton', 'MST7MDT,M3.2.0,M11.1.0' },
{ 'America/Eirunepe', 'ACT5' },
{ 'America/El Salvador', 'CST6' },
+ { 'America/Fort Nelson', 'MST7' },
{ 'America/Fortaleza', 'BRT3' },
{ 'America/Glace Bay', 'AST4ADT,M3.2.0,M11.1.0' },
{ 'America/Godthab', 'WGT3WGST,M3.5.0/-2,M10.5.0/-1' },
@@ -388,7 +389,7 @@ TZ = {
{ 'Pacific/Efate', 'VUT-11' },
{ 'Pacific/Enderbury', 'PHOT-13' },
{ 'Pacific/Fakaofo', 'TKT-13' },
- { 'Pacific/Fiji', 'FJT-12FJST,M11.1.0,M1.3.4/75' },
+ { 'Pacific/Fiji', 'FJT-12FJST,M11.1.0,M1.3.0/3' },
{ 'Pacific/Funafuti', 'TVT-12' },
{ 'Pacific/Galapagos', 'GALT6' },
{ 'Pacific/Gambier', 'GAMT9' },
@@ -404,7 +405,7 @@ TZ = {
{ 'Pacific/Midway', 'SST11' },
{ 'Pacific/Nauru', 'NRT-12' },
{ 'Pacific/Niue', 'NUT11' },
- { 'Pacific/Norfolk', 'NFT-11:30' },
+ { 'Pacific/Norfolk', 'NFT-11' },
{ 'Pacific/Noumea', 'NCT-11' },
{ 'Pacific/Pago Pago', 'SST11' },
{ 'Pacific/Palau', 'PWT-9' },
diff --git a/modules/luci-base/luasrc/sys/zoneinfo/tzoffset.lua b/modules/luci-base/luasrc/sys/zoneinfo/tzoffset.lua
index f156f3663a..53c8adbc69 100644
--- a/modules/luci-base/luasrc/sys/zoneinfo/tzoffset.lua
+++ b/modules/luci-base/luasrc/sys/zoneinfo/tzoffset.lua
@@ -152,7 +152,7 @@ OFFSET = {
sst = -39600, -- SST
nrt = 43200, -- NRT
nut = -39600, -- NUT
- nft = 41400, -- NFT
+ nft = 39600, -- NFT
nct = 39600, -- NCT
pwt = 32400, -- PWT
pont = 39600, -- PONT
diff --git a/modules/luci-base/luasrc/view/cbi/apply_xhr.htm b/modules/luci-base/luasrc/view/cbi/apply_xhr.htm
index 1814c9393b..daa57c1db7 100644
--- a/modules/luci-base/luasrc/view/cbi/apply_xhr.htm
+++ b/modules/luci-base/luasrc/view/cbi/apply_xhr.htm
@@ -4,10 +4,10 @@
<script type="text/javascript">//<![CDATA[
var apply_xhr = new XHR();
- apply_xhr.get('<%=luci.dispatcher.build_url("servicectl", "restart", table.concat(configs, ","))%>', null,
+ apply_xhr.post('<%=url('servicectl/restart', table.concat(configs, ","))%>', { token: '<%=token%>' },
function() {
var checkfinish = function() {
- apply_xhr.get('<%=luci.dispatcher.build_url("servicectl", "status")%>', null,
+ apply_xhr.get('<%=url('servicectl/status')%>', null,
function(x) {
if( x.responseText == 'finish' )
{
diff --git a/modules/luci-base/luasrc/view/cbi/browser.htm b/modules/luci-base/luasrc/view/cbi/browser.htm
index e4a4077d55..a18120141d 100644
--- a/modules/luci-base/luasrc/view/cbi/browser.htm
+++ b/modules/luci-base/luasrc/view/cbi/browser.htm
@@ -2,6 +2,6 @@
<%+cbi/valueheader%>
<input class="cbi-input-text" type="text"<%= attr("value", v) .. attr("name", cbid) .. attr("id", cbid) %> />
<script type="text/javascript">
-cbi_browser_init('<%=cbid%>', '<%=resource%>', '<%=luci.dispatcher.build_url("admin", "filebrowser")%>'<%=self.default_path and ", '"..self.default_path.."'"%>);
+cbi_browser_init('<%=cbid%>', '<%=resource%>', '<%=url('admin/filebrowser')%>'<%=self.default_path and ", '"..self.default_path.."'"%>);
</script>
<%+cbi/valuefooter%>
diff --git a/modules/luci-base/luasrc/view/cbi/error.htm b/modules/luci-base/luasrc/view/cbi/error.htm
index 2acb96924e..75ec1082aa 100644
--- a/modules/luci-base/luasrc/view/cbi/error.htm
+++ b/modules/luci-base/luasrc/view/cbi/error.htm
@@ -1,5 +1,5 @@
<div class="cbi-map" id="cbi-<%=self.config%>">
- <% if self.title and #self.title > 0 then %><h2><a id="content" name="content"><%=self.title%></a></h2><% end %>
+ <% if self.title and #self.title > 0 then %><h2 name="content"><%=self.title%></h2><% end %>
<% if self.description and #self.description > 0 then %><div class="cbi-map-descr"><%=self.description%></div><% end %>
<p class="alert-message danger">
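Review bot: `<h2 name="content">` replaces the `<a id="content" name="content">` anchor, but `name` is not a valid attribute on `h2` and browsers do not treat it as a fragment target, so any `#content` skip link or bookmark stops working; `<h2 id="content">` keeps the anchor on the heading without the extra element. The same replacement appears in the map.htm, simpleform.htm, error404.htm, error500.htm and sysauth.htm hunks, and the new csrftoken.htm introduces the same `<h2 name="content">`.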
diff --git a/modules/luci-base/luasrc/view/cbi/header.htm b/modules/luci-base/luasrc/view/cbi/header.htm
index 2bddaba61a..302df1d2fd 100644
--- a/modules/luci-base/luasrc/view/cbi/header.htm
+++ b/modules/luci-base/luasrc/view/cbi/header.htm
@@ -2,6 +2,7 @@
<form method="post" name="cbi" action="<%=REQUEST_URI%>" enctype="multipart/form-data" onreset="return cbi_validate_reset(this)" onsubmit="return cbi_validate_form(this, '<%:Some fields are invalid, cannot save values!%>')">
<div>
<script type="text/javascript" src="<%=resource%>/cbi.js"></script>
+ <input type="hidden" name="token" value="<%=token%>" />
<input type="hidden" name="cbi.submit" value="1" />
<input type="submit" value="<%:Save%>" class="hidden" />
</div>
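Review bot: The hidden field `<input type="hidden" name="token" value="<%=token%>" />` emits the token through `<%= %>`, which does not HTML-escape (the explicit `pcdata(...)` around REQUEST_URI in the sysauth.htm hunk shows escaping is done by hand in these templates); if the token is always alphanumeric this is harmless, but `value="<%=pcdata(token)%>"` holds up if the token format ever changes. The identical line added to simpleform.htm has the same shape, and apply_xhr.htm embeds the token inside a JavaScript string literal `'<%=token%>'`, where a quote or backslash in the token would break the script rather than the markup. The enclosing form markup starts and ends outside this hunk.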
diff --git a/modules/luci-base/luasrc/view/cbi/map.htm b/modules/luci-base/luasrc/view/cbi/map.htm
index 053220d185..e90c3f589f 100644
--- a/modules/luci-base/luasrc/view/cbi/map.htm
+++ b/modules/luci-base/luasrc/view/cbi/map.htm
@@ -5,7 +5,7 @@
<%-+cbi/apply_xhr-%>
<div class="cbi-map" id="cbi-<%=self.config%>">
- <% if self.title and #self.title > 0 then %><h2><a id="content" name="content"><%=self.title%></a></h2><% end %>
+ <% if self.title and #self.title > 0 then %><h2 name="content"><%=self.title%></h2><% end %>
<% if self.description and #self.description > 0 then %><div class="cbi-map-descr"><%=self.description%></div><% end %>
<%- if firstmap and applymap then cbi_apply_xhr(self.config, parsechain, redirect) end -%>
<%- self:render_children() %>
diff --git a/modules/luci-base/luasrc/view/cbi/simpleform.htm b/modules/luci-base/luasrc/view/cbi/simpleform.htm
index 5216cd50f1..78f5c5a544 100644
--- a/modules/luci-base/luasrc/view/cbi/simpleform.htm
+++ b/modules/luci-base/luasrc/view/cbi/simpleform.htm
@@ -2,11 +2,12 @@
<form method="post" enctype="multipart/form-data" action="<%=REQUEST_URI%>">
<div>
<script type="text/javascript" src="<%=resource%>/cbi.js"></script>
+ <input type="hidden" name="token" value="<%=token%>" />
<input type="hidden" name="cbi.submit" value="1" />
</div>
<% end %>
<div class="cbi-map" id="cbi-<%=self.config%>">
- <% if self.title and #self.title > 0 then %><h2><a id="content" name="content"><%=self.title%></a></h2><% end %>
+ <% if self.title and #self.title > 0 then %><h2 name="content"><%=self.title%></h2><% end %>
<% if self.description and #self.description > 0 then %><div class="cbi-map-descr"><%=self.description%></div><% end %>
<% self:render_children() %>
<br />
diff --git a/modules/luci-base/luasrc/view/csrftoken.htm b/modules/luci-base/luasrc/view/csrftoken.htm
new file mode 100644
index 0000000000..57ac03f3bf
--- /dev/null
+++ b/modules/luci-base/luasrc/view/csrftoken.htm
@@ -0,0 +1,24 @@
+<%#
+ Copyright 2015 Jo-Philipp Wich <jow@openwrt.org>
+ Licensed to the public under the Apache License 2.0.
+-%>
+
+<%+header%>
+
+<h2 name="content"><%:Form token mismatch%></h2>
+<br />
+
+<p class="alert-message"><%:The submitted security token is invalid or already expired!%></p>
+
+<p><%:
+ In order to prevent unauthorized access to the system, your request has
+ been blocked. Click "Continue »" below to return to the previous page.
+%></p>
+
+<hr />
+
+<p class="right">
+ <strong><a href="#" onclick="window.history.back();">Continue »</a></strong>
+</p>
+
+<%+footer%>
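Review bot: The link label `Continue »` on the `<a href="#" onclick="window.history.back();">` line is the only visible string in the new template not wrapped in `<%: %>`, unlike the heading and paragraphs above it, so it will not be translated; `<%:Continue%> »` brings it in line, and the paragraph that quotes the label should then be kept in sync. Going back through history returns the user to the form that carried the rejected token; if the token is tied to the session, the cached page may still hold the old value and a resubmit will fail the same way, so a hint to reload the page would be useful, though I cannot confirm the token lifetime from this diff.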
diff --git a/modules/luci-base/luasrc/view/error404.htm b/modules/luci-base/luasrc/view/error404.htm
index c2be29ed58..bc74226830 100644
--- a/modules/luci-base/luasrc/view/error404.htm
+++ b/modules/luci-base/luasrc/view/error404.htm
@@ -5,7 +5,7 @@
-%>
<%+header%>
-<h2><a id="content" name="content">404 <%:Not Found%></a></h2>
+<h2 name="content">404 <%:Not Found%></h2>
<p><%:Sorry, the object you requested was not found.%></p>
<tt><%:Unable to dispatch%>: <%=luci.http.request.env.PATH_INFO%></tt>
<%+footer%>
diff --git a/modules/luci-base/luasrc/view/error500.htm b/modules/luci-base/luasrc/view/error500.htm
index 8fb18ed076..34a52cda84 100644
--- a/modules/luci-base/luasrc/view/error500.htm
+++ b/modules/luci-base/luasrc/view/error500.htm
@@ -5,7 +5,7 @@
-%>
<%+header%>
-<h2><a id="content" name="content">500 <%:Internal Server Error%></a></h2>
+<h2 name="content">500 <%:Internal Server Error%></h2>
<p><%:Sorry, the server encountered an unexpected error.%></p>
<pre class="error500"><%=message%></pre>
<%+footer%>
diff --git a/modules/luci-base/luasrc/view/sysauth.htm b/modules/luci-base/luasrc/view/sysauth.htm
index 7f0f0a622b..e207504911 100644
--- a/modules/luci-base/luasrc/view/sysauth.htm
+++ b/modules/luci-base/luasrc/view/sysauth.htm
@@ -8,7 +8,7 @@
<form method="post" action="<%=pcdata(luci.http.getenv("REQUEST_URI"))%>">
<div class="cbi-map">
- <h2><a id="content" name="content"><%:Authorization Required%></a></h2>
+ <h2 name="content"><%:Authorization Required%></h2>
<div class="cbi-map-descr">
<%:Please enter your username and password.%>
<%- if fuser then %>