Age | Commit message | Author
2018-04-06 | luci-mod-admin-full: dispatch SimpleForm models using the form() action | Jo-Philipp Wich
This fixes issues discovered by check-controllers.sh
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-06 | luci-mod-freifunk: dispatch SimpleForm model using the form() action | Jo-Philipp Wich
This fixes issues discovered by check-controllers.sh
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-06 | luci-app-dnscrypt-proxy: dispatch SimpleForm models using the form() action | Jo-Philipp Wich
This fixes issues discovered by check-controllers.sh
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-06 | luci-app-wol: dispatch SimpleForm model using the form() action | Jo-Philipp Wich
This fixes issues discovered by check-controllers.sh
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-06 | luci-app-firewall: dispatch SimpleForm model using the form() action | Jo-Philipp Wich
This fixes issues discovered by check-controllers.sh
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-06 | luci-app-unbound: dispatch SimpleForm models using the form() action | Jo-Philipp Wich
This fixes issues discovered by check-controllers.sh
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-06 | luci-base: emit a warning if cbi() delegates a SimpleForm instance | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-06 | build: add check-controller.sh, a utility to test controller files | Jo-Philipp Wich
The main purpose of the script is to check if the module declaration matches and if associated cbi resources are properly referenced.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-06 | luci-app-mwan3: fix legacy uci api usage | Jo-Philipp Wich
Explicitly require libuci-lua in model classes that use legacy /var/state cursor handling. Also add a specific dependency on libuci-lua to the luci-app-mwan3 Makefile in preparation of the upcoming default removal of libuci-lua. Finally fix the post data dispatching on the notification tab, see #1722 for reference.
Fixes #1726.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-06 | luci-base: implement luci.model.uci.get_state() | Jo-Philipp Wich
Introduce a get_state() function which can be used to access legacy uci state variables. This is usually not needed anymore but some packages (mainly mwan3) still rely on this.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-06 | luci-proto-ipv6: clarify 6in4 local address hint | Jo-Philipp Wich
Make the hint message more explicit to tell users that the prefix size needs to be specified as well.
Fixes #1559.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-06 | luci-mod-rpc: rework authentication and session handling | Jo-Philipp Wich
- Use the ubus session.login procedure to authenticate credentials
- Fix testing of allowed usernames
- Support authentication via sysauth cookie
Fixes #1300, #1700, #1711
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-06 | luci-mod-admin-full: fix request path access in uci controller | Jo-Philipp Wich
Fixes #1725
Fixes 731ed77c0 ("treewide: improve handling of page redirections in uci change views")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05 | luci-mod-admin-full: escape display parameter | Jo-Philipp Wich
Prevent reflected XSS through the reset button by url encoding the display parameter.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05 | treewide: improve handling of page redirections in uci change views | Jo-Philipp Wich
Instead of passing the full LuCI request url, pass the relative resolved request path instead and filter the received value through the lookup() dispatcher function to only allow paths to actual internal pages.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05 | luci-base: introduce luci.dispatcher.lookup() | Jo-Philipp Wich
The lookup function takes multiple, possibly malformed path fragments, splits them on slashes, constructs a temporary path and looks up the result in the dispatch tree. If a matching node has been found, the function will return both the node reference and the canonical url to it. If no corresponding node is found, the function returns nil.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05 | Merge pull request #1723 from dibdot/travelmate | Dirk Brenken
luci-app-travelmate: bugfixes
2018-04-05 | luci-app-travelmate: bugfixes | Dirk Brenken
* use the form() action to invoke the SimpleForm models
* fix 'wifi_add' input form
Signed-off-by: Dirk Brenken <dev@brenken.org>
2018-04-05 | luci-app-adblock: fix SimpleForm page delegation | Jo-Philipp Wich
Invoke the SimpleForm models using the form() action, not the cbi() ones. This avoids the extraneous rendering of the cbi header template, avoiding rejected save operations due to duplicated token value.
Fixes #1722.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05 | Merge pull request #1718 from dibdot/travelmate | Dirk Brenken
luci-app-travelmate: sync with travelmate 1.2.0
2018-04-05 | Merge pull request #1709 from dibdot/get_interface-fix | Jo-Philipp Wich
luci-base/network.lua: fix get_interface function
2018-04-05 | treewide: filter shell arguments through shellquote() where applicable | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05 | luci-base: introduce luci.util.shellquote() | Jo-Philipp Wich
Introduce a new function luci.util.shellquote() which encloses the given string argument in single quotes and escapes any embedded single quote characters. This function is intended to be used when interpolating untrusted input into shell commands.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05 | luci-mod-admin-full: fix possible shell injection in bandwidth status | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05 | luci-base: fix possible shell injection in luci.tools.status.switch_status() | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05 | luci-base: dispatcher: reject non-POST requests with any cbi.submit value | Jo-Philipp Wich
Due to the fact that luci.model.cbi reacts to any "cbi.submit" value while the dispatcher only required POST for cbi.submit == 1, the CSRF token protection could be bypassed.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04 | luci-app-freifunk-diagnostics: use FULL_REQUEST_URI | Jo-Philipp Wich
Switch from using the REQUEST_URI CGI variable directly to the canonicalized FULL_REQUEST_URI property.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04 | luci-app-commands: use FULL_REQUEST_URI | Jo-Philipp Wich
Switch from using the REQUEST_URI CGI variable directly to the canonicalized FULL_REQUEST_URI property.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04 | luci-base: use FULL_REQUEST_URI on login form templates | Jo-Philipp Wich
Switch from using the REQUEST_URI CGI variable directly to the canonicalized FULL_REQUEST_URI property.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04 | luci-base: add FULL_REQUEST_URI template property | Jo-Philipp Wich
Introduce a new template property FULL_REQUEST_URI which returns the full canonicalized request URL built from SCRIPT_NAME, PATH_INFO and QUERY_STRING. This new property is safer to use compared to using the raw REQUEST_URI CGI environment variable directly as this value is essentially untrusted user input which may contain embedded escaped slashes, double forward slashes and other oddities allowing XSS exploitation or request redirection.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04 | luci-mod-admin-full: use strict hostname validation for dhcp hosts | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04 | luci-base: add a strict flag to the hostname validator | Jo-Philipp Wich
Some applications, e.g. dnsmasq, do not allow hostnames starting with an underscore, therefore extend the existing hostname datatype validator with a `strict` flag which disallows a leading underscore.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04 | luci-base: switch to ubus uci operations | Jo-Philipp Wich
Switch luci.model.uci to use ubus uci calls instead of driving libuci-lua directly. This prepares support for more advanced features such as per-session change isolation and configuration rollback on errors.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04 | luci-app-travelmate: sync with travelmate 1.2.0 | Dirk Brenken
* remove needless 'automatic' and 'trigger' options plus small fixes
Signed-off-by: Dirk Brenken <dev@brenken.org>
2018-04-03 | Merge pull request #1715 from TDT-AG/pr/20180403-luci-app-mwan3-update | Hannu Nyman
luci-app-mwan3: fixes and improvements
2018-04-03 | luci-app-mwan3: remove unnecessary 'tracking active' hint | Florian Eckert
Remove the unnecessary 'tracking active' hint from the status interface page.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-04-03 | luci-app-mwan3: remove diag-rc-legend field id | Florian Eckert
On the material theme the "Collecting data" hint in the status pages was still present on the page even though the command was successfully executed. Removing the legend tag and moving the info "Collecting data" to the "diag-rc-output" tag will solve this issue.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-04-03 | luci-app-mwan3: calculate max interface usage from mmx_mask value | Florian Eckert
Show max interface value on interface page dependent on the mmx_mask value
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-04-02 | luci-base: zh_CN: update Simplified Chinese translation | Qian Zheng
Signed-off-by: Qian Zheng <sotux82@gmail.com>
2018-03-31 | luci-base/network.lua: fix get_interface function | Dirk Brenken
* fix wrong private function call to handle section id as parameter (fix for #1687)
Signed-off-by: Dirk Brenken <dev@brenken.org>
2018-03-29 | Merge pull request #1706 from musashino205/l10n/tmate-upd-ja | Hannu Nyman
luci-app-travelmate: update Japanese translation
2018-03-29 | luci-app-travelmate: update Japanese translation | INAGAKI Hiroshi
Updated Japanese translations.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2018-03-29 | i18n: sync translations | INAGAKI Hiroshi
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2018-03-28 | Merge pull request #1703 from dibdot/travelmate | Dirk Brenken
luci-app-travelmate: made "ignore bssid" flag conditional
2018-03-28 | Merge pull request #1704 from TDT-AG/pr/20180328-luci-app-mwan3-fixes | Dirk Brenken
luci-app-mwan3: fix syntax error and update notify page
2018-03-28 | luci-app-mwan3: update notify info | Florian Eckert
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-03-28 | luci-app-mwan3: fix strict XHTML syntax error | Florian Eckert
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-03-28 | luci-app-travelmate: made "ignore bssid" flag conditional | Dirk Brenken
* made the "ignore bssid" flag conditional to ease connection to hidden networks:
  * default for hidden networks "disabled"
  * default for all others "enabled"
Signed-off-by: Dirk Brenken <dev@brenken.org>
2018-03-27 | Merge pull request #1697 from TDT-AG/pr/20180323-luci-base-fix-tblsection | Dirk Brenken
luci-base: add missing colspan in tblsection if table is empty
2018-03-27 | luci-base: fix colspans calculation in tblsection | Florian Eckert
Signed-off-by: Florian Eckert <fe@dev.tdt.de>