Age | Commit message (Collapse) | Author |
|
Rewrite affected code to use luci.model.uci in order to avoid the need for
using libuci-lua directly.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
There is no direct user of the libuci-lua api, just some commented out code.
Rewrite the commented code to use the Map's uci cursor and remove the
explicit require.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Properly propagate the config parameter to the foreach iterator in order
to fix get_first() lookups.
Fixes #1734.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
luci-app-advanced-reboot & luci-app-vpnbypass: fix uci require for ma…
|
|
Signed-off-by: Stan Grishin <stangri@melmac.net>
|
|
Prevent various XSS vectors by not interpolating field and path values
verbatim into script and html contexts.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Fixes c0d9c4f3c ("treewide: filter shell arguments through shellquote() where applicable")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Partially fix the fallout from the recent string changes.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
|
|
luci-app-mwan3: fix translation and update defaults
|
|
luci-app-travelmate: bring back cbi element to wifi_add.lua
|
|
* b00b676 fixed the cbi initialization for SimpleForm, therefore bring
back "Ignore BSSID" flag with dependent input field
Signed-off-by: Dirk Brenken <dev@brenken.org>
|
|
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
|
|
Update hint in the interface page.
Update hint in the policy page.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
|
|
This fixes issues dicovered by check-controllers.sh
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
This fixes issues dicovered by check-controllers.sh
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
This fixes issues dicovered by check-controllers.sh
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
This fixes issues dicovered by check-controllers.sh
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
This fixes issues dicovered by check-controllers.sh
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
This fixes issues dicovered by check-controllers.sh
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
The main purpose of the script is to check if the module declaration
matches and if associated cbi resources are properly referenced.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Explicitely require libuci-lua in model classes that use legacy /var/state
cursor handling.
Also add a specific dependency on libuci-lua to the luci-app-mwan3
Makefile in preparation of the upcoming default removal of libuci-lua.
Finally fix the post data dispatching on the notification tab, see #1722
for reference.
Fixes #1726.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Introduce a get_state() function which can be used to access legacy
uci state variables. This is usually not needed anymore but some
packages (mainly mwan3) still rely on this.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Make the hint message more explicit to tell users that the prefix size needs
to be specified as well.
Fixes #1559.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
- Use the ubus session.login procedure to authenticate credentials
- Fix testing of allowed usernames
- Support authentication via sysauth cookie
Fixes #1300, #1700, #1711
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Fixes #1725
Fixes 731ed77c0 ("treewide: improve handling of page redirections in uci change views")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Prevent reflected XSS through the reset button by url encoding the
display parameter.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Instead of passing the full LuCI request url, pass the relative resolved
request path instead and filter the received value through the lookup()
dispatcher function to only allow paths to actual internal pages.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
The lookup function takes multiple, possibly malformed path fragments,
splits them on slashes, constructs a temporary path and looks up the
result in the dispatch tree.
If a matching node has been found, the function will return both the
node reference and the canonical url to it.
If no corresponding node is found, the function returns nil.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
luci-app-travelmate: bugfixes
|
|
* use the form() action to invoke the SimpleForm models
* fix 'wifi_add' input form
Signed-off-by: Dirk Brenken <dev@brenken.org>
|
|
Invoke the SimpleForm models using the form() action, not the cbi() ones.
This avoids the extraneous rendering of the cbi header template, avoiding
rejected save operations due to duplicated token value.
Fixes #1722.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
luci-app-travelmate: sync with travelmate 1.2.0
|
|
luci-base/network.lua: fix get_interface function
|
|
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Introduce a new function luci.util.shellquote() which encloses the given
string argument in single quotes and escapes any embedded single quote
characters.
This function is intended to be used when interpolating untrusted input
into shell commands.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Due to the fact that luci.model.cbi reacts on any "cbi.submit" value while
the dispatcher only required POST for cbi.submit == 1, the CSRF token
protection could be bypassed.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Switch from using the REQUEST_URI CGI variable directly to the canonicalized
FULL_REQUEST_URI property.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Switch from using the REQUEST_URI CGI variable directly to the canonicalized
FULL_REQUEST_URI property.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Switch from using the REQUEST_URI CGI variable directly to the canonicalized
FULL_REQUEST_URI property.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Introduce a new template property FULL_REQUEST_URI which returns the full
canonicalized request URL built from SCRIPT_NAME, PATH_INFO and QUERY_STRING.
This new property is safer to use compared to using the raw REQUEST_URI CGI
environment variable directly as this value is essentially untrusted user
input which may contain embedded escaped slashes, double forward slashes and
other oddities allowing XSS exploitation or request redirection.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Some applications, e.g. dnsmasq, do not allow hostnames starting with an
underscore, therefor extend the existing hostname datatype validator with
a `strict` which disallows a leading underscore.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Switch luci.model.uci to use ubus uci calls instead of driving libuci-lua
directly.
This prepares support for more advanced features such as per-session change
isolation and configuration rollback on errors.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
* remove needless 'automatic' and 'trigger' options plus small fixes
Signed-off-by: Dirk Brenken <dev@brenken.org>
|
|
luci-app-mwan3: fixes and improvments
|
|
Remove the unnecessary 'tracking active' hint from the status interface
page.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
|