Age | Commit message | Author
2018-04-10 | luci-base: don't propagate null bytes in path information | Jo-Philipp Wich
It is possible to inject unescaped markup using a double encoded null byte via PATH_INFO on certain leaf nodes. Since there is no legitimate reason to handle null bytes in any part of the requested url, simply skip over such bytes when parsing the PATH_INFO value.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-10 | luci-base: add urldecode() and urlencode() C implementations | Jo-Philipp Wich
The C implementations of urlencode and urldecode are considerably faster than their current Lua counterparts. On an AMD Geode system, the C variant is up to ten times faster when decoding strings and up to four times faster when encoding them. The functions are also designed to only allocate new strings when any actual changes are required, otherwise they reuse the existing input strings, reducing the overall memory usage somewhat.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-09 | luci-mod-admin-full: limit dns cachesize to 10000 | Marc Benoit
The value of cachesize is hardcoded to 10000 max in dnsmasq-2.79/src/option.c:

    case 'c': /* --cache-size */
      {
        int size;

        if (!atoi_check(arg, &size))
          ret_err(gen_err);
        else
          {
            /* zero is OK, and means no caching. */
            if (size < 0)
              size = 0;
            else if (size > 10000)
              size = 10000;

            daemon->cachesize = size;
          }
        break;
      }

Tested on Netgear R7800
Signed-off-by: Marc Benoit <marcb62185@gmail.com>

2018-04-09 | Merge pull request #1741 from dibdot/mwan-fix | Hannu Nyman
luci-app-mwan3: bugfix

2018-04-09 | luci-mod-admin-full: allow setting dns cachesize | Marc Benoit
In the case of more powerful routers the default cachesize value == 150 is too small and can easily be extended to 1,000's and 10,000's of entries. It makes sense to make it easily configurable.
Tested on Netgear R7800
Signed-off-by: Marc Benoit <marcb62185@gmail.com>
Fix whitespace, edit the proposed help text.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

2018-04-09 | luci-app-mwan3: bugfix | Dirk Brenken
* make use of luci.model.uci to fix #1740
Signed-off-by: Dirk Brenken <dev@brenken.org>

2018-04-09 | luci-base: consider empty parameters as well when testing POST requirement | Jo-Philipp Wich
The cbi class will react on an empty "cbi.submit" parameter as well, so we must intercept GET requests using that too.
Fixes 186e690c0 ("luci-base: dispatcher: reject non-POST requests with any cbi.submit value")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-08 | i18n: sync translations | Hannu Nyman
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

2018-04-07 | timezone data: update to 2018d | Hannu Nyman
Update timezone data to 2018d
http://mm.icann.org/pipermail/tz-announce/2018-March/000049.html
In 2018, Palestine starts DST on March 24, not March 31. Adjust future predictions accordingly.
Casey Station in Antarctica changed from +11 to +08
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

2018-04-07 | luci-app-advanced-reboot: remove explicit libuci requirement | Jo-Philipp Wich
Rewrite affected code to use luci.model.uci in order to avoid the need for using libuci-lua directly.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-07 | luci-app-vpnbypass: remove explicit libuci requirement | Jo-Philipp Wich
There is no direct user of the libuci-lua api, just some commented out code. Rewrite the commented code to use the Map's uci cursor and remove the explicit require.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-07 | luci-base: fix luci.model.uci.get_first() | Jo-Philipp Wich
Properly propagate the config parameter to the foreach iterator in order to fix get_first() lookups.
Fixes #1734.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-07 | Merge pull request #1733 from stangri/master | Hannu Nyman
luci-app-advanced-reboot & luci-app-vpnbypass: fix uci require for ma…

2018-04-07 | luci-app-advanced-reboot & luci-app-vpnbypass: fix uci require for master | Stan Grishin
Signed-off-by: Stan Grishin <stangri@melmac.net>

2018-04-07 | luci-base: escape path strings and field parameter | Jo-Philipp Wich
Prevent various XSS vectors by not interpolating field and path values verbatim into script and html contexts.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-06 | luci-app-openvpn: quote grep expression in getPID() | Jo-Philipp Wich
Fixes c0d9c4f3c ("treewide: filter shell arguments through shellquote() where applicable")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-06 | luci-app-mwan: fix translation fallout | Hannu Nyman
Partially fix the fallout from the recent string changes.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

2018-04-06 | Merge pull request #1727 from TDT-AG/pr/20180406-luci-app-mwan3-changes | Hannu Nyman
luci-app-mwan3: fix translation and update defaults

2018-04-06 | Merge pull request #1730 from dibdot/travelmate | Dirk Brenken
luci-app-travelmate: bring back cbi element to wifi_add.lua

2018-04-06 | luci-app-travelmate: bring back cbi element to wifi_add.lua | Dirk Brenken
* b00b676 fixed the cbi initialization for SimpleForm, therefore bring back "Ignore BSSID" flag with dependent input field
Signed-off-by: Dirk Brenken <dev@brenken.org>

2018-04-06 | luci-base: properly initialize cbi.js on SimpleForms | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-06 | luci-app-mwan3: show default values in interface page if config is not found | Florian Eckert
Signed-off-by: Florian Eckert <fe@dev.tdt.de>

2018-04-06 | luci-app-mwan3: update translations | Florian Eckert
Update hint in the interface page.
Update hint in the policy page.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>

2018-04-06 | luci-mod-admin-full: dispatch SimpleForm models using the form() action | Jo-Philipp Wich
This fixes issues discovered by check-controllers.sh
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-06 | luci-mod-freifunk: dispatch SimpleForm model using the form() action | Jo-Philipp Wich
This fixes issues discovered by check-controllers.sh
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-06 | luci-app-dnscrypt-proxy: dispatch SimpleForm models using the form() action | Jo-Philipp Wich
This fixes issues discovered by check-controllers.sh
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-06 | luci-app-wol: dispatch SimpleForm model using the form() action | Jo-Philipp Wich
This fixes issues discovered by check-controllers.sh
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-06 | luci-app-firewall: dispatch SimpleForm model using the form() action | Jo-Philipp Wich
This fixes issues discovered by check-controllers.sh
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-06 | luci-app-unbound: dispatch SimpleForm models using the form() action | Jo-Philipp Wich
This fixes issues discovered by check-controllers.sh
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-06 | luci-base: emit a warning if cbi() delegates a SimpleForm instance | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-06 | build: add check-controller.sh, a utility to test controller files | Jo-Philipp Wich
The main purpose of the script is to check if the module declaration matches and if associated cbi resources are properly referenced.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-06 | luci-app-mwan3: fix legacy uci api usage | Jo-Philipp Wich
Explicitly require libuci-lua in model classes that use legacy /var/state cursor handling. Also add a specific dependency on libuci-lua to the luci-app-mwan3 Makefile in preparation of the upcoming default removal of libuci-lua.
Finally fix the post data dispatching on the notification tab, see #1722 for reference.
Fixes #1726.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-06 | luci-base: implement luci.model.uci.get_state() | Jo-Philipp Wich
Introduce a get_state() function which can be used to access legacy uci state variables. This is usually not needed anymore but some packages (mainly mwan3) still rely on this.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-06 | luci-proto-ipv6: clarify 6in4 local address hint | Jo-Philipp Wich
Make the hint message more explicit to tell users that the prefix size needs to be specified as well.
Fixes #1559.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-06 | luci-mod-rpc: rework authentication and session handling | Jo-Philipp Wich
- Use the ubus session.login procedure to authenticate credentials
- Fix testing of allowed usernames
- Support authentication via sysauth cookie
Fixes #1300, #1700, #1711
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-06 | luci-mod-admin-full: fix request path access in uci controller | Jo-Philipp Wich
Fixes #1725
Fixes 731ed77c0 ("treewide: improve handling of page redirections in uci change views")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-05 | luci-mod-admin-full: escape display parameter | Jo-Philipp Wich
Prevent reflected XSS through the reset button by url encoding the display parameter.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-05 | treewide: improve handling of page redirections in uci change views | Jo-Philipp Wich
Instead of passing the full LuCI request url, pass the relative resolved request path instead and filter the received value through the lookup() dispatcher function to only allow paths to actual internal pages.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-05 | luci-base: introduce luci.dispatcher.lookup() | Jo-Philipp Wich
The lookup function takes multiple, possibly malformed path fragments, splits them on slashes, constructs a temporary path and looks up the result in the dispatch tree. If a matching node has been found, the function will return both the node reference and the canonical url to it. If no corresponding node is found, the function returns nil.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-05 | Merge pull request #1723 from dibdot/travelmate | Dirk Brenken
luci-app-travelmate: bugfixes

2018-04-05 | luci-app-travelmate: bugfixes | Dirk Brenken
* use the form() action to invoke the SimpleForm models
* fix 'wifi_add' input form
Signed-off-by: Dirk Brenken <dev@brenken.org>

2018-04-05 | luci-app-adblock: fix SimpleForm page delegation | Jo-Philipp Wich
Invoke the SimpleForm models using the form() action, not the cbi() ones. This avoids the extraneous rendering of the cbi header template, avoiding rejected save operations due to duplicated token value.
Fixes #1722.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-05 | Merge pull request #1718 from dibdot/travelmate | Dirk Brenken
luci-app-travelmate: sync with travelmate 1.2.0

2018-04-05 | Merge pull request #1709 from dibdot/get_interface-fix | Jo-Philipp Wich
luci-base/network.lua: fix get_interface function

2018-04-05 | treewide: filter shell arguments through shellquote() where applicable | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-05 | luci-base: introduce luci.util.shellquote() | Jo-Philipp Wich
Introduce a new function luci.util.shellquote() which encloses the given string argument in single quotes and escapes any embedded single quote characters. This function is intended to be used when interpolating untrusted input into shell commands.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-05 | luci-mod-admin-full: fix possible shell injection in bandwidth status | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-05 | luci-base: fix possible shell injection in luci.tools.status.switch_status() | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-05 | luci-base: dispatcher: reject non-POST requests with any cbi.submit value | Jo-Philipp Wich
Due to the fact that luci.model.cbi reacts on any "cbi.submit" value while the dispatcher only required POST for cbi.submit == 1, the CSRF token protection could be bypassed.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2018-04-04 | luci-app-freifunk-diagnostics: use FULL_REQUEST_URI | Jo-Philipp Wich
Switch from using the REQUEST_URI CGI variable directly to the canonicalized FULL_REQUEST_URI property.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>