Age | Commit message | Author |
|
Support a new boolean property `cors` which - if set to true - causes the
dispatcher to positively answer CORS OPTIONS requests after authentication
without actually running the dispatching target.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
This 404 error template rendering has been broken for a long time due to bad
function environment level in luci.template when invoking the rendering from
the toplevel dispatcher context.
Fix this issue by adding a local function indirection, essentially adding an
additional stack frame.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
It is possible to inject unescaped markup using a double encoded null byte
via PATH_INFO on certain leaf nodes.
Since there is no legitimate reason to handle null bytes in any part of the
requested url, simply skip over such bytes when parsing the PATH_INFO value.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
The cbi class will react on an empty "cbi.submit" parameter as well so we
must intercept GET requests using that too.
Fixes 186e690c0 ("luci-base: dispatcher: reject non-POST requests with any cbi.submit value")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
The lookup function takes multiple, possibly malformed path fragments,
splits them on slashes, constructs a temporary path and looks up the
result in the dispatch tree.
If a matching node has been found, the function will return both the
node reference and the canonical url to it.
If no corresponding node is found, the function returns nil.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
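The two dispatcher changes above, the lookup helper in this commit and the null-byte skipping described in the earlier "double encoded null byte via PATH_INFO" commit, modelled as a stand-alone Python example. This is an added illustration, not LuCI's Lua code: the node cache, its fields, the script name and the assumption that the web server has already percent-decoded the path once (so a double encoded `%2500` arrives here as `%00`) are all constructed for the example.

```python
from urllib.parse import unquote

SCRIPT_NAME = "/cgi-bin/luci"   # assumption: base url of the dispatcher

# Constructed stand-in for the dispatcher's node cache, keyed by the dotted
# node path.  Assumption: only "leaf" matters for lookup; a leaf node accepts
# trailing path arguments, a non-leaf node must be matched exactly.
TREECACHE = {
    "admin":                      {"target": "firstchild", "leaf": False},
    "admin.status":               {"target": "template",   "leaf": False},
    "admin.network":              {"target": "firstchild", "leaf": False},
    "admin.network.iface_status": {"target": "call",       "leaf": True},
}


def split_fragments(*fragments):
    """Split possibly malformed fragments on slashes and drop empty pieces.

    Each piece is percent-decoded once more (assumption: the server already
    decoded PATH_INFO once, so a double encoded %2500 shows up here as %00)
    and every NUL byte, raw or decoded, is skipped outright: no legitimate
    url contains one, and letting it through is how a NUL reaches a handler
    or template unescaped.
    """
    segments = []
    for fragment in fragments:
        for piece in str(fragment).split("/"):
            piece = unquote(piece).replace("\x00", "")
            if piece:
                segments.append(piece)
    return segments


def lookup(*fragments):
    """Resolve path fragments to a dispatch node.

    Tries the longest dotted prefix first and accepts it when it is a full
    match or the node is a leaf.  Returns (node, canonical_url) or None.
    """
    path = split_fragments(*fragments)
    for i in range(len(path), 0, -1):
        node = TREECACHE.get(".".join(path[:i]))
        if node is not None and (i == len(path) or node["leaf"]):
            return node, "/".join([SCRIPT_NAME] + path[:i])
    return None


if __name__ == "__main__":
    print(lookup("admin//network/", "iface_status"))
    print(lookup("admin/network/iface_status/%00wan"))
    print(lookup("admin/status/extra"))
```

The canonical url is rebuilt from the matched segments only, so whatever junk the caller passed (duplicate slashes, encoded NULs, trailing arguments on a leaf) never appears in the url that is handed back.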
|
|
Due to the fact that luci.model.cbi reacts on any "cbi.submit" value while
the dispatcher only required POST for cbi.submit == 1, the CSRF token
protection could be bypassed.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Introduce a new template property FULL_REQUEST_URI which returns the full
canonicalized request URL built from SCRIPT_NAME, PATH_INFO and QUERY_STRING.
This new property is safer to use compared to using the raw REQUEST_URI CGI
environment variable directly as this value is essentially untrusted user
input which may contain embedded escaped slashes, double forward slashes and
other oddities allowing XSS exploitation or request redirection.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
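How a canonical request URL can be rebuilt from the three CGI variables named above, as an added Python example rather than LuCI's own template code. The environment dictionary, the oddity checker and the decision to percent-encode query string characters other than `=`, `&`, `+` and `%` are choices made for this illustration.

```python
from urllib.parse import quote


def full_request_uri(env):
    """Rebuild the request URL from SCRIPT_NAME, PATH_INFO and QUERY_STRING.

    Every path segment is re-encoded with no characters considered safe, so
    an embedded slash, NUL byte or markup character in PATH_INFO comes out
    percent-encoded; empty segments (double slashes) vanish.  The query
    string is re-encoded too, keeping only the separators needed to stay a
    query string (assumption: no raw slash is ever needed in it).
    """
    script = env.get("SCRIPT_NAME", "")
    segments = [s for s in env.get("PATH_INFO", "").split("/") if s]
    path = "/".join(quote(s, safe="") for s in segments)
    url = (script + "/" + path) if path else (script + "/")
    query = env.get("QUERY_STRING", "")
    if query:
        url += "?" + quote(query, safe="=&+%")
    return url


def request_uri_oddities(raw):
    """Flag the inputs a raw REQUEST_URI may carry that the rebuilt value
    neutralises: duplicate slashes, percent-encoded slashes and raw markup."""
    found = []
    if "//" in raw:
        found.append("double slash")
    if "%2f" in raw.lower():
        found.append("encoded slash")
    if any(c in raw for c in "<>\"'"):
        found.append("raw markup")
    return found


if __name__ == "__main__":
    # Constructed CGI environment for a request with junk in the path.
    env = {
        "SCRIPT_NAME": "/cgi-bin/luci",
        "PATH_INFO": "/admin//status/<script>",
        "QUERY_STRING": "a=1&b=<x>",
        "REQUEST_URI": "/cgi-bin/luci//admin/status/%2F<script>?a=1&b=<x>",
    }
    print(request_uri_oddities(env["REQUEST_URI"]))
    print(full_request_uri(env))
```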
|
|
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Properly deal with client accept languages containing a culture identifier
such as "zh-CN" or "pt-BR".
Fixes #1226.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Some controller actions like the ones in "servicectl" require authentication
but are not meant to provide an authenticator because they're only invoked
by scripts.
Rework the dispatcher logic to handle this situation and only bail out if
an authenticator name other than "htmlauth" is set.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Drop the custom credentials checking in favor of performing proper session
logins via rpcd. This is needed to properly set up ACLs when spawning
rpcd sessions in order to support direct client side ubus access in the
future.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
In some cases it is useful to be able to override the template used for the
sysauth login dialog.
Add a new property "sysauth_template" which allows overriding the template
name from controller files.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Fall back to default language if "auto" is configured, but none provided by
the browser matches.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
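Language selection covering both of the Accept-Language commits above, the "auto" fallback to the default language in this commit and the culture identifier handling ("zh-CN", "pt-BR") in the earlier one, as an added Python example rather than LuCI's i18n code. It assumes installed translations are keyed in the form `zh_cn` / `pt_br`; unlike the page's description it also honours `q=` weights, which is an extension made for the example.

```python
def parse_accept_language(header):
    """Return the language tags of an Accept-Language header, best first.

    Tags are lower-cased, q=0 entries dropped, and ties keep header order.
    """
    entries = []
    for pos, item in enumerate(header.split(",")):
        parts = [p.strip() for p in item.split(";")]
        tag = parts[0].lower()
        if not tag:
            continue
        weight = 1.0
        for p in parts[1:]:
            if p.startswith("q="):
                try:
                    weight = float(p[2:])
                except ValueError:
                    weight = 0.0
        if weight > 0:
            entries.append((-weight, pos, tag))
    entries.sort()
    return [tag for _, _, tag in entries]


def select_language(configured, accept_header, available, default="en"):
    """Pick the UI language.

    A fixed configured language always wins.  With "auto", each browser tag
    is tried as an installed translation: a culture tag such as zh-CN is
    tried as "zh_cn" first and then as plain "zh".  If nothing the browser
    offers is installed, fall back to the default instead of failing.
    (assumption: translation names use an underscore and lower case)
    """
    if configured != "auto":
        return configured
    for tag in parse_accept_language(accept_header):
        candidates = [tag.replace("-", "_")]
        if "-" in tag:
            candidates.append(tag.split("-", 1)[0])
        for candidate in candidates:
            if candidate in available:
                return candidate
    return default


if __name__ == "__main__":
    installed = {"en", "zh_cn", "pt_br", "de"}
    print(select_language("auto", "zh-CN,zh;q=0.8,en;q=0.5", installed))
    print(select_language("auto", "pt-PT,en;q=0.7", installed))
    print(select_language("auto", "fr-FR, it", installed))
```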
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Fix links to point into Github repo instead of luci.subsignal.org
- the hint to file a bug in dispatcher
- footers of Bootstrap and Firefunk themes
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
|
|
Instead of relying on the connect-before-setuid hack, ship a proper
acl definition file whitelisting the procedures that LuCI requires
on its non-root pages.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Allows external code to perform POST and token checking manually.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Now that we don't have an url token anymore, '/cgi-bin/luci' becomes a valid
url while cookies are restricted to only '/cgi-bin/luci/' and below.
In order to ensure that the first request after login refers to a path
covered by the authentication cookie, change build_url() to always append
a trailing slash if we're referring to the base url.
This should fix the login problems mentioned in #516.
While we're touching the dispatcher, also remove remaining url token code.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
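The trailing-slash rule described above and the cookie path check it exists for, as an added Python example (not LuCI's `build_url`). The script name constant is assumed; the path matching follows RFC 6265 section 5.1.4, which is what makes `/cgi-bin/luci` fall outside a cookie scoped to `/cgi-bin/luci/`.

```python
SCRIPT_NAME = "/cgi-bin/luci"   # assumption: base url of the dispatcher


def build_url(*parts):
    """Join path components under the script name.

    Components may themselves contain slashes; empty pieces are dropped.
    With no components the base url is returned WITH a trailing slash, so
    the first request after login is covered by the session cookie.
    """
    segments = [p for part in parts for p in str(part).split("/") if p]
    if not segments:
        return SCRIPT_NAME + "/"
    return SCRIPT_NAME + "/" + "/".join(segments)


def cookie_path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match.

    The cookie is sent when the request path equals the cookie path, or the
    cookie path is a prefix of it and either the cookie path ends in "/" or
    the first request character after the prefix is "/".
    """
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


def login_redirect_is_covered(cookie_path, *parts):
    """Would the browser send a cookie scoped to cookie_path along with a
    redirect to build_url(*parts)?  Returns (url, covered)."""
    url = build_url(*parts)
    return url, cookie_path_matches(cookie_path, url)


if __name__ == "__main__":
    print(login_redirect_is_covered("/cgi-bin/luci/"))
    print(login_redirect_is_covered("/cgi-bin/luci/", "admin", "status"))
    # Without the trailing slash the base url is NOT covered:
    print(cookie_path_matches("/cgi-bin/luci/", "/cgi-bin/luci"))
```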
|
|
Now that sensitive urls require post requests and only accept them if a valid
security token is sent along the request, we can drop the global random url
token to improve LuCI usability.
The main improvement is the ability to use multiple tabs with the same login
session, but also deep linking to specific urls without the need for another
login becomes feasible, e.g. for documentation purposes.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
* Add a generic helper function to check need for post / csrf token validation
* Remove custom token verification in cbi targets
* Support requiring post security depending on specific submit parameters,
usable through post_on() action
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Add the dispatcher infrastructure to restrict certain routes to POST
requests only in conjunction with verification of CSRF tokens.
This is the first step to get rid of the CSRF token in the url in favor
of tokens embedded in forms.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
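The POST-plus-token rule introduced here, the `post_on()` submit-parameter variant, and the two later fixes on this page for `cbi.submit` (the bypass when only the literal value `1` forced a POST, and the follow-up for an empty value) together, as an added Python example. This is not LuCI's dispatcher code: the parameter dictionary, the `token` field name, the token storage and the exception type are assumptions made for the illustration.

```python
import hmac
import secrets

CBI_SUBMIT = "cbi.submit"
TOKEN_PARAM = "token"   # assumption: form field that carries the CSRF token


class PostSecurityError(Exception):
    """A protected route was requested without POST plus a valid token."""


def new_session_token():
    """Per-session secret the server stores and embeds in every form."""
    return secrets.token_hex(16)


def cbi_reacts(params):
    """What the form backend does: the mere presence of cbi.submit, with
    any value including the empty string, counts as a submission."""
    return CBI_SUBMIT in params


def requires_post_before(params):
    """The original dispatcher check: only the literal value "1" demanded
    POST plus token, so a GET carrying cbi.submit= (empty) or cbi.submit=x
    slipped past it while the backend still processed the submission."""
    return params.get(CBI_SUBMIT) == "1"


def requires_post(params, post_on=(CBI_SUBMIT,)):
    """Fixed rule with post_on() semantics: a route registered with a set
    of submit parameters needs POST whenever any of them is present at all;
    a route registered with post_on=None always needs POST."""
    if post_on is None:
        return True
    return any(name in params for name in post_on)


def check_post_security(method, params, session_token, post_on=(CBI_SUBMIT,)):
    """Return True when the request may run, otherwise raise.

    The token is compared in constant time against the caller's own
    session token, so a token from another session is worthless.
    """
    if not requires_post(params, post_on):
        return True
    if method != "POST":
        raise PostSecurityError("route requires POST")
    token = params.get(TOKEN_PARAM, "")
    if not token or not session_token:
        raise PostSecurityError("missing security token")
    if not hmac.compare_digest(token.encode(), session_token.encode()):
        raise PostSecurityError("invalid security token")
    return True


def allowed(method, params, session_token, post_on=(CBI_SUBMIT,)):
    """Boolean wrapper around check_post_security for callers and tests."""
    try:
        return check_post_security(method, params, session_token, post_on)
    except PostSecurityError:
        return False


if __name__ == "__main__":
    tok = new_session_token()
    # The bypass: backend reacts, old check does not demand POST.
    print(cbi_reacts({CBI_SUBMIT: ""}), requires_post_before({CBI_SUBMIT: ""}))
    print(allowed("GET", {CBI_SUBMIT: ""}, tok))                    # False
    print(allowed("POST", {CBI_SUBMIT: "1", TOKEN_PARAM: tok}, tok))  # True
```

A route that only renders (no submit parameter in the request) still answers a plain GET, which is what makes deep links and multiple tabs work once the url token is gone.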
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Redirect to the canonical url after login and redirect to a url without
security token if the session expired. Also make sure that the login page
is served with status code 403, not 200 to give ajax calls a chance to
detect expired sessions.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Remove luci.sauth session storage implementation and offload the session
management to the rpcd ubus backend. Also depend on rpcd due to this.
|
|
* Rename subdirectories to their respective OpenWrt package names
* Make each LuCI module its own standalone package
* Deploy a shared luci.mk which is used by each module Makefile
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|