path: root/modules/luci-base/luasrc
Age | Commit message | Author
2018-04-26 | luci-base: add simple CORS handling to luci.dispatcher | Jo-Philipp Wich
Support a new boolean property `cors` which - if set to true - causes the dispatcher to positively answer CORS OPTIONS requests after authentication without actually running the dispatching target. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-26 | luci-base: handle bodies of non-POST requests as well | Jo-Philipp Wich
Decode the HTTP message bodies of any request carrying a Content-Length header, not just those in POST requests. This allows handling parameters in other methods, OPTIONS in particular. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-24 | luci-base: additionally return error code strings in luci.util.ubus() | Jo-Philipp Wich
Add a 3rd return value to luci.util.ubus() containing the string value of the error return value. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-24 | luci-base: ensure that file upload values have length | Jo-Philipp Wich
Ensure that the (table) length of a file upload value has nonzero length by initializing the first table index with the file name. This fixes tests in the form

    x = luci.http.formvalue(...)
    if x and #x > 0 then ... end

Fixes #1763. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-22 | luci-base: decode plus signs in x-www-form-urlencoded POST data | Jo-Philipp Wich
Depends on 5ef51b2ab ("lucihttp: update to latest HEAD"). Fixes #1755. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-19 | luci-base: properly handle repeated POST parameters | Jo-Philipp Wich
Restore the old luci.http behaviour of converting repeated POST params into single tables holding all values instead of letting each repeated parameter overwrite the value of the preceding one. Fixes, among other things, the handling of CBI dynamic list values. Fixes #1752 Fixes 59dea0230 ("luci-base: switch to lucihttp based POST data processing") Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-19 | luci-base: implement session handling in luci.model.uci | Jo-Philipp Wich
Introduce luci.model.uci.set_session_id() and luci.model.uci.get_session_id() to set and get the effective session ID respectively. When a session ID is set, it is sent as `ubus_rpc_session` attribute to rpcd, causing it to use per-session change directories, isolating LuCI changes from the global system uci state. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-18 | libs: move http.protocol.{date,mime,conditionals} to luci-lib-httpprotoutils | Jo-Philipp Wich
Also adjust the dependencies of components depending on these classes and flatten the namespace from luci.http.protocol.* to luci.http.* Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-18 | luci-base: fold luci.http.protocol into luci.http | Jo-Philipp Wich
With only the decoder routines remaining in luci.http.protocol, it makes no sense to keep the low level protocol class around, so fold the remaining code into the central luci.http class. Also adjust the few direct users of luci.http.protocol accordingly. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-18 | luci-base: refactor luci.http | Jo-Philipp Wich
- Rewrite getcookie() to use liblucihttp header value parsing
- Rewrite setfilehandler() to use local variables and have cleaner code
- Fix build_querystring() to actually *en*code the given params
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-18 | luci-base: drop luci.util.dtable() | Jo-Philipp Wich
The dtable() function has no user in the entire LuCI repo, so drop it. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-18 | luci-base: switch to lucihttp based POST data processing | Jo-Philipp Wich
Use the liblucihttp provided multipart and x-www-urlencoded body parsers and drop the old Lua parsing code. The C based data parsers are way faster than their old Lua counterparts while producing less string garbage and more correct results. While refactoring the luci.http.protocol code, also drop unused functions and dead code, heavily reducing the module size. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-18 | luci-base: switch to lucihttp.urldecode() and lucihttp.urlencode() | Jo-Philipp Wich
Drop the Lua implementation in luci.http.protocol and use the optimized C variants of liblucihttp instead. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-10 | luci-base: fix rendering of 404 HTML error template | Jo-Philipp Wich
This 404 error template rendering has been broken for a long time due to bad function environment level in luci.template when invoking the rendering from the toplevel dispatcher context. Fix this issue by adding a local function indirection, essentially adding an additional stack frame. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-10 | luci-base: error404: do not access request env directly | Jo-Philipp Wich
Instead of attempting to access the request environment directly (which does not work anyway using the CGI SGI), use the already sanitized dispatcher.context.request property to print out the not found url. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-10 | luci-base: don't propagate null bytes in path information | Jo-Philipp Wich
It is possible to inject unescaped markup using a double encoded null byte via PATH_INFO on certain leaf nodes. Since there is no legitimate reason to handle null bytes in any part of the requested url, simply skip over such bytes when parsing the PATH_INFO value. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-09 | luci-base: consider empty parameters as well when testing POST requirement | Jo-Philipp Wich
The cbi class will react on an empty "cbi.submit" parameter as well so we must intercept GET requests using that too. Fixes 186e690c0 ("luci-base: dispatcher: reject non-POST requests with any cbi.submit value") Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-07 | timezone data: update to 2018d | Hannu Nyman
Update timezone data to 2018d http://mm.icann.org/pipermail/tz-announce/2018-March/000049.html In 2018, Palestine starts DST on March 24, not March 31. Adjust future predictions accordingly. Casey Station in Antarctica changed from +11 to +08 Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2018-04-07 | luci-base: fix luci.model.uci.get_first() | Jo-Philipp Wich
Properly propagate the config parameter to the foreach iterator in order to fix get_first() lookups. Fixes #1734. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-07 | luci-base: escape path strings and field parameter | Jo-Philipp Wich
Prevent various XSS vectors by not interpolating field and path values verbatim into script and html contexts. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-06 | luci-base: properly initialize cbi.js on SimpleForms | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-06 | luci-base: emit a warning if cbi() delegates a SimpleForm instance | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-06 | luci-base: implement luci.model.uci.get_state() | Jo-Philipp Wich
Introduce a get_state() function which can be used to access legacy uci state variables. This is usually not needed anymore but some packages (mainly mwan3) still rely on this. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05 | luci-base: introduce luci.dispatcher.lookup() | Jo-Philipp Wich
The lookup function takes multiple, possibly malformed path fragments, splits them on slashes, constructs a temporary path and looks up the result in the dispatch tree. If a matching node has been found, the function will return both the node reference and the canonical url to it. If no corresponding node is found, the function returns nil. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05 | Merge pull request #1709 from dibdot/get_interface-fix | Jo-Philipp Wich
luci-base/network.lua: fix get_interface function
2018-04-05 | treewide: filter shell arguments through shellquote() where applicable | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05 | luci-base: introduce luci.util.shellquote() | Jo-Philipp Wich
Introduce a new function luci.util.shellquote() which encloses the given string argument in single quotes and escapes any embedded single quote characters. This function is intended to be used when interpolating untrusted input into shell commands. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05 | luci-base: fix possible shell injection in luci.tools.status.switch_status() | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05 | luci-base: dispatcher: reject non-POST requests with any cbi.submit value | Jo-Philipp Wich
Due to the fact that luci.model.cbi reacts on any "cbi.submit" value while the dispatcher only required POST for cbi.submit == 1, the CSRF token protection could be bypassed. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04 | luci-base: use FULL_REQUEST_URI on login form templates | Jo-Philipp Wich
Switch from using the REQUEST_URI CGI variable directly to the canonicalized FULL_REQUEST_URI property. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04 | luci-base: add FULL_REQUEST_URI template property | Jo-Philipp Wich
Introduce a new template property FULL_REQUEST_URI which returns the full canonicalized request URL built from SCRIPT_NAME, PATH_INFO and QUERY_STRING. This new property is safer to use compared to using the raw REQUEST_URI CGI environment variable directly as this value is essentially untrusted user input which may contain embedded escaped slashes, double forward slashes and other oddities allowing XSS exploitation or request redirection. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04 | luci-base: add a strict flag to the hostname validator | Jo-Philipp Wich
Some applications, e.g. dnsmasq, do not allow hostnames starting with an underscore, therefore extend the existing hostname datatype validator with a `strict` which disallows a leading underscore. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04 | luci-base: switch to ubus uci operations | Jo-Philipp Wich
Switch luci.model.uci to use ubus uci calls instead of driving libuci-lua directly. This prepares support for more advanced features such as per-session change isolation and configuration rollback on errors. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-03-31 | luci-base/network.lua: fix get_interface function | Dirk Brenken
* fix wrong private function call to handle section id as parameter (fix for #1687) Signed-off-by: Dirk Brenken <dev@brenken.org>
2018-03-27 | luci-base: fix colspans calculation in tblsection | Florian Eckert
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-03-22 | luci-base/util.lua: enhance checklib function | Dirk Brenken
* enhance the checklib function in util.lua to check the 'fullpathexe' as well, e.g. this fixes runtime errors on the dhcp/dns template in environments without dnsmasq Signed-off-by: Dirk Brenken <dev@brenken.org>
2018-03-15 | Merge pull request #1654 from TDT-AG/pr/20180301-luci-several-fixes | Jo-Philipp Wich
luci-app-firewall/luci-base/luci-mod-admin-full: some fixes and improvements
2018-03-12 | treewide: unify mac address handling | Jo-Philipp Wich
Use the new luci.ip MAC address facilities to parse and verify MAC addresses in a common way, instead of relying on various ad-hoc solutions. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-03-12 | luci-base: fix documentation spelling mistakes in luci.http.protocol | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-03-12 | luci-base: fix documentation spelling mistakes in luci.util | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-03-11 | luci-base: fix parsing of ethers(5) | Jo-Philipp Wich
The /etc/ethers file may contain any number of white space characters between the mac address and the IP/hostname field, so extend the pattern to allow for that. Man ethers(5) also states that the IP field may be a symbolic hostname, so test whether the name is an IP address or hostname before adding it to the hints structure. Fixes #1674. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-03-09 | Merge pull request #1675 from dibdot/material-fix | Hannu Nyman
luci-base/firewall_zonelist: fix visual interface/background alignment
2018-03-09 | luci-base/firewall_zonelist: fix visual interface/background alignment | Dirk Brenken
* fix for #1667, tested with all standard themes Signed-off-by: Dirk Brenken <dev@brenken.org>
2018-03-02 | luci-base: properly handle undefined IPv6 local-address information | Jo-Philipp Wich
If IPv6 prefix assignment is disabled, the "local-address" structure might exist, but be empty which causes the address formatting in the network model class to bail out. Verify the completeness of the "local-address" structure before using it in order to avoid runtime errors. Fixes #1657. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-03-02 | luci-base, luci-mod-admin-full: store backup vars in luci configuration | Jo-Philipp Wich
Keep the ifname and bridge state backup variables in /etc/config/luci to not pollute /etc/config/network. Fixes #1655. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-03-01 | luci-base: fix browser.htm template | Florian Eckert
If cbi_init() is not called first browser gif will not be found. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-02-16 | luci-base: do not assume a fixed host address in delegated prefix (#1484) | Jo-Philipp Wich
OpenWrt/LEDE introduced the "local-address" field a while back to expose the effective local host address of the delegated prefix, so use that information instead of assuming `[prefix]:1`. Fixes #1484. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-02-16 | luci-base: fix Lua-side ip6hostid() datatype validation | Jo-Philipp Wich
A valid host ID as accepted by netifd must meet the following criteria:
- Is either one of the two special "random" or "eui64" strings
- Or is a valid IPv6 address according to inet_pton(AF_INET6)
- Has the first 64 bit set to zero
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-02-02 | timezone data: update to 2018c | Hannu Nyman
Update timezone data to 2018c http://mm.icann.org/pipermail/tz-announce/2018-January/000048.html Briefly: Sao Tome and Príncipe switched from +00 to +01. Brazil's DST will now start on November's first Sunday. Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2018-01-17 | luci-base: log login attempts | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>