summaryrefslogtreecommitdiffhomepage
path: root/modules/luci-base/luasrc
AgeCommit message (Collapse)Author
2018-04-05treewide: filter shell arguments through shellquote() where applicableJo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05luci-base: introduce luci.util.shellquote()Jo-Philipp Wich
Introduce a new function luci.util.shellquote() which encloses the given string argument in single quotes and escapes any embedded single quote characters. This function is intended to be used when interpolating untrusted input into shell commands. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05luci-base: fix possible shell injection in luci.tools.status.switch_status()Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05luci-base: dispatcher: reject non-POST requests with any cbi.submit valueJo-Philipp Wich
Due to the fact that luci.model.cbi reacts on any "cbi.submit" value while the dispatcher only required POST for cbi.submit == 1, the CSRF token protection could be bypassed. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04luci-base: use FULL_REQUEST_URI on login form templatesJo-Philipp Wich
Switch from using the REQUEST_URI CGI variable directly to the canonicalized FULL_REQUEST_URI property. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04luci-base: add FULL_REQUEST_URI template propertyJo-Philipp Wich
Introduce a new template property FULL_REQUEST_URI which returns the full canonicalized request URL built from SCRIPT_NAME, PATH_INFO and QUERY_STRING. This new property is safer to use compared to using the raw REQUEST_URI CGI environment variable directly as this value is essentially untrusted user input which may contain embedded escaped slashes, double forward slashes and other oddities allowing XSS exploitation or request redirection. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04luci-base: add a strict flag to the hostname validatorJo-Philipp Wich
Some applications, e.g. dnsmasq, do not allow hostnames starting with an underscore, therefor extend the existing hostname datatype validator with a `strict` which disallows a leading underscore. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04luci-base: switch to ubus uci operationsJo-Philipp Wich
Switch luci.model.uci to use ubus uci calls instead of driving libuci-lua directly. This prepares support for more advanced features such as per-session change isolation and configuration rollback on errors. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-03-31luci-base/network.lua: fix get_interface functionDirk Brenken
* fix wrong private function call to handle section id as parameter (fix for #1687) Signed-off-by: Dirk Brenken <dev@brenken.org>
2018-03-27luci-base: fix colspans calculation in tblsectionFlorian Eckert
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-03-22luci-base/util.lua: enhance checklib functionDirk Brenken
* enhance the checklib function in util.lua to check the 'fullpathexe' as well, e.g. this fixes runtime errors on the dhcp/dns template in environments without dnsmasq Signed-off-by: Dirk Brenken <dev@brenken.org>
2018-03-15Merge pull request #1654 from TDT-AG/pr/20180301-luci-several-fixesJo-Philipp Wich
luci-app-firewall/luci-base/luci-mod-admin-full: some fixes and improvements
2018-03-12treewide: unify mac address handlingJo-Philipp Wich
Use the new luci.ip MAC address facilities to parse and verify MAC addresses in a common way, instead of relying on various ad-hoc solutions. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-03-12luci-base: fix documentation spelling mistakes in luci.http.protocolJo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-03-12luci-base: fix documentation spelling mistakes in luci.utilJo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-03-11luci-base: fix parsing of ethers(5)Jo-Philipp Wich
The /etc/ethers file may contain any number of white space characters between the mac address and the IP/hostname field, so extend the pattern to allow for that. Man ethers(5) also states that the IP field may be a symbolic hostname, so test whether the name is an IP address or hostname before adding it to the hints structure. Fixes #1674. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-03-09Merge pull request #1675 from dibdot/material-fixHannu Nyman
luci-base/firewall_zonelist: fix visual interface/background alignment
2018-03-09luci-base/firewall_zonelist: fix visual interface/background alignmentDirk Brenken
* fix for #1667, tested with all standard themes Signed-off-by: Dirk Brenken <dev@brenken.org>
2018-03-02luci-base: properly handle undefined IPv6 local-address informationJo-Philipp Wich
If IPv6 prefix assignment is disabled, the "local-address" structure might exist, but be empty which causes the adress formatting in the network model class to bail out. Verify the completeness of the "local-address" structure before using it in order to avoid runtime errors. Fixes #1657. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-03-02luci-base, luci-mod-admin-full: store backup vars in luci configurationJo-Philipp Wich
Keep the ifname and bridge state backup variables in /etc/config/luci to not pollute /etc/config/network. Fixes #1655. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-03-01luci-base: fix browser.htm templateFlorian Eckert
If cbi_init() is not called first browser gif will not be found. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-02-16luci-base: do not assume a fixed host address in delegated prefix (#1484)Jo-Philipp Wich
OpenWrt/LEDE introduced the "local-address" field a while back to expose the effective local host address of the delegated prefix, so use that information instead of assuming `[prefix]:1`. Fixes #1484. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-02-16luci-base: fix Lua-side ip6hostid() datatype validationJo-Philipp Wich
A valid host ID as accepted by netifd must meet the following criteria: - Is either one of the two special "random" or "eui64" strings - Or is a valid IPv6 address according to inet_pton(AF_INET6) - Has the first 64 bit set to zero Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-02-02timezone data: update to 2018cHannu Nyman
Update timezone data to 2018c http://mm.icann.org/pipermail/tz-announce/2018-January/000048.html Briefly: Sao Tome and Príncipe switched from +00 to +01. Brazil's DST will now start on November's first Sunday. Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2018-01-17luci-base: log login attemptsJo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-01-03luci-base: fix luci.sys.wifi.getiwinfo() on radio namesJo-Philipp Wich
Fall back to using a phy-wide iwinfo handle if the vif query yields no result. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-01-02luci-base: reorder private functionsJo-Philipp Wich
The _wifi_sid_by_ifname() function depends on _wifi_state_by_ifname() so reorder the private helper functions accordingly to avoid nil value call attempts. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-01-02luci-base: rework wireless state handling (#1179)Jo-Philipp Wich
- fix mapping of ubus wireless state to uci declared vifs - fix leaking foreign vif info into per-phy iwinfo stats Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-11-11timezone data: update to 2017cHannu Nyman
Update timezone data to 2017c http://mm.icann.org/pipermail/tz-announce/2017-October/000047.html Briefly: Northern Cyprus switches from +03 to +02/+03 on 2017-10-29. Fiji ends DST 2018-01-14, not 2018-01-21. Namibia switches from +01/+02 to +02 on 2018-04-01. Sudan switches from +03 to +02 on 2017-11-01. Tonga likely switches from +13/+14 to +13 on 2017-11-05. Turks & Caicos switches from -04 to -05/-04 on 2018-11-04. Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2017-10-29Fix typos in luci-base/luasrc/http/protocol.luaFelix Yan
2017-10-17luci-base: gracefully handle broken firewall forwarding sectionsJo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-09-02http: add random security headersJo-Philipp Wich
Fixes #1343. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-08-22luci-base: datatypes: add cidr, ipnet validator typeYousong Zhou
- Rewrite ipmask to use these subtypes - Add ip{4,6}prefix validators to cbi.js Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-08-13luci-base: improve language detectionJo-Philipp Wich
Properly deal with client accept languages containing a culture identifier such as "zh-CN" or "pt-BR". Fixes #1226. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-07-28luci-base: let luci.sys.net.devices() return all netdevsJo-Philipp Wich
The previous implementation of the function only returned ethernet interfaces because it relied on the AF_PACKET family entries returned by getifaddrs(). Change the function to simply collect all interface names it sees in order to avoid missing tunnel interfaces. Fixes FS#917. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-07-11luci-base: properly handle authentication without authenticatorJo-Philipp Wich
Some controller actions like the ones in "servicectl" require authentication but are not meant to provide an authenticator because they're only invoked by scripts. Rework the dispatcher logic to handle this situation and only bail out if an authenticator name other than "htmlauth" is set. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-07-11luci-base: use rpcd-mod-rrdns for reverse DNS lookupsJo-Philipp Wich
Drop the individual calls to nixio.getnameinfo() in luci.sys.net and rely on the "network.rrdns.lookup" ubus call instead to fetch domain information within a guaranteed timeout. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-07-11luci-base: drop unused functions in luci.sysJo-Philipp Wich
Drop a number of redundant functions from luci.sys to shrink the code a bit: * luci.sys.net.arptable() - replaced by luci.ip.neighbors() * luci.sys.net.routes() - replaced by luci.ip.routes() * luci.sys.net.routes6() - replaced by luci.ip.routes6() * luci.sys.net.deviceinfo() - replaced by nixio.getaddrinfo() * luci.sys.net.pingtest() - no known user Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-07-09luci-base: use rpcd session loginsJo-Philipp Wich
Drop the custom credentials checking in favor to perform proper session logins via rpcd. This is needed to properly setup ACLs when spawning rpcd sessions in order to support direct client side ubus access in the future. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-05-21luci-base: support ip6ifaceid option for proto_staticHannu Nyman
Add support for 'ip6ifaceid' option for proto_static in LuCI. Information about the option: The option is optional and defaults to '::1'. Allowed values: 'eui64', 'random', fixed value like '::1' or '::1:2' When IPv6 prefix (like 'a:b:c:d::') is received from a delegating server, the ip6ifaceid suffix (like '::1') is used to form the IPv6 address ('a:b:c:d::1') for the interface. Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2017-05-08luci-base: add Etc/GMT timezonesHannu Nyman
Add Etc/GMT timezones like GMT+5 Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2017-05-06luci-base: luci.dispatcher: allow overriding sysauth templateJo-Philipp Wich
In some cases it is useful to be able to override the template used for the sysauth login dialog. Add a new property "sysauth_template" which allows overriding the template name from controller files. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-04-10timezone data: update to 2017bHannu Nyman
Update timezone data to 2017b. http://mm.icann.org/pipermail/tz-announce/2017-February/000045.html http://mm.icann.org/pipermail/tz-announce/2017-March/000046.html Key changes in 2017a-2017b: * Mongolia no longer observes DST. * Chile's Region of Magallanes moves from -04/-03 to -03 year-round. * Switch to numeric time zone abbreviations for South America, as part of the ongoing project of removing invented abbreviations. * Haiti resumed observance of DST in 2017. Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2017-02-28treewide: cleanup references to madwifi from LuCIHannu Nyman
Remove the code related to the deprecated madwifi driver. Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2017-02-27luci-proto-wireguard: add support for fwmark optiondanrl
Adds support for the fwmark option. FwMark is a 32-bit fwmark for outgoing packets. If set to 0 or "off", this option is disabled. Signed-off-by: Dan Luedtke <mail@danrl.com>
2017-02-15luci-base: added dhcpv6 datatypesdanrl
Signed-off-by: Dan Luedtke <mail@danrl.com>
2017-02-09luci-base: add hexstring datatypeHannu Nyman
Add datatype 'hexstring' for input validaiton datatypes. It will accept any hexadecimal string. (no length validation, as rangelength can be used for that.) Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2017-02-07Merge pull request #965 from cshore-firmware/pull-request-odhcpd-macDaniel Dickinson
base: status: For odhpcd leases display MAC formatted with colons
2017-01-30luci-base: fix logic errors in ipmask4 and ipmask6 datatype validatorsJo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-01-28mod-admin-full: Add IPv6 Prefix Delegation information to Status PagesCody R. Brown
The Overview page and Network>Interfaces page currently do not give much information about IPv6, particularly with Prefix Delegated setups. In these setups, ISP will delegate a prefix to the router. Currently LuCI doesn't display this Prefix Delegation from the ISP anywhere. A number of changes was added to this commit: 1) self:_ubus("ipv6-prefix") was extracted and put into protocol.ip6prefix. 2) Network>Interfaces page, if a .ip6prefix is present, show it under Status. (IPv6-PD). 3) On the Overview page, "Type" and "Prefix Delegated" has been added to the IPv6 Network Overview Status: - Type will display the .proto, similar to the IPv4 case. If a .ip6prefix is present, it'll display a "-pd" at the end of the Type: i.e. dhcpv6-pd vs. dhcpv6. - If no .ip6prefix is present, it'll do what it does currently, and just show Address, or :: if no address is present. - If .ip6prefix is present, it'll show the "Prefix Delegated", it'll also hide "Address" if no address is present, else it'll show ifc6.ip6addr as well. Signed-off-by: Cody R. Brown <dev@codybrown.ca>