Age | Commit message | Author
2018-04-05 | treewide: filter shell arguments through shellquote() where applicable | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05 | luci-base: introduce luci.util.shellquote() | Jo-Philipp Wich
Introduce a new function luci.util.shellquote() which encloses the given string argument in single quotes and escapes any embedded single quote characters. This function is intended to be used when interpolating untrusted input into shell commands.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05 | luci-mod-admin-full: fix possible shell injection in bandwidth status | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05 | luci-base: fix possible shell injection in luci.tools.status.switch_status() | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05 | luci-base: dispatcher: reject non-POST requests with any cbi.submit value | Jo-Philipp Wich
Due to the fact that luci.model.cbi reacts on any "cbi.submit" value while the dispatcher only required POST for cbi.submit == 1, the CSRF token protection could be bypassed.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04 | luci-base: use FULL_REQUEST_URI on login form templates | Jo-Philipp Wich
Switch from using the REQUEST_URI CGI variable directly to the canonicalized FULL_REQUEST_URI property.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04 | luci-base: add FULL_REQUEST_URI template property | Jo-Philipp Wich
Introduce a new template property FULL_REQUEST_URI which returns the full canonicalized request URL built from SCRIPT_NAME, PATH_INFO and QUERY_STRING. This new property is safer to use compared to using the raw REQUEST_URI CGI environment variable directly as this value is essentially untrusted user input which may contain embedded escaped slashes, double forward slashes and other oddities allowing XSS exploitation or request redirection.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04 | luci-mod-admin-full: use strict hostname validation for dhcp hosts | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04 | luci-base: add a strict flag to the hostname validator | Jo-Philipp Wich
Some applications, e.g. dnsmasq, do not allow hostnames starting with an underscore, therefore extend the existing hostname datatype validator with a `strict` which disallows a leading underscore.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04 | luci-base: switch to ubus uci operations | Jo-Philipp Wich
Switch luci.model.uci to use ubus uci calls instead of driving libuci-lua directly. This prepares support for more advanced features such as per-session change isolation and configuration rollback on errors.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-02 | luci-base: zh_CN: update Simplified Chinese translation | Qian Zheng
Signed-off-by: Qian Zheng <sotux82@gmail.com>
2018-03-29 | i18n: sync translations | INAGAKI Hiroshi
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2018-03-27 | luci-base: fix colspans calculation in tblsection | Florian Eckert
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-03-22 | luci-base/util.lua: enhance checklib function | Dirk Brenken
* enhance the checklib function in util.lua to check the 'fullpathexe' as well, e.g. this fixes runtime errors on the dhcp/dns template in environments without dnsmasq
Signed-off-by: Dirk Brenken <dev@brenken.org>
2018-03-15 | Merge pull request #1654 from TDT-AG/pr/20180301-luci-several-fixes | Jo-Philipp Wich
luci-app-firewall/luci-base/luci-mod-admin-full: some fixes and improvements
2018-03-12 | treewide: unify mac address handling | Jo-Philipp Wich
Use the new luci.ip MAC address facilities to parse and verify MAC addresses in a common way, instead of relying on various ad-hoc solutions.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-03-12 | luci-base: fix documentation spelling mistakes in luci.http.protocol | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-03-12 | luci-base: fix documentation spelling mistakes in luci.util | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-03-11 | luci-base: fix parsing of ethers(5) | Jo-Philipp Wich
The /etc/ethers file may contain any number of white space characters between the mac address and the IP/hostname field, so extend the pattern to allow for that. Man ethers(5) also states that the IP field may be a symbolic hostname, so test whether the name is an IP address or hostname before adding it to the hints structure. Fixes #1674.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-03-09 | Merge pull request #1675 from dibdot/material-fix | Hannu Nyman
luci-base/firewall_zonelist: fix visual interface/background alignment
2018-03-09 | luci-base/firewall_zonelist: fix visual interface/background alignment | Dirk Brenken
* fix for #1667, tested with all standard themes
Signed-off-by: Dirk Brenken <dev@brenken.org>
2018-03-02 | luci-base: properly handle undefined IPv6 local-address information | Jo-Philipp Wich
If IPv6 prefix assignment is disabled, the "local-address" structure might exist, but be empty which causes the address formatting in the network model class to bail out. Verify the completeness of the "local-address" structure before using it in order to avoid runtime errors. Fixes #1657.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-03-02 | luci-base, luci-mod-admin-full: store backup vars in luci configuration | Jo-Philipp Wich
Keep the ifname and bridge state backup variables in /etc/config/luci to not pollute /etc/config/network. Fixes #1655.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-03-01 | luci-mod-admin-full: add hint on backup restore | Florian Eckert
Add a hint to backup restore that files could remain on the system.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-03-01 | luci-base: fix browser.htm template | Florian Eckert
If cbi_init() is not called first browser gif will not be found.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-02-16 | luci-base: do not assume a fixed host address in delegated prefix (#1484) | Jo-Philipp Wich
OpenWrt/LEDE introduced the "local-address" field a while back to expose the effective local host address of the delegated prefix, so use that information instead of assuming `[prefix]:1`. Fixes #1484.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-02-16 | luci-base: rework client side IP validation types and support "hostid" type | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-02-16 | luci-base: fix Lua-side ip6hostid() datatype validation | Jo-Philipp Wich
A valid host ID as accepted by netifd must meet the following criteria:
- Is either one of the two special "random" or "eui64" strings
- Or is a valid IPv6 address according to inet_pton(AF_INET6)
- Has the first 64 bit set to zero
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-02-08 | Merge pull request #1627 from user7887/luci-ru | Hannu Nyman
i18n-ru: fixed russian translation
2018-02-07 | i18n-ru: fixed russian translation | Vladimir
Signed-off-by: Vladimir <picfun@ya.ru>
2018-02-04 | luci-mod-admin-full: prevent unknown sysctl key warnings on status page | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-02-02 | timezone data: update to 2018c | Hannu Nyman
Update timezone data to 2018c http://mm.icann.org/pipermail/tz-announce/2018-January/000048.html Briefly: Sao Tome and Príncipe switched from +00 to +01. Brazil's DST will now start on November's first Sunday.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2018-01-30 | i18n-ru: fixed and updated russian translation | Vladimir
Signed-off-by: Vladimir <picfun@ya.ru>
2018-01-29 | i18n-ru: fixed and updated russian translation | Vladimir
Signed-off-by: Vladimir <picfun@ya.ru>
2018-01-26 | i18n-ru: fixed and updated russian translation | Vladimir
Signed-off-by: Vladimir <picfun@ya.ru>
2018-01-23 | i18n-ru: fixed simple-adblock strin&rus translation | Vladimir
Signed-off-by: Vladimir <picfun@ya.ru> refine refine
2018-01-21 | i18n-ru: fixed russian translation | Vladimir
Signed-off-by: Vladimir <picfun@ya.ru>
2018-01-20 | i18n-sync base.po changes | Vladimir
Signed-off-by: Vladimir <picfun@ya.ru>
2018-01-20 | i18n-ru: Edits on the general pattern of Russian translation | Vladimir
Signed-off-by: Vladimir <picfun@ya.ru>
2018-01-20 | luci-mod-admin-full: fix typos on dhcp page | Hannu Nyman
Based on #1568
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2018-01-17 | luci-base: log login attempts | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-01-16 | i18n-sync change, added project info... | Vladimir
Signed-off-by: Vladimir <picfun@ya.ru>
2018-01-16 | luci-base: zh_CN: update Simplified Chinese translation | Qian Zheng
Signed-off-by: Qian Zheng <sotux82@gmail.com>
2018-01-14 | added project info, were reviewed in graphical mode, ready for a stable release | Vladimir
Signed-off-by: Vladimir <picfun@ya.ru>
2018-01-13 | luci-mod-admin-full: set 0 db DSL SNR offset by default | Mathias Kresin
If no DSL SNR offset is set for the dsl line the first entry from the dropdown list is pre-selected by default, which would apply a -10 db offset by default. Pre-select the 0 db option if nothing else is specified in the uci config files.
Signed-off-by: Mathias Kresin <dev@kresin.me>
2018-01-12 | fixed russian translation | Vladimir
Signed-off-by: Vladimir <picfun@ya.ru>
2018-01-12 | fixed and updated russian translation | Vladimir
Signed-off-by: Vladimir <picfun@ya.ru>
2018-01-11 | fixed russian translation | Vladimir
Signed-off-by: Vladimir <picfun@ya.ru>
2018-01-11 | Correction by script i18n-sync.sh with editing of Russian translation | Vladimir
Signed-off-by: Vladimir <picfun@ya.ru>
2018-01-11 | fixed and updated russian translation | Vladimir
Signed-off-by: Vladimir <picfun@ya.ru>