From b5826f1ffb19288b8bfdc63f4b77700cfabe1181 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich <jow@openwrt.org>
Date: Tue, 20 Oct 2015 21:01:41 +0200
Subject: luci-mod-admin-full: protect clock, flash and opkg ops with submit
 token

* Use post_on() target to require csrf token verification for modifying actions
* Ensure that package and flash operation handlers guard modifying operations
  with parameter check

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
---
 .../luasrc/view/admin_system/clock_status.htm      |   4 +-
 .../luasrc/view/admin_system/flashops.htm          |  10 +-
 .../luasrc/view/admin_system/packages.htm          | 192 +++++++++++----------
 3 files changed, 113 insertions(+), 93 deletions(-)

(limited to 'modules/luci-mod-admin-full/luasrc/view')

diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_system/clock_status.htm b/modules/luci-mod-admin-full/luasrc/view/admin_system/clock_status.htm
index 19be072fe..37d8ae0e8 100644
--- a/modules/luci-mod-admin-full/luasrc/view/admin_system/clock_status.htm
+++ b/modules/luci-mod-admin-full/luasrc/view/admin_system/clock_status.htm
@@ -17,8 +17,8 @@
 		btn.disabled = true;
 		btn.value    = '<%:Synchronizing...%>';
 
-		XHR.get('<%=url('admin/system/clock_status')%>',
-			{ set: Math.floor((new Date()).getTime() / 1000) },
+		(new XHR()).post('<%=url('admin/system/clock_status')%>',
+			{ token: '<%=token%>', set: Math.floor((new Date()).getTime() / 1000) },
 			function()
 			{
 				btn.disabled = false;
diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_system/flashops.htm b/modules/luci-mod-admin-full/luasrc/view/admin_system/flashops.htm
index bc8bcf488..8bf199294 100644
--- a/modules/luci-mod-admin-full/luasrc/view/admin_system/flashops.htm
+++ b/modules/luci-mod-admin-full/luasrc/view/admin_system/flashops.htm
@@ -1,6 +1,6 @@
 <%#
  Copyright 2008 Steven Barth <steven@midlink.org>
- Copyright 2008 Jo-Philipp Wich <jow@openwrt.org>
+ Copyright 2008-2015 Jo-Philipp Wich <jow@openwrt.org>
  Licensed to the public under the Apache License 2.0.
 -%>
 
@@ -17,7 +17,9 @@
 
 	<fieldset class="cbi-section">
 		<legend><%:Backup / Restore%></legend>
-		<form method="post" action="<%=REQUEST_URI%>" enctype="multipart/form-data">
+		<form method="post" action="<%=url('admin/system/flashops')%>" enctype="multipart/form-data">
+			<input type="hidden" name="exec" value="1" />
+			<input type="hidden" name="token" value="<%=token%>" />
 			<div class="cbi-section-descr"><%:Click "Generate archive" to download a tar archive of the current configuration files. To reset the firmware to its initial state, click "Perform reset" (only possible with squashfs images).%></div>
 			<div class="cbi-section-node">
 				<div class="cbi-value<% if not reset_avail then %> cbi-value-last<% end %>">
@@ -54,7 +56,9 @@
 	<fieldset class="cbi-section">
 		<legend><%:Flash new firmware image%></legend>
 		<% if upgrade_avail then %>
-			<form method="post" action="<%=REQUEST_URI%>" enctype="multipart/form-data">
+			<form method="post" action="<%=url('admin/system/flashops')%>" enctype="multipart/form-data">
+				<input type="hidden" name="exec" value="1" />
+				<input type="hidden" name="token" value="<%=token%>" />
 				<div class="cbi-section-descr"><%:Upload a sysupgrade-compatible image here to replace the running firmware. Check "Keep settings" to retain the current configuration (requires an OpenWrt compatible firmware image).%></div>
 				<div class="cbi-section-node">
 					<div class="cbi-value">
diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm b/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm
index ef9591990..fbb8235ec 100644
--- a/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm
+++ b/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm
@@ -46,17 +46,18 @@ end
 
 <h2 name="content"><%:Software%></h2>
 
-<form method="post" action="<%=REQUEST_URI%>">
-	<div class="cbi-map">
+<div class="cbi-map">
 
-		<ul class="cbi-tabmenu">
-			<li class="cbi-tab"><a href="#"><%:Actions%></a></li>
-			<li class="cbi-tab-disabled"><a href="<%=REQUEST_URI%>/ipkg"><%:Configuration%></a></li>
-		</ul>
-
-		<fieldset class="cbi-section">
+	<ul class="cbi-tabmenu">
+		<li class="cbi-tab"><a href="#"><%:Actions%></a></li>
+		<li class="cbi-tab-disabled"><a href="<%=REQUEST_URI%>/ipkg"><%:Configuration%></a></li>
+	</ul>
 
+	<form method="post" action="<%=REQUEST_URI%>">
+		<input type="hidden" name="exec" value="1" />
+		<input type="hidden" name="token" value="<%=token%>" />
 
+		<fieldset class="cbi-section">
 			<fieldset class="cbi-section-node">
 				<% if (install and next(install)) or (remove and next(remove)) or update or upgrade then %>
 				<div class="cbi-value">
@@ -80,7 +81,7 @@ end
 					<% else %>
 						<%:No package lists available%>
 					<% end %>
-					<input type="button" onclick="location.href='?update=1'" href="#" class="cbi-button cbi-button-apply" style="margin-left:3em" value="<%:Update lists%>" />
+					<input type="submit" name="update" href="#" class="cbi-button cbi-button-apply" style="margin-left:3em" value="<%:Update lists%>" />
 				</div>
 				<% end %>
 
@@ -101,7 +102,7 @@ end
 					<label class="cbi-value-title"><%:Download and install package%>:</label>
 					<div class="cbi-value-field">
 						<input type="text" name="url" size="30" value="" />
-						<input class="cbi-button cbi-input-save" type="submit" name="submit" value="<%:OK%>" />
+						<input class="cbi-button cbi-input-save" type="submit" name="exec" value="<%:OK%>" />
 					</div>
 				</div>
 
@@ -114,83 +115,98 @@ end
 				</div>
 			</fieldset>
 		</fieldset>
-		<br />
-
-		<h3><%:Status%></h3>
-
-
-		<ul class="cbi-tabmenu">
-			<li class="cbi-tab<% if display ~= "installed" then %>-disabled<% end %>"><a href="?display=installed&amp;query=<%=pcdata(query)%>"><%:Installed packages%><% if query then %> (<%=pcdata(query)%>)<% end %></a></li>
-			<li class="cbi-tab<% if display ~= "available" then %>-disabled<% end %>"><a href="?display=available&amp;query=<%=pcdata(query)%>"><%:Available packages%><% if query then %> (<%=pcdata(query)%>)<% end %></a></li>
-		</ul>
-
-		<% if display ~= "available" then %>
-			<fieldset class="cbi-section">
-				<table class="cbi-section-table" style="width:100%">
-					<tr class="cbi-section-table-titles">
-						<th class="cbi-section-table-cell" style="text-align:left">&#160;</th>
-						<th class="cbi-section-table-cell" style="text-align:left"><%:Package name%></th>
-						<th class="cbi-section-table-cell" style="text-align:left"><%:Version%></th>
-					</tr>
-					<% local empty = true; luci.model.ipkg.list_installed(querypat, function(n, v, s, d) empty = false; filter[n] = true %>
-					<tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>">
-						<td style="text-align:left; width:10%"><a onclick="return window.confirm('<%:Remove%> &quot;<%=luci.util.pcdata(n)%>&quot; ?')" href="<%=REQUEST_URI%>?submit=1&amp;remove=<%=luci.util.pcdata(n)%>"><%:Remove%></a></td>
-						<td style="text-align:left"><%=luci.util.pcdata(n)%></td>
-						<td style="text-align:left"><%=luci.util.pcdata(v)%></td>
-					</tr>
-					<% end) %>
-					<% if empty then %>
-					<tr class="cbi-section-table-row">
-						<td style="text-align:left">&#160;</td>
-						<td style="text-align:left"><em><%:none%></em></td>
-						<td style="text-align:left"><em><%:none%></em></td>
-					</tr>
-					<% end %>
-				</table>
-			</fieldset>
-		<% else %>
-			<fieldset class="cbi-section">
-			<% if not querypat then %>
-				<ul class="cbi-tabmenu">
-					<% local i; for i = 65, 90 do %>
-					<li class="cbi-tab<% if letter ~= i then %>-disabled<% end %>"><a href="?display=available&amp;letter=<%=string.char(i)%>"><%=string.char(i)%></a></li>
-					<% end %>
-					<li class="cbi-tab<% if letter ~= 35 then %>-disabled<% end %>"><a href="?display=available&amp;letter=%23">#</a></li>
-				</ul>
-				<div class="cbi-section-node">
-			<% end %>
-				<table class="cbi-section-table" style="width:100%">
-					<tr class="cbi-section-table-titles">
-						<th class="cbi-section-table-cell" style="text-align:left">&#160;</th>
-						<th class="cbi-section-table-cell" style="text-align:left"><%:Package name%></th>
-						<th class="cbi-section-table-cell" style="text-align:left"><%:Version%></th>
-						<th class="cbi-section-table-cell" style="text-align:right"><%:Size (.ipk)%></th>
-						<th class="cbi-section-table-cell" style="text-align:left"><%:Description%></th>
-					</tr>
-					<% local empty = true; opkg_list(querypat or letterpat, function(n, v, s, d) if filter[n] then return end; empty = false %>
-					<tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>">
-						<td style="text-align:left; width:10%"><a onclick="return window.confirm('<%:Install%> &quot;<%=luci.util.pcdata(n)%>&quot; ?')" href="<%=REQUEST_URI%>?submit=1&amp;install=<%=luci.util.pcdata(n)%>"><%:Install%></a></td>
-						<td style="text-align:left"><%=luci.util.pcdata(n)%></td>
-						<td style="text-align:left"><%=luci.util.pcdata(v)%></td>
-						<td style="text-align:right"><%=luci.util.pcdata(s)%></td>
-						<td style="text-align:left"><%=luci.util.pcdata(d)%></td>
-					</tr>
-					<% end) %>
-					<% if empty then %>
-					<tr class="cbi-section-table-row">
-						<td style="text-align:left">&#160;</td>
-						<td style="text-align:left"><em><%:none%></em></td>
-						<td style="text-align:left"><em><%:none%></em></td>
-						<td style="text-align:right"><em><%:none%></em></td>
-						<td style="text-align:left"><em><%:none%></em></td>
-					</tr>
-					<% end %>
-				</table>
-			<% if not querypat then %>
-				</div>
-			<% end %>
-			</fieldset>
+	</form>
+
+
+	<h3><%:Status%></h3>
+
+
+	<ul class="cbi-tabmenu">
+		<li class="cbi-tab<% if display ~= "installed" then %>-disabled<% end %>"><a href="?display=installed&amp;query=<%=pcdata(query)%>"><%:Installed packages%><% if query then %> (<%=pcdata(query)%>)<% end %></a></li>
+		<li class="cbi-tab<% if display ~= "available" then %>-disabled<% end %>"><a href="?display=available&amp;query=<%=pcdata(query)%>"><%:Available packages%><% if query then %> (<%=pcdata(query)%>)<% end %></a></li>
+	</ul>
+
+	<% if display ~= "available" then %>
+		<fieldset class="cbi-section">
+			<table class="cbi-section-table" style="width:100%">
+				<tr class="cbi-section-table-titles">
+					<th class="cbi-section-table-cell" style="text-align:left">&#160;</th>
+					<th class="cbi-section-table-cell" style="text-align:left"><%:Package name%></th>
+					<th class="cbi-section-table-cell" style="text-align:left"><%:Version%></th>
+				</tr>
+				<% local empty = true; luci.model.ipkg.list_installed(querypat, function(n, v, s, d) empty = false; filter[n] = true %>
+				<tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>">
+					<td style="text-align:left; width:10%">
+						<form method="post" class="inline" action="<%=REQUEST_URI%>">
+							<input type="hidden" name="exec" value="1" />
+							<input type="hidden" name="token" value="<%=token%>" />
+							<input type="hidden" name="remove" value="<%=pcdata(n)%>" />
+							<a onclick="window.confirm('<%:Remove%> &quot;<%=luci.util.pcdata(n)%>&quot; ?') && this.parentNode.submit(); return false" href="#"><%:Remove%></a>
+						</form>
+					</td>
+					<td style="text-align:left"><%=luci.util.pcdata(n)%></td>
+					<td style="text-align:left"><%=luci.util.pcdata(v)%></td>
+				</tr>
+				<% end) %>
+				<% if empty then %>
+				<tr class="cbi-section-table-row">
+					<td style="text-align:left">&#160;</td>
+					<td style="text-align:left"><em><%:none%></em></td>
+					<td style="text-align:left"><em><%:none%></em></td>
+				</tr>
+				<% end %>
+			</table>
+		</fieldset>
+	<% else %>
+		<fieldset class="cbi-section">
+		<% if not querypat then %>
+			<ul class="cbi-tabmenu">
+				<% local i; for i = 65, 90 do %>
+				<li class="cbi-tab<% if letter ~= i then %>-disabled<% end %>"><a href="?display=available&amp;letter=<%=string.char(i)%>"><%=string.char(i)%></a></li>
+				<% end %>
+				<li class="cbi-tab<% if letter ~= 35 then %>-disabled<% end %>"><a href="?display=available&amp;letter=%23">#</a></li>
+			</ul>
+			<div class="cbi-section-node">
+		<% end %>
+			<table class="cbi-section-table" style="width:100%">
+				<tr class="cbi-section-table-titles">
+					<th class="cbi-section-table-cell" style="text-align:left">&#160;</th>
+					<th class="cbi-section-table-cell" style="text-align:left"><%:Package name%></th>
+					<th class="cbi-section-table-cell" style="text-align:left"><%:Version%></th>
+					<th class="cbi-section-table-cell" style="text-align:right"><%:Size (.ipk)%></th>
+					<th class="cbi-section-table-cell" style="text-align:left"><%:Description%></th>
+				</tr>
+				<% local empty = true; opkg_list(querypat or letterpat, function(n, v, s, d) if filter[n] then return end; empty = false %>
+				<tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>">
+					<td style="text-align:left; width:10%">
+						<form method="post" class="inline" action="<%=REQUEST_URI%>">
+							<input type="hidden" name="exec" value="1" />
+							<input type="hidden" name="token" value="<%=token%>" />
+							<input type="hidden" name="install" value="<%=pcdata(n)%>" />
+							<a onclick="window.confirm('<%:Install%> &quot;<%=luci.util.pcdata(n)%>&quot; ?') && this.parentNode.submit(); return false" href="#"><%:Install%></a>
+						</form>
+					</td>
+					<td style="text-align:left"><%=luci.util.pcdata(n)%></td>
+					<td style="text-align:left"><%=luci.util.pcdata(v)%></td>
+					<td style="text-align:right"><%=luci.util.pcdata(s)%></td>
+					<td style="text-align:left"><%=luci.util.pcdata(d)%></td>
+				</tr>
+				<% end) %>
+				<% if empty then %>
+				<tr class="cbi-section-table-row">
+					<td style="text-align:left">&#160;</td>
+					<td style="text-align:left"><em><%:none%></em></td>
+					<td style="text-align:left"><em><%:none%></em></td>
+					<td style="text-align:right"><em><%:none%></em></td>
+					<td style="text-align:left"><em><%:none%></em></td>
+				</tr>
+				<% end %>
+			</table>
+		<% if not querypat then %>
+			</div>
 		<% end %>
-	</div>
-</form>
+		</fieldset>
+	<% end %>
+</div>
+
 <%+footer%>
-- 
cgit v1.2.3