Age | Commit message | Author |
|
According to the JSON-RPC 2.0 specification, the "params" value can be either
an Array or Object. This change makes parse_json_rpc() accept both.
Type validation should be handled by a function that actually reads
"params" depending on expected format. This doesn't change existing
behaviour but allows adding more methods (that expect Object) in the
future.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
|
|
Both: uh_ubus_send_request() and uh_ubus_send_list() don't use it.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
|
|
There is no point in parsing "call" specific params for other ("list")
method calls. This is a minor cleanup that doesn't change uhttpd ubus
behaviour.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Acked-by: Jo-Philipp Wich <jo@mein.io>
|
|
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
After format string checks were activated in libubox the compiler
started to complain about multiple misuses in uhttpd. This fixes the
format strings without changing the behavior.
blobmsg_get_string() just checks if the parameter is not NULL and then
calls blobmsg_data() and casts the result.
I think none of these problems is security relevant.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
|
Signed-off-by: John Crispin <blogic@openwrt.org>
|
|
uhttpd modifies the list_head member of the uhttpd_plugin struct when
loading a plugin, therefore we cannot make it const, otherwise we
trigger a security violation if uhttpd is built with RelRO support.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
In order to support cross-domain AJAX requests to the /ubus endpoint
we need to implement the Cross-Origin Resource Sharing (CORS) spec
in the ubus plugin.
- Implement a new option "-X" to enable CORS support in ubus
- Implement rudimentary support for "OPTIONS" HTTP requests
- Implement essential CORS headers in the ubus plugin
The current CORS response headers merely reflect the request headers
sent by the client; this way any requesting origin is automatically
allowed. Cross-domain cookies (Access-Control-Allow-Credentials) are
unconditionally enabled.
Restricting permitted origins and toggling the credential accepting can
be made configurable in a future commit to allow more fine grained
control over permitted AJAX clients.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
bit of bandwidth
|
|
The ubus plugin calls blocking ubus functions that loop back into
uloop_run. Protect the client data structure with refcounting to ensure
that the outer uloop_run call does not clean up the data that the inner
uloop_run call is still processing.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
|
|
session.access
|
|
injecting different SIDs
|
|
procedure
|
|
information leakage via the post url
|
|
corruption with concurrent requests
|
|
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
|
|
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
|
|
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
|
|
other services provide the session api
|
|
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
|