Difuse/luci
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

libs/web: Prevent luci.http to prematurely parse the POST data

Browse source 
modules/admin-mini: Added fw-upgrade page
This commit is contained in:
Steven Barth 2008-07-16 14:26:40 +00:00
parent 65cde96c5b
commit 66a6492ae5
6 changed files with 183 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
applications/luci-statistics/luasrc/controller/luci_statistics/luci_statistics.lua
View file

@ -80,7 +80,7 @@ function index()
page.setuser = "nobody" page.setuser = "nobody"
page.setgroup = "nogroup" page.setgroup = "nogroup"
local vars = luci.http.formvalue() local vars = luci.http.formvalue(nil, true)
local span = vars.timespan or nil local span = vars.timespan or nil
for i, plugin in luci.util.vspairs( tree:plugins() ) do for i, plugin in luci.util.vspairs( tree:plugins() ) do

4
libs/web/luasrc/http.lua
View file

@ -51,8 +51,8 @@ function Request.__init__(self, env, sourcein, sinkerr)
self.parsed_input = false self.parsed_input = false
end end
function Request.formvalue(self, name) function Request.formvalue(self, name, noparse)
if not self.parsed_input then if not noparse and not self.parsed_input then
self:_parse_input() self:_parse_input()
end end

29
modules/admin-full/luasrc/controller/admin/system.lua
View file

@ -197,13 +197,30 @@ end
function action_upgrade() function action_upgrade()
require("luci.model.uci") require("luci.model.uci")
local ret = nil local ret = nil
local plat = luci.fs.mtime("/lib/upgrade/platform.sh") local plat = luci.fs.mtime("/lib/upgrade/platform.sh")
local tmpfile = "/tmp/firmware.img"
local image = luci.http.upload("image")
local file
luci.http.setfilehandler(
function(meta, chunk, eof)
if not file then
file = io.open(tmpfile, "w")
end
if chunk then
file:write(chunk)
end
if eof then
file:close()
end
end
)
local fname = luci.http.formvalue("image")
local keepcfg = luci.http.formvalue("keepcfg") local keepcfg = luci.http.formvalue("keepcfg")
if plat and image then if plat and fname then
local kpattern = nil local kpattern = nil
if keepcfg then if keepcfg then
local files = luci.model.uci.get_all("luci", "flash_keep") local files = luci.model.uci.get_all("luci", "flash_keep")
@ -214,8 +231,8 @@ function action_upgrade()
end end
end end
end end
ret = luci.sys.flash(image, kpattern) ret = luci.sys.flash(tmpfile, kpattern)
end end
luci.template.render("admin_system/upgrade", {sysupgrade=plat, ret=ret}) luci.template.render("admin_system/upgrade", {sysupgrade=plat, ret=ret})
end end

62
modules/admin-mini/luasrc/controller/mini/system.lua
View file

@ -20,7 +20,9 @@ function index()
local i18n = luci.i18n.translate local i18n = luci.i18n.translate
entry({"mini", "system"}, call("action_reboot"), i18n("system")) entry({"mini", "system"}, call("action_reboot"), i18n("system"))
entry({"mini", "system", "reboot"}, call("action_reboot"), i18n("reboot"), 10) entry({"admin", "system", "passwd"}, call("action_passwd"), i18n("a_s_changepw"), 10)
entry({"mini", "system", "upgrade"}, call("action_upgrade"), i18n("a_s_flash"), 20)
entry({"mini", "system", "reboot"}, call("action_reboot"), i18n("reboot"), 30)
end end
function action_reboot() function action_reboot()
@ -29,4 +31,62 @@ function action_reboot()
if reboot then if reboot then
luci.sys.reboot() luci.sys.reboot()
end end
end
function action_upgrade()
require("luci.model.uci")
local ret = nil
local plat = luci.fs.mtime("/lib/upgrade/platform.sh")
local tmpfile = "/tmp/firmware.img"
local file
luci.http.setfilehandler(
function(meta, chunk, eof)
if not file then
file = io.open(tmpfile, "w")
end
if chunk then
file:write(chunk)
end
if eof then
file:close()
end
end
)
local fname = luci.http.formvalue("image")
local keepcfg = luci.http.formvalue("keepcfg")
if plat and fname then
local kpattern = nil
if keepcfg then
local files = luci.model.uci.get_all("luci", "flash_keep")
if files.luci and files.luci.flash_keep then
kpattern = ""
for k,v in pairs(files.luci.flash_keep) do
kpattern = kpattern .. " " .. v
end
end
end
ret = luci.sys.flash(tmpfile, kpattern)
end
luci.template.render("mini/upgrade", {sysupgrade=plat, ret=ret})
end
function action_passwd()
local p1 = luci.http.formvalue("pwd1")
local p2 = luci.http.formvalue("pwd2")
local stat = nil
if p1 or p2 then
if p1 == p2 then
stat = luci.sys.user.setpasswd("root", p1)
else
stat = 10
end
end
luci.template.render("mini/passwd", {stat=stat})
end end

49
modules/admin-mini/luasrc/view/mini/passwd.htm Normal file
View file

@ -0,0 +1,49 @@
<%#
LuCI - Lua Configuration Interface
Copyright 2008 Steven Barth <steven@midlink.org>
Copyright 2008 Jo-Philipp Wich <xm@leipzig.freifunk.net>
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
$Id$
-%>
<%+header%>
<h1><%:system%></h1>
<h2><%:a_s_changepw%></h2>
<p><%:a_s_changepw1%></p>
<div><br />
<% if stat then %>
<% if stat == 0 then %>
<code><%:a_s_changepw_changed%>!</code>
<% elseif stat == 10 then %>
<code class="error"><%:a_s_changepw_nomatch%>!</code>
<% else %>
<code class="error"><%:unknownerror%>!</code>
<% end %>
<% end %>
<% if not stat or stat == 10 then %>
<form method="post" action="<%=controller%>/admin/system/passwd">
<div class="cbi-section-node">
<div class="cbi-value">
<div class="cbi-value-title"><%:password%></div>
<div class="cbi-value-field"><input type="password" name="pwd1" /></div>
</div>
<div class="cbi-value">
<div class="cbi-value-title"><%:confirmation%></div>
<div class="cbi-value-field"><input type="password" name="pwd2" /></div>
</div>
<br />
<div>
<input type="submit" value="<%:save%>" />
<input type="reset" value="<%:reset%>" />
</div>
</div>
</form>
<% end %>
</div>
<%+footer%>

47
modules/admin-mini/luasrc/view/mini/upgrade.htm Normal file
View file

@ -0,0 +1,47 @@
<%#
LuCI - Lua Configuration Interface
Copyright 2008 Steven Barth <steven@midlink.org>
Copyright 2008 Jo-Philipp Wich <xm@leipzig.freifunk.net>
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
$Id$
-%>
<%+header%>
<h1><%:system%></h1>
<h2><%:a_s_flash%></h2>
<p><%:a_s_flash_upgrade1%></p>
<br />
<% if sysupgrade and not ret then %>
<form method="post" action="<%=REQUEST_URI%>" enctype="multipart/form-data">
<div class="cbi-section-node">
<div class="cbi-value clear">
<div class="cbi-value-title left"><%:a_s_flash_fwimage%></div>
<div class="cbi-value-field"><input type="file" size="30" name="image" /></div>
</div>
<br />
<div class="cbi-value clear">
<input type="checkbox" name="keepcfg" value="1" checked="checked" />
<span class="bold"><%:a_s_flash_keepcfg%></span>
</div>
<br />
<div>
<input type="submit" value="<%:a_s_flash_fwupgrade%>" />
</div>
</div>
</form>
<% elseif ret then %>
<% if ret == 0 then %>
<div class="ok"><%:a_s_flash_flashed%></div>
<% else %>
<div class="error"><%:a_s_flash_flasherr%>! (<%:code%> <%=ret%>)</div>
<% end %>
<% else %>
<div class="error"><%:a_s_flash_notimplemented%></div>
<% end %>
<%+footer%>