Difuse/luci
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

luci-mod-admin-full: protect clock, flash and opkg ops with submit token

Browse source 
* Use post_on() target to require csrf token verification for modifying actions
* Ensure that package and flash operation handlers guard modifying operations
  with parameter check

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
This commit is contained in:
Jo-Philipp Wich 2015-10-20 21:01:41 +02:00
parent 562c47e5fd
commit b5826f1ffb
4 changed files with 258 additions and 219 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

65
modules/luci-mod-admin-full/luasrc/controller/admin/system.lua
View file

@ -9,12 +9,12 @@ function index()
entry({"admin", "system"}, alias("admin", "system", "system"), _("System"), 30).index = true entry({"admin", "system"}, alias("admin", "system", "system"), _("System"), 30).index = true
entry({"admin", "system", "system"}, cbi("admin_system/system"), _("System"), 1) entry({"admin", "system", "system"}, cbi("admin_system/system"), _("System"), 1)
entry({"admin", "system", "clock_status"}, call("action_clock_status")) entry({"admin", "system", "clock_status"}, post_on({ set = true }, "action_clock_status"))
entry({"admin", "system", "admin"}, cbi("admin_system/admin"), _("Administration"), 2) entry({"admin", "system", "admin"}, cbi("admin_system/admin"), _("Administration"), 2)
if fs.access("/bin/opkg") then if fs.access("/bin/opkg") then
entry({"admin", "system", "packages"}, call("action_packages"), _("Software"), 10) entry({"admin", "system", "packages"}, post_on({ exec = "1" }, "action_packages"), _("Software"), 10)
entry({"admin", "system", "packages", "ipkg"}, form("admin_system/ipkg")) entry({"admin", "system", "packages", "ipkg"}, form("admin_system/ipkg"))
end end
@ -31,7 +31,7 @@ function index()
entry({"admin", "system", "leds"}, cbi("admin_system/leds"), _("<abbr title=\"Light Emitting Diode\">LED</abbr> Configuration"), 60) entry({"admin", "system", "leds"}, cbi("admin_system/leds"), _("<abbr title=\"Light Emitting Diode\">LED</abbr> Configuration"), 60)
end end
entry({"admin", "system", "flashops"}, call("action_flashops"), _("Backup / Flash Firmware"), 70) entry({"admin", "system", "flashops"}, post_on({ exec = "1" }, "action_flashops"), _("Backup / Flash Firmware"), 70)
entry({"admin", "system", "flashops", "backupfiles"}, form("admin_system/backupfiles")) entry({"admin", "system", "flashops", "backupfiles"}, form("admin_system/backupfiles"))
entry({"admin", "system", "reboot"}, template("admin_system/reboot"), _("Reboot"), 90) entry({"admin", "system", "reboot"}, template("admin_system/reboot"), _("Reboot"), 90)
@ -56,7 +56,8 @@ end
function action_packages() function action_packages()
local fs = require "nixio.fs" local fs = require "nixio.fs"
local ipkg = require "luci.model.ipkg" local ipkg = require "luci.model.ipkg"
local submit = luci.http.formvalue("submit") local submit = (luci.http.formvalue("exec") == "1")
local update, upgrade
local changes = false local changes = false
local install = { } local install = { }
local remove = { } local remove = { }
@ -76,13 +77,15 @@ function action_packages()
query = (query ~= '') and query or nil query = (query ~= '') and query or nil
-- Modifying actions
if submit then
-- Packets to be installed -- Packets to be installed
local ninst = submit and luci.http.formvalue("install") local ninst = luci.http.formvalue("install")
local uinst = nil local uinst = nil
-- Install from URL -- Install from URL
local url = luci.http.formvalue("url") local url = luci.http.formvalue("url")
if url and url ~= '' and submit then if url and url ~= '' then
uinst = url uinst = url
end end
@ -105,7 +108,7 @@ function action_packages()
end end
-- Remove packets -- Remove packets
local rem = submit and luci.http.formvalue("remove") local rem = luci.http.formvalue("remove")
if rem then if rem then
remove[rem], out, err = ipkg.remove(rem) remove[rem], out, err = ipkg.remove(rem)
stdout[#stdout+1] = out stdout[#stdout+1] = out
@ -115,7 +118,7 @@ function action_packages()
-- Update all packets -- Update all packets
local update = luci.http.formvalue("update") update = luci.http.formvalue("update")
if update then if update then
update, out, err = ipkg.update() update, out, err = ipkg.update()
stdout[#stdout+1] = out stdout[#stdout+1] = out
@ -124,12 +127,13 @@ function action_packages()
-- Upgrade all packets -- Upgrade all packets
local upgrade = luci.http.formvalue("upgrade") upgrade = luci.http.formvalue("upgrade")
if upgrade then if upgrade then
upgrade, out, err = ipkg.upgrade() upgrade, out, err = ipkg.upgrade()
stdout[#stdout+1] = out stdout[#stdout+1] = out
stderr[#stderr+1] = err stderr[#stderr+1] = err
end end
end
-- List state -- List state
@ -168,9 +172,12 @@ function action_packages()
end end
function action_flashops() function action_flashops()
local http = require "luci.http"
local sys = require "luci.sys" local sys = require "luci.sys"
local fs = require "nixio.fs" local fs = require "nixio.fs"
local submit = (http.formvalue("exec") == "1")
local upgrade_avail = fs.access("/lib/upgrade/platform.sh") local upgrade_avail = fs.access("/lib/upgrade/platform.sh")
local reset_avail = os.execute([[grep '"rootfs_data"' /proc/mtd >/dev/null 2>&1]]) == 0 local reset_avail = os.execute([[grep '"rootfs_data"' /proc/mtd >/dev/null 2>&1]]) == 0
@ -208,9 +215,13 @@ function action_flashops()
return size return size
end end
--
-- Handle modifying actions
--
if submit then
local fp local fp
luci.http.setfilehandler( http.setfilehandler(
function(meta, chunk, eof) function(meta, chunk, eof)
if not fp then if not fp then
if meta and meta.name == "image" then if meta and meta.name == "image" then
@ -228,36 +239,40 @@ function action_flashops()
end end
) )
if luci.http.formvalue("backup") then if http.formvalue("backup") then
-- --
-- Assemble file list, generate backup -- Assemble file list, generate backup
-- --
local reader = ltn12_popen(backup_cmd) local reader = ltn12_popen(backup_cmd)
luci.http.header('Content-Disposition', 'attachment; filename="backup-%s-%s.tar.gz"' % { http.header('Content-Disposition', 'attachment; filename="backup-%s-%s.tar.gz"' % {
luci.sys.hostname(), os.date("%Y-%m-%d")}) luci.sys.hostname(), os.date("%Y-%m-%d")})
luci.http.prepare_content("application/x-targz") http.prepare_content("application/x-targz")
luci.ltn12.pump.all(reader, luci.http.write) luci.ltn12.pump.all(reader, http.write)
elseif luci.http.formvalue("restore") then return
elseif http.formvalue("restore") then
-- --
-- Unpack received .tar.gz -- Unpack received .tar.gz
-- --
local upload = luci.http.formvalue("archive") local upload = http.formvalue("archive")
if upload and #upload > 0 then if upload and #upload > 0 then
luci.template.render("admin_system/applyreboot") luci.template.render("admin_system/applyreboot")
luci.sys.reboot() luci.sys.reboot()
return
end end
elseif luci.http.formvalue("image") or luci.http.formvalue("step") then
elseif http.formvalue("image") or http.formvalue("step") then
-- --
-- Initiate firmware flash -- Initiate firmware flash
-- --
local step = tonumber(luci.http.formvalue("step") or 1) local step = tonumber(http.formvalue("step") or 1)
if step == 1 then if step == 1 then
if image_supported() then if image_supported() then
luci.template.render("admin_system/upgrade", { luci.template.render("admin_system/upgrade", {
checksum = image_checksum(), checksum = image_checksum(),
storage = storage_size(), storage = storage_size(),
size = (fs.stat(image_tmp, "size") or 0), size = (fs.stat(image_tmp, "size") or 0),
keep = (not not luci.http.formvalue("keep")) keep = (not not http.formvalue("keep"))
}) })
else else
fs.unlink(image_tmp) fs.unlink(image_tmp)
@ -267,19 +282,21 @@ function action_flashops()
image_invalid = true image_invalid = true
}) })
end end
return
-- --
-- Start sysupgrade flash -- Start sysupgrade flash
-- --
elseif step == 2 then elseif step == 2 then
local keep = (luci.http.formvalue("keep") == "1") and "" or "-n" local keep = (http.formvalue("keep") == "1") and "" or "-n"
luci.template.render("admin_system/applyreboot", { luci.template.render("admin_system/applyreboot", {
title = luci.i18n.translate("Flashing..."), title = luci.i18n.translate("Flashing..."),
msg = luci.i18n.translate("The system is flashing now.<br /> DO NOT POWER OFF THE DEVICE!<br /> Wait a few minutes before you try to reconnect. It might be necessary to renew the address of your computer to reach the device again, depending on your settings."), msg = luci.i18n.translate("The system is flashing now.<br /> DO NOT POWER OFF THE DEVICE!<br /> Wait a few minutes before you try to reconnect. It might be necessary to renew the address of your computer to reach the device again, depending on your settings."),
addr = (#keep > 0) and "192.168.1.1" or nil addr = (#keep > 0) and "192.168.1.1" or nil
}) })
fork_exec("killall dropbear uhttpd; sleep 1; /sbin/sysupgrade %s %q" %{ keep, image_tmp }) fork_exec("killall dropbear uhttpd; sleep 1; /sbin/sysupgrade %s %q" %{ keep, image_tmp })
return
end end
elseif reset_avail and luci.http.formvalue("reset") then elseif reset_avail and http.formvalue("reset") then
-- --
-- Reset system -- Reset system
-- --
@ -289,7 +306,10 @@ function action_flashops()
addr = "192.168.1.1" addr = "192.168.1.1"
}) })
fork_exec("killall dropbear uhttpd; sleep 1; mtd -r erase rootfs_data") fork_exec("killall dropbear uhttpd; sleep 1; mtd -r erase rootfs_data")
else return
end
end
-- --
-- Overview -- Overview
-- --
@ -297,7 +317,6 @@ function action_flashops()
reset_avail = reset_avail, reset_avail = reset_avail,
upgrade_avail = upgrade_avail upgrade_avail = upgrade_avail
}) })
end
end end
function action_passwd() function action_passwd()

4
modules/luci-mod-admin-full/luasrc/view/admin_system/clock_status.htm
View file

@ -17,8 +17,8 @@
btn.disabled = true; btn.disabled = true;
btn.value = '<%:Synchronizing...%>'; btn.value = '<%:Synchronizing...%>';
XHR.get('<%=url('admin/system/clock_status')%>', (new XHR()).post('<%=url('admin/system/clock_status')%>',
{ set: Math.floor((new Date()).getTime() / 1000) }, { token: '<%=token%>', set: Math.floor((new Date()).getTime() / 1000) },
function() function()
{ {
btn.disabled = false; btn.disabled = false;

10
modules/luci-mod-admin-full/luasrc/view/admin_system/flashops.htm
View file

@ -1,6 +1,6 @@
<%# <%#
Copyright 2008 Steven Barth <steven@midlink.org> Copyright 2008 Steven Barth <steven@midlink.org>
Copyright 2008 Jo-Philipp Wich <jow@openwrt.org> Copyright 2008-2015 Jo-Philipp Wich <jow@openwrt.org>
Licensed to the public under the Apache License 2.0. Licensed to the public under the Apache License 2.0.
-%> -%>
@ -17,7 +17,9 @@
<fieldset class="cbi-section"> <fieldset class="cbi-section">
<legend><%:Backup / Restore%></legend> <legend><%:Backup / Restore%></legend>
<form method="post" action="<%=REQUEST_URI%>" enctype="multipart/form-data"> <form method="post" action="<%=url('admin/system/flashops')%>" enctype="multipart/form-data">
<input type="hidden" name="exec" value="1" />
<input type="hidden" name="token" value="<%=token%>" />
<div class="cbi-section-descr"><%:Click "Generate archive" to download a tar archive of the current configuration files. To reset the firmware to its initial state, click "Perform reset" (only possible with squashfs images).%></div> <div class="cbi-section-descr"><%:Click "Generate archive" to download a tar archive of the current configuration files. To reset the firmware to its initial state, click "Perform reset" (only possible with squashfs images).%></div>
<div class="cbi-section-node"> <div class="cbi-section-node">
<div class="cbi-value<% if not reset_avail then %> cbi-value-last<% end %>"> <div class="cbi-value<% if not reset_avail then %> cbi-value-last<% end %>">
@ -54,7 +56,9 @@
<fieldset class="cbi-section"> <fieldset class="cbi-section">
<legend><%:Flash new firmware image%></legend> <legend><%:Flash new firmware image%></legend>
<% if upgrade_avail then %> <% if upgrade_avail then %>
<form method="post" action="<%=REQUEST_URI%>" enctype="multipart/form-data"> <form method="post" action="<%=url('admin/system/flashops')%>" enctype="multipart/form-data">
<input type="hidden" name="exec" value="1" />
<input type="hidden" name="token" value="<%=token%>" />
<div class="cbi-section-descr"><%:Upload a sysupgrade-compatible image here to replace the running firmware. Check "Keep settings" to retain the current configuration (requires an OpenWrt compatible firmware image).%></div> <div class="cbi-section-descr"><%:Upload a sysupgrade-compatible image here to replace the running firmware. Check "Keep settings" to retain the current configuration (requires an OpenWrt compatible firmware image).%></div>
<div class="cbi-section-node"> <div class="cbi-section-node">
<div class="cbi-value"> <div class="cbi-value">

38
modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm
View file

@ -46,17 +46,18 @@ end
<h2 name="content"><%:Software%></h2> <h2 name="content"><%:Software%></h2>
<form method="post" action="<%=REQUEST_URI%>"> <div class="cbi-map">
<div class="cbi-map">
<ul class="cbi-tabmenu"> <ul class="cbi-tabmenu">
<li class="cbi-tab"><a href="#"><%:Actions%></a></li> <li class="cbi-tab"><a href="#"><%:Actions%></a></li>
<li class="cbi-tab-disabled"><a href="<%=REQUEST_URI%>/ipkg"><%:Configuration%></a></li> <li class="cbi-tab-disabled"><a href="<%=REQUEST_URI%>/ipkg"><%:Configuration%></a></li>
</ul> </ul>
<form method="post" action="<%=REQUEST_URI%>">
<input type="hidden" name="exec" value="1" />
<input type="hidden" name="token" value="<%=token%>" />
<fieldset class="cbi-section"> <fieldset class="cbi-section">
<fieldset class="cbi-section-node"> <fieldset class="cbi-section-node">
<% if (install and next(install)) or (remove and next(remove)) or update or upgrade then %> <% if (install and next(install)) or (remove and next(remove)) or update or upgrade then %>
<div class="cbi-value"> <div class="cbi-value">
@ -80,7 +81,7 @@ end
<% else %> <% else %>
<%:No package lists available%> <%:No package lists available%>
<% end %> <% end %>
<input type="button" onclick="location.href='?update=1'" href="#" class="cbi-button cbi-button-apply" style="margin-left:3em" value="<%:Update lists%>" /> <input type="submit" name="update" href="#" class="cbi-button cbi-button-apply" style="margin-left:3em" value="<%:Update lists%>" />
</div> </div>
<% end %> <% end %>
@ -101,7 +102,7 @@ end
<label class="cbi-value-title"><%:Download and install package%>:</label> <label class="cbi-value-title"><%:Download and install package%>:</label>
<div class="cbi-value-field"> <div class="cbi-value-field">
<input type="text" name="url" size="30" value="" /> <input type="text" name="url" size="30" value="" />
<input class="cbi-button cbi-input-save" type="submit" name="submit" value="<%:OK%>" /> <input class="cbi-button cbi-input-save" type="submit" name="exec" value="<%:OK%>" />
</div> </div>
</div> </div>
@ -114,7 +115,8 @@ end
</div> </div>
</fieldset> </fieldset>
</fieldset> </fieldset>
<br /> </form>
<h3><%:Status%></h3> <h3><%:Status%></h3>
@ -134,7 +136,14 @@ end
</tr> </tr>
<% local empty = true; luci.model.ipkg.list_installed(querypat, function(n, v, s, d) empty = false; filter[n] = true %> <% local empty = true; luci.model.ipkg.list_installed(querypat, function(n, v, s, d) empty = false; filter[n] = true %>
<tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>"> <tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>">
<td style="text-align:left; width:10%"><a onclick="return window.confirm('<%:Remove%> &quot;<%=luci.util.pcdata(n)%>&quot; ?')" href="<%=REQUEST_URI%>?submit=1&amp;remove=<%=luci.util.pcdata(n)%>"><%:Remove%></a></td> <td style="text-align:left; width:10%">
<form method="post" class="inline" action="<%=REQUEST_URI%>">
<input type="hidden" name="exec" value="1" />
<input type="hidden" name="token" value="<%=token%>" />
<input type="hidden" name="remove" value="<%=pcdata(n)%>" />
<a onclick="window.confirm('<%:Remove%> &quot;<%=luci.util.pcdata(n)%>&quot; ?') && this.parentNode.submit(); return false" href="#"><%:Remove%></a>
</form>
</td>
<td style="text-align:left"><%=luci.util.pcdata(n)%></td> <td style="text-align:left"><%=luci.util.pcdata(n)%></td>
<td style="text-align:left"><%=luci.util.pcdata(v)%></td> <td style="text-align:left"><%=luci.util.pcdata(v)%></td>
</tr> </tr>
@ -169,7 +178,14 @@ end
</tr> </tr>
<% local empty = true; opkg_list(querypat or letterpat, function(n, v, s, d) if filter[n] then return end; empty = false %> <% local empty = true; opkg_list(querypat or letterpat, function(n, v, s, d) if filter[n] then return end; empty = false %>
<tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>"> <tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>">
<td style="text-align:left; width:10%"><a onclick="return window.confirm('<%:Install%> &quot;<%=luci.util.pcdata(n)%>&quot; ?')" href="<%=REQUEST_URI%>?submit=1&amp;install=<%=luci.util.pcdata(n)%>"><%:Install%></a></td> <td style="text-align:left; width:10%">
<form method="post" class="inline" action="<%=REQUEST_URI%>">
<input type="hidden" name="exec" value="1" />
<input type="hidden" name="token" value="<%=token%>" />
<input type="hidden" name="install" value="<%=pcdata(n)%>" />
<a onclick="window.confirm('<%:Install%> &quot;<%=luci.util.pcdata(n)%>&quot; ?') && this.parentNode.submit(); return false" href="#"><%:Install%></a>
</form>
</td>
<td style="text-align:left"><%=luci.util.pcdata(n)%></td> <td style="text-align:left"><%=luci.util.pcdata(n)%></td>
<td style="text-align:left"><%=luci.util.pcdata(v)%></td> <td style="text-align:left"><%=luci.util.pcdata(v)%></td>
<td style="text-align:right"><%=luci.util.pcdata(s)%></td> <td style="text-align:right"><%=luci.util.pcdata(s)%></td>
@ -191,6 +207,6 @@ end
<% end %> <% end %>
</fieldset> </fieldset>
<% end %> <% end %>
</div> </div>
</form>
<%+footer%> <%+footer%>