luci-mod-admin-full: protect clock, flash and opkg ops with submit token
* Use post_on() target to require csrf token verification for modifying actions * Ensure that package and flash operation handlers guard modifying operations with parameter check Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
This commit is contained in:
Jo-Philipp Wich
parent
562c47e5fd
commit
b5826f1ffb
4 changed files with 258 additions and 219 deletions
|
|
@ -9,12 +9,12 @@ function index()
|
|||
|
||||
entry({"admin", "system"}, alias("admin", "system", "system"), _("System"), 30).index = true
|
||||
entry({"admin", "system", "system"}, cbi("admin_system/system"), _("System"), 1)
|
||||
entry({"admin", "system", "clock_status"}, call("action_clock_status"))
|
||||
entry({"admin", "system", "clock_status"}, post_on({ set = true }, "action_clock_status"))
|
||||
|
||||
entry({"admin", "system", "admin"}, cbi("admin_system/admin"), _("Administration"), 2)
|
||||
|
||||
if fs.access("/bin/opkg") then
|
||||
entry({"admin", "system", "packages"}, call("action_packages"), _("Software"), 10)
|
||||
entry({"admin", "system", "packages"}, post_on({ exec = "1" }, "action_packages"), _("Software"), 10)
|
||||
entry({"admin", "system", "packages", "ipkg"}, form("admin_system/ipkg"))
|
||||
end
|
||||
|
||||
|
|
@ -31,7 +31,7 @@ function index()
|
|||
entry({"admin", "system", "leds"}, cbi("admin_system/leds"), _("<abbr title=\"Light Emitting Diode\">LED</abbr> Configuration"), 60)
|
||||
end
|
||||
|
||||
entry({"admin", "system", "flashops"}, call("action_flashops"), _("Backup / Flash Firmware"), 70)
|
||||
entry({"admin", "system", "flashops"}, post_on({ exec = "1" }, "action_flashops"), _("Backup / Flash Firmware"), 70)
|
||||
entry({"admin", "system", "flashops", "backupfiles"}, form("admin_system/backupfiles"))
|
||||
|
||||
entry({"admin", "system", "reboot"}, template("admin_system/reboot"), _("Reboot"), 90)
|
||||
|
|
@ -56,7 +56,8 @@ end
|
|||
function action_packages()
|
||||
local fs = require "nixio.fs"
|
||||
local ipkg = require "luci.model.ipkg"
|
||||
local submit = luci.http.formvalue("submit")
|
||||
local submit = (luci.http.formvalue("exec") == "1")
|
||||
local update, upgrade
|
||||
local changes = false
|
||||
local install = { }
|
||||
local remove = { }
|
||||
|
|
@ -76,13 +77,15 @@ function action_packages()
|
|||
query = (query ~= '') and query or nil
|
||||
|
||||
|
||||
-- Modifying actions
|
||||
if submit then
|
||||
-- Packets to be installed
|
||||
local ninst = submit and luci.http.formvalue("install")
|
||||
local ninst = luci.http.formvalue("install")
|
||||
local uinst = nil
|
||||
|
||||
-- Install from URL
|
||||
local url = luci.http.formvalue("url")
|
||||
if url and url ~= '' and submit then
|
||||
if url and url ~= '' then
|
||||
uinst = url
|
||||
end
|
||||
|
||||
|
|
@ -105,7 +108,7 @@ function action_packages()
|
|||
end
|
||||
|
||||
-- Remove packets
|
||||
local rem = submit and luci.http.formvalue("remove")
|
||||
local rem = luci.http.formvalue("remove")
|
||||
if rem then
|
||||
remove[rem], out, err = ipkg.remove(rem)
|
||||
stdout[#stdout+1] = out
|
||||
|
|
@ -115,7 +118,7 @@ function action_packages()
|
|||
|
||||
|
||||
-- Update all packets
|
||||
local update = luci.http.formvalue("update")
|
||||
update = luci.http.formvalue("update")
|
||||
if update then
|
||||
update, out, err = ipkg.update()
|
||||
stdout[#stdout+1] = out
|
||||
|
|
@ -124,12 +127,13 @@ function action_packages()
|
|||
|
||||
|
||||
-- Upgrade all packets
|
||||
local upgrade = luci.http.formvalue("upgrade")
|
||||
upgrade = luci.http.formvalue("upgrade")
|
||||
if upgrade then
|
||||
upgrade, out, err = ipkg.upgrade()
|
||||
stdout[#stdout+1] = out
|
||||
stderr[#stderr+1] = err
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
-- List state
|
||||
|
|
@ -168,9 +172,12 @@ function action_packages()
|
|||
end
|
||||
|
||||
function action_flashops()
|
||||
local http = require "luci.http"
|
||||
local sys = require "luci.sys"
|
||||
local fs = require "nixio.fs"
|
||||
|
||||
local submit = (http.formvalue("exec") == "1")
|
||||
|
||||
local upgrade_avail = fs.access("/lib/upgrade/platform.sh")
|
||||
local reset_avail = os.execute([[grep '"rootfs_data"' /proc/mtd >/dev/null 2>&1]]) == 0
|
||||
|
||||
|
|
@ -208,9 +215,13 @@ function action_flashops()
|
|||
return size
|
||||
end
|
||||
|
||||
--
|
||||
-- Handle modifying actions
|
||||
--
|
||||
if submit then
|
||||
|
||||
local fp
|
||||
luci.http.setfilehandler(
|
||||
http.setfilehandler(
|
||||
function(meta, chunk, eof)
|
||||
if not fp then
|
||||
if meta and meta.name == "image" then
|
||||
|
|
@ -228,36 +239,40 @@ function action_flashops()
|
|||
end
|
||||
)
|
||||
|
||||
if luci.http.formvalue("backup") then
|
||||
if http.formvalue("backup") then
|
||||
--
|
||||
-- Assemble file list, generate backup
|
||||
--
|
||||
local reader = ltn12_popen(backup_cmd)
|
||||
luci.http.header('Content-Disposition', 'attachment; filename="backup-%s-%s.tar.gz"' % {
|
||||
http.header('Content-Disposition', 'attachment; filename="backup-%s-%s.tar.gz"' % {
|
||||
luci.sys.hostname(), os.date("%Y-%m-%d")})
|
||||
luci.http.prepare_content("application/x-targz")
|
||||
luci.ltn12.pump.all(reader, luci.http.write)
|
||||
elseif luci.http.formvalue("restore") then
|
||||
http.prepare_content("application/x-targz")
|
||||
luci.ltn12.pump.all(reader, http.write)
|
||||
return
|
||||
|
||||
elseif http.formvalue("restore") then
|
||||
--
|
||||
-- Unpack received .tar.gz
|
||||
--
|
||||
local upload = luci.http.formvalue("archive")
|
||||
local upload = http.formvalue("archive")
|
||||
if upload and #upload > 0 then
|
||||
luci.template.render("admin_system/applyreboot")
|
||||
luci.sys.reboot()
|
||||
return
|
||||
end
|
||||
elseif luci.http.formvalue("image") or luci.http.formvalue("step") then
|
||||
|
||||
elseif http.formvalue("image") or http.formvalue("step") then
|
||||
--
|
||||
-- Initiate firmware flash
|
||||
--
|
||||
local step = tonumber(luci.http.formvalue("step") or 1)
|
||||
local step = tonumber(http.formvalue("step") or 1)
|
||||
if step == 1 then
|
||||
if image_supported() then
|
||||
luci.template.render("admin_system/upgrade", {
|
||||
checksum = image_checksum(),
|
||||
storage = storage_size(),
|
||||
size = (fs.stat(image_tmp, "size") or 0),
|
||||
keep = (not not luci.http.formvalue("keep"))
|
||||
keep = (not not http.formvalue("keep"))
|
||||
})
|
||||
else
|
||||
fs.unlink(image_tmp)
|
||||
|
|
@ -267,19 +282,21 @@ function action_flashops()
|
|||
image_invalid = true
|
||||
})
|
||||
end
|
||||
return
|
||||
--
|
||||
-- Start sysupgrade flash
|
||||
--
|
||||
elseif step == 2 then
|
||||
local keep = (luci.http.formvalue("keep") == "1") and "" or "-n"
|
||||
local keep = (http.formvalue("keep") == "1") and "" or "-n"
|
||||
luci.template.render("admin_system/applyreboot", {
|
||||
title = luci.i18n.translate("Flashing..."),
|
||||
msg = luci.i18n.translate("The system is flashing now.<br /> DO NOT POWER OFF THE DEVICE!<br /> Wait a few minutes before you try to reconnect. It might be necessary to renew the address of your computer to reach the device again, depending on your settings."),
|
||||
addr = (#keep > 0) and "192.168.1.1" or nil
|
||||
})
|
||||
fork_exec("killall dropbear uhttpd; sleep 1; /sbin/sysupgrade %s %q" %{ keep, image_tmp })
|
||||
return
|
||||
end
|
||||
elseif reset_avail and luci.http.formvalue("reset") then
|
||||
elseif reset_avail and http.formvalue("reset") then
|
||||
--
|
||||
-- Reset system
|
||||
--
|
||||
|
|
@ -289,7 +306,10 @@ function action_flashops()
|
|||
addr = "192.168.1.1"
|
||||
})
|
||||
fork_exec("killall dropbear uhttpd; sleep 1; mtd -r erase rootfs_data")
|
||||
else
|
||||
return
|
||||
end
|
||||
end
|
||||
|
||||
--
|
||||
-- Overview
|
||||
--
|
||||
|
|
@ -297,7 +317,6 @@ function action_flashops()
|
|||
reset_avail = reset_avail,
|
||||
upgrade_avail = upgrade_avail
|
||||
})
|
||||
end
|
||||
end
|
||||
|
||||
function action_passwd()
|
||||
|
|
|
|||
|
|
@ -17,8 +17,8 @@
|
|||
btn.disabled = true;
|
||||
btn.value = '<%:Synchronizing...%>';
|
||||
|
||||
XHR.get('<%=url('admin/system/clock_status')%>',
|
||||
{ set: Math.floor((new Date()).getTime() / 1000) },
|
||||
(new XHR()).post('<%=url('admin/system/clock_status')%>',
|
||||
{ token: '<%=token%>', set: Math.floor((new Date()).getTime() / 1000) },
|
||||
function()
|
||||
{
|
||||
btn.disabled = false;
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
<%#
|
||||
Copyright 2008 Steven Barth <steven@midlink.org>
|
||||
Copyright 2008 Jo-Philipp Wich <jow@openwrt.org>
|
||||
Copyright 2008-2015 Jo-Philipp Wich <jow@openwrt.org>
|
||||
Licensed to the public under the Apache License 2.0.
|
||||
-%>
|
||||
|
||||
|
|
@ -17,7 +17,9 @@
|
|||
|
||||
<fieldset class="cbi-section">
|
||||
<legend><%:Backup / Restore%></legend>
|
||||
<form method="post" action="<%=REQUEST_URI%>" enctype="multipart/form-data">
|
||||
<form method="post" action="<%=url('admin/system/flashops')%>" enctype="multipart/form-data">
|
||||
<input type="hidden" name="exec" value="1" />
|
||||
<input type="hidden" name="token" value="<%=token%>" />
|
||||
<div class="cbi-section-descr"><%:Click "Generate archive" to download a tar archive of the current configuration files. To reset the firmware to its initial state, click "Perform reset" (only possible with squashfs images).%></div>
|
||||
<div class="cbi-section-node">
|
||||
<div class="cbi-value<% if not reset_avail then %> cbi-value-last<% end %>">
|
||||
|
|
@ -54,7 +56,9 @@
|
|||
<fieldset class="cbi-section">
|
||||
<legend><%:Flash new firmware image%></legend>
|
||||
<% if upgrade_avail then %>
|
||||
<form method="post" action="<%=REQUEST_URI%>" enctype="multipart/form-data">
|
||||
<form method="post" action="<%=url('admin/system/flashops')%>" enctype="multipart/form-data">
|
||||
<input type="hidden" name="exec" value="1" />
|
||||
<input type="hidden" name="token" value="<%=token%>" />
|
||||
<div class="cbi-section-descr"><%:Upload a sysupgrade-compatible image here to replace the running firmware. Check "Keep settings" to retain the current configuration (requires an OpenWrt compatible firmware image).%></div>
|
||||
<div class="cbi-section-node">
|
||||
<div class="cbi-value">
|
||||
|
|
|
|||
|
|
@ -46,17 +46,18 @@ end
|
|||
|
||||
<h2 name="content"><%:Software%></h2>
|
||||
|
||||
<form method="post" action="<%=REQUEST_URI%>">
|
||||
<div class="cbi-map">
|
||||
<div class="cbi-map">
|
||||
|
||||
<ul class="cbi-tabmenu">
|
||||
<li class="cbi-tab"><a href="#"><%:Actions%></a></li>
|
||||
<li class="cbi-tab-disabled"><a href="<%=REQUEST_URI%>/ipkg"><%:Configuration%></a></li>
|
||||
</ul>
|
||||
|
||||
<form method="post" action="<%=REQUEST_URI%>">
|
||||
<input type="hidden" name="exec" value="1" />
|
||||
<input type="hidden" name="token" value="<%=token%>" />
|
||||
|
||||
<fieldset class="cbi-section">
|
||||
|
||||
|
||||
<fieldset class="cbi-section-node">
|
||||
<% if (install and next(install)) or (remove and next(remove)) or update or upgrade then %>
|
||||
<div class="cbi-value">
|
||||
|
|
@ -80,7 +81,7 @@ end
|
|||
<% else %>
|
||||
<%:No package lists available%>
|
||||
<% end %>
|
||||
<input type="button" onclick="location.href='?update=1'" href="#" class="cbi-button cbi-button-apply" style="margin-left:3em" value="<%:Update lists%>" />
|
||||
<input type="submit" name="update" href="#" class="cbi-button cbi-button-apply" style="margin-left:3em" value="<%:Update lists%>" />
|
||||
</div>
|
||||
<% end %>
|
||||
|
||||
|
|
@ -101,7 +102,7 @@ end
|
|||
<label class="cbi-value-title"><%:Download and install package%>:</label>
|
||||
<div class="cbi-value-field">
|
||||
<input type="text" name="url" size="30" value="" />
|
||||
<input class="cbi-button cbi-input-save" type="submit" name="submit" value="<%:OK%>" />
|
||||
<input class="cbi-button cbi-input-save" type="submit" name="exec" value="<%:OK%>" />
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
|
@ -114,7 +115,8 @@ end
|
|||
</div>
|
||||
</fieldset>
|
||||
</fieldset>
|
||||
<br />
|
||||
</form>
|
||||
|
||||
|
||||
<h3><%:Status%></h3>
|
||||
|
||||
|
|
@ -134,7 +136,14 @@ end
|
|||
</tr>
|
||||
<% local empty = true; luci.model.ipkg.list_installed(querypat, function(n, v, s, d) empty = false; filter[n] = true %>
|
||||
<tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>">
|
||||
<td style="text-align:left; width:10%"><a onclick="return window.confirm('<%:Remove%> "<%=luci.util.pcdata(n)%>" ?')" href="<%=REQUEST_URI%>?submit=1&remove=<%=luci.util.pcdata(n)%>"><%:Remove%></a></td>
|
||||
<td style="text-align:left; width:10%">
|
||||
<form method="post" class="inline" action="<%=REQUEST_URI%>">
|
||||
<input type="hidden" name="exec" value="1" />
|
||||
<input type="hidden" name="token" value="<%=token%>" />
|
||||
<input type="hidden" name="remove" value="<%=pcdata(n)%>" />
|
||||
<a onclick="window.confirm('<%:Remove%> "<%=luci.util.pcdata(n)%>" ?') && this.parentNode.submit(); return false" href="#"><%:Remove%></a>
|
||||
</form>
|
||||
</td>
|
||||
<td style="text-align:left"><%=luci.util.pcdata(n)%></td>
|
||||
<td style="text-align:left"><%=luci.util.pcdata(v)%></td>
|
||||
</tr>
|
||||
|
|
@ -169,7 +178,14 @@ end
|
|||
</tr>
|
||||
<% local empty = true; opkg_list(querypat or letterpat, function(n, v, s, d) if filter[n] then return end; empty = false %>
|
||||
<tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>">
|
||||
<td style="text-align:left; width:10%"><a onclick="return window.confirm('<%:Install%> "<%=luci.util.pcdata(n)%>" ?')" href="<%=REQUEST_URI%>?submit=1&install=<%=luci.util.pcdata(n)%>"><%:Install%></a></td>
|
||||
<td style="text-align:left; width:10%">
|
||||
<form method="post" class="inline" action="<%=REQUEST_URI%>">
|
||||
<input type="hidden" name="exec" value="1" />
|
||||
<input type="hidden" name="token" value="<%=token%>" />
|
||||
<input type="hidden" name="install" value="<%=pcdata(n)%>" />
|
||||
<a onclick="window.confirm('<%:Install%> "<%=luci.util.pcdata(n)%>" ?') && this.parentNode.submit(); return false" href="#"><%:Install%></a>
|
||||
</form>
|
||||
</td>
|
||||
<td style="text-align:left"><%=luci.util.pcdata(n)%></td>
|
||||
<td style="text-align:left"><%=luci.util.pcdata(v)%></td>
|
||||
<td style="text-align:right"><%=luci.util.pcdata(s)%></td>
|
||||
|
|
@ -191,6 +207,6 @@ end
|
|||
<% end %>
|
||||
</fieldset>
|
||||
<% end %>
|
||||
</div>
|
||||
</form>
|
||||
</div>
|
||||
|
||||
<%+footer%>
|
||||
|
|
|
|||
Loading…
Reference in a new issue