Difuse/luci
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

luci-mod-admin-full: protect clock, flash and opkg ops with submit token

Browse source 
* Use post_on() target to require csrf token verification for modifying actions
* Ensure that package and flash operation handlers guard modifying operations
  with parameter check

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
This commit is contained in:
Jo-Philipp Wich 2015-10-20 21:01:41 +02:00
parent 562c47e5fd
commit b5826f1ffb
4 changed files with 258 additions and 219 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

277
modules/luci-mod-admin-full/luasrc/controller/admin/system.lua
View file

@ -9,12 +9,12 @@ function index()
entry({"admin", "system"}, alias("admin", "system", "system"), _("System"), 30).index = true
entry({"admin", "system", "system"}, cbi("admin_system/system"), _("System"), 1)
entry({"admin", "system", "clock_status"}, call("action_clock_status"))
entry({"admin", "system", "clock_status"}, post_on({ set = true }, "action_clock_status"))
entry({"admin", "system", "admin"}, cbi("admin_system/admin"), _("Administration"), 2)
if fs.access("/bin/opkg") then
entry({"admin", "system", "packages"}, call("action_packages"), _("Software"), 10)
entry({"admin", "system", "packages"}, post_on({ exec = "1" }, "action_packages"), _("Software"), 10)
entry({"admin", "system", "packages", "ipkg"}, form("admin_system/ipkg"))
end
@ -31,7 +31,7 @@ function index()
entry({"admin", "system", "leds"}, cbi("admin_system/leds"), _("<abbr title=\"Light Emitting Diode\">LED</abbr> Configuration"), 60)
end
entry({"admin", "system", "flashops"}, call("action_flashops"), _("Backup / Flash Firmware"), 70)
entry({"admin", "system", "flashops"}, post_on({ exec = "1" }, "action_flashops"), _("Backup / Flash Firmware"), 70)
entry({"admin", "system", "flashops", "backupfiles"}, form("admin_system/backupfiles"))
entry({"admin", "system", "reboot"}, template("admin_system/reboot"), _("Reboot"), 90)
@ -56,7 +56,8 @@ end
function action_packages()
local fs = require "nixio.fs"
local ipkg = require "luci.model.ipkg"
local submit = luci.http.formvalue("submit")
local submit = (luci.http.formvalue("exec") == "1")
local update, upgrade
local changes = false
local install = { }
local remove = { }
@ -76,59 +77,62 @@ function action_packages()
query = (query ~= '') and query or nil
-- Packets to be installed
local ninst = submit and luci.http.formvalue("install")
local uinst = nil
-- Modifying actions
if submit then
-- Packets to be installed
local ninst = luci.http.formvalue("install")
local uinst = nil
-- Install from URL
local url = luci.http.formvalue("url")
if url and url ~= '' and submit then
uinst = url
end
-- Install from URL
local url = luci.http.formvalue("url")
if url and url ~= '' then
uinst = url
end
-- Do install
if ninst then
install[ninst], out, err = ipkg.install(ninst)
stdout[#stdout+1] = out
stderr[#stderr+1] = err
changes = true
end
if uinst then
local pkg
for pkg in luci.util.imatch(uinst) do
install[uinst], out, err = ipkg.install(pkg)
-- Do install
if ninst then
install[ninst], out, err = ipkg.install(ninst)
stdout[#stdout+1] = out
stderr[#stderr+1] = err
changes = true
end
end
-- Remove packets
local rem = submit and luci.http.formvalue("remove")
if rem then
remove[rem], out, err = ipkg.remove(rem)
stdout[#stdout+1] = out
stderr[#stderr+1] = err
changes = true
end
if uinst then
local pkg
for pkg in luci.util.imatch(uinst) do
install[uinst], out, err = ipkg.install(pkg)
stdout[#stdout+1] = out
stderr[#stderr+1] = err
changes = true
end
end
-- Remove packets
local rem = luci.http.formvalue("remove")
if rem then
remove[rem], out, err = ipkg.remove(rem)
stdout[#stdout+1] = out
stderr[#stderr+1] = err
changes = true
end
-- Update all packets
local update = luci.http.formvalue("update")
if update then
update, out, err = ipkg.update()
stdout[#stdout+1] = out
stderr[#stderr+1] = err
end
-- Update all packets
update = luci.http.formvalue("update")
if update then
update, out, err = ipkg.update()
stdout[#stdout+1] = out
stderr[#stderr+1] = err
end
-- Upgrade all packets
local upgrade = luci.http.formvalue("upgrade")
if upgrade then
upgrade, out, err = ipkg.upgrade()
stdout[#stdout+1] = out
stderr[#stderr+1] = err
-- Upgrade all packets
upgrade = luci.http.formvalue("upgrade")
if upgrade then
upgrade, out, err = ipkg.upgrade()
stdout[#stdout+1] = out
stderr[#stderr+1] = err
end
end
@ -168,8 +172,11 @@ function action_packages()
end
function action_flashops()
local sys = require "luci.sys"
local fs = require "nixio.fs"
local http = require "luci.http"
local sys = require "luci.sys"
local fs = require "nixio.fs"
local submit = (http.formvalue("exec") == "1")
local upgrade_avail = fs.access("/lib/upgrade/platform.sh")
local reset_avail = os.execute([[grep '"rootfs_data"' /proc/mtd >/dev/null 2>&1]]) == 0
@ -208,96 +215,108 @@ function action_flashops()
return size
end
--
-- Handle modifying actions
--
if submit then
local fp
luci.http.setfilehandler(
function(meta, chunk, eof)
if not fp then
if meta and meta.name == "image" then
fp = io.open(image_tmp, "w")
else
fp = io.popen(restore_cmd, "w")
local fp
http.setfilehandler(
function(meta, chunk, eof)
if not fp then
if meta and meta.name == "image" then
fp = io.open(image_tmp, "w")
else
fp = io.popen(restore_cmd, "w")
end
end
if chunk then
fp:write(chunk)
end
if eof then
fp:close()
end
end
if chunk then
fp:write(chunk)
end
if eof then
fp:close()
end
end
)
)
if luci.http.formvalue("backup") then
--
-- Assemble file list, generate backup
--
local reader = ltn12_popen(backup_cmd)
luci.http.header('Content-Disposition', 'attachment; filename="backup-%s-%s.tar.gz"' % {
luci.sys.hostname(), os.date("%Y-%m-%d")})
luci.http.prepare_content("application/x-targz")
luci.ltn12.pump.all(reader, luci.http.write)
elseif luci.http.formvalue("restore") then
--
-- Unpack received .tar.gz
--
local upload = luci.http.formvalue("archive")
if upload and #upload > 0 then
luci.template.render("admin_system/applyreboot")
luci.sys.reboot()
end
elseif luci.http.formvalue("image") or luci.http.formvalue("step") then
--
-- Initiate firmware flash
--
local step = tonumber(luci.http.formvalue("step") or 1)
if step == 1 then
if image_supported() then
luci.template.render("admin_system/upgrade", {
checksum = image_checksum(),
storage = storage_size(),
size = (fs.stat(image_tmp, "size") or 0),
keep = (not not luci.http.formvalue("keep"))
})
else
fs.unlink(image_tmp)
luci.template.render("admin_system/flashops", {
reset_avail = reset_avail,
upgrade_avail = upgrade_avail,
image_invalid = true
})
if http.formvalue("backup") then
--
-- Assemble file list, generate backup
--
local reader = ltn12_popen(backup_cmd)
http.header('Content-Disposition', 'attachment; filename="backup-%s-%s.tar.gz"' % {
luci.sys.hostname(), os.date("%Y-%m-%d")})
http.prepare_content("application/x-targz")
luci.ltn12.pump.all(reader, http.write)
return
elseif http.formvalue("restore") then
--
-- Unpack received .tar.gz
--
local upload = http.formvalue("archive")
if upload and #upload > 0 then
luci.template.render("admin_system/applyreboot")
luci.sys.reboot()
return
end
--
-- Start sysupgrade flash
--
elseif step == 2 then
local keep = (luci.http.formvalue("keep") == "1") and "" or "-n"
elseif http.formvalue("image") or http.formvalue("step") then
--
-- Initiate firmware flash
--
local step = tonumber(http.formvalue("step") or 1)
if step == 1 then
if image_supported() then
luci.template.render("admin_system/upgrade", {
checksum = image_checksum(),
storage = storage_size(),
size = (fs.stat(image_tmp, "size") or 0),
keep = (not not http.formvalue("keep"))
})
else
fs.unlink(image_tmp)
luci.template.render("admin_system/flashops", {
reset_avail = reset_avail,
upgrade_avail = upgrade_avail,
image_invalid = true
})
end
return
--
-- Start sysupgrade flash
--
elseif step == 2 then
local keep = (http.formvalue("keep") == "1") and "" or "-n"
luci.template.render("admin_system/applyreboot", {
title = luci.i18n.translate("Flashing..."),
msg = luci.i18n.translate("The system is flashing now.<br /> DO NOT POWER OFF THE DEVICE!<br /> Wait a few minutes before you try to reconnect. It might be necessary to renew the address of your computer to reach the device again, depending on your settings."),
addr = (#keep > 0) and "192.168.1.1" or nil
})
fork_exec("killall dropbear uhttpd; sleep 1; /sbin/sysupgrade %s %q" %{ keep, image_tmp })
return
end
elseif reset_avail and http.formvalue("reset") then
--
-- Reset system
--
luci.template.render("admin_system/applyreboot", {
title = luci.i18n.translate("Flashing..."),
msg = luci.i18n.translate("The system is flashing now.<br /> DO NOT POWER OFF THE DEVICE!<br /> Wait a few minutes before you try to reconnect. It might be necessary to renew the address of your computer to reach the device again, depending on your settings."),
addr = (#keep > 0) and "192.168.1.1" or nil
title = luci.i18n.translate("Erasing..."),
msg = luci.i18n.translate("The system is erasing the configuration partition now and will reboot itself when finished."),
addr = "192.168.1.1"
})
fork_exec("killall dropbear uhttpd; sleep 1; /sbin/sysupgrade %s %q" %{ keep, image_tmp })
fork_exec("killall dropbear uhttpd; sleep 1; mtd -r erase rootfs_data")
return
end
elseif reset_avail and luci.http.formvalue("reset") then
--
-- Reset system
--
luci.template.render("admin_system/applyreboot", {
title = luci.i18n.translate("Erasing..."),
msg = luci.i18n.translate("The system is erasing the configuration partition now and will reboot itself when finished."),
addr = "192.168.1.1"
})
fork_exec("killall dropbear uhttpd; sleep 1; mtd -r erase rootfs_data")
else
--
-- Overview
--
luci.template.render("admin_system/flashops", {
reset_avail = reset_avail,
upgrade_avail = upgrade_avail
})
end
--
-- Overview
--
luci.template.render("admin_system/flashops", {
reset_avail = reset_avail,
upgrade_avail = upgrade_avail
})
end
function action_passwd()

4
modules/luci-mod-admin-full/luasrc/view/admin_system/clock_status.htm
View file

@ -17,8 +17,8 @@
btn.disabled = true;
btn.value = '<%:Synchronizing...%>';
XHR.get('<%=url('admin/system/clock_status')%>',
{ set: Math.floor((new Date()).getTime() / 1000) },
(new XHR()).post('<%=url('admin/system/clock_status')%>',
{ token: '<%=token%>', set: Math.floor((new Date()).getTime() / 1000) },
function()
{
btn.disabled = false;

10
modules/luci-mod-admin-full/luasrc/view/admin_system/flashops.htm
View file

@ -1,6 +1,6 @@
<%#
Copyright 2008 Steven Barth <steven@midlink.org>
Copyright 2008 Jo-Philipp Wich <jow@openwrt.org>
Copyright 2008-2015 Jo-Philipp Wich <jow@openwrt.org>
Licensed to the public under the Apache License 2.0.
-%>
@ -17,7 +17,9 @@
<fieldset class="cbi-section">
<legend><%:Backup / Restore%></legend>
<form method="post" action="<%=REQUEST_URI%>" enctype="multipart/form-data">
<form method="post" action="<%=url('admin/system/flashops')%>" enctype="multipart/form-data">
<input type="hidden" name="exec" value="1" />
<input type="hidden" name="token" value="<%=token%>" />
<div class="cbi-section-descr"><%:Click "Generate archive" to download a tar archive of the current configuration files. To reset the firmware to its initial state, click "Perform reset" (only possible with squashfs images).%></div>
<div class="cbi-section-node">
<div class="cbi-value<% if not reset_avail then %> cbi-value-last<% end %>">
@ -54,7 +56,9 @@
<fieldset class="cbi-section">
<legend><%:Flash new firmware image%></legend>
<% if upgrade_avail then %>
<form method="post" action="<%=REQUEST_URI%>" enctype="multipart/form-data">
<form method="post" action="<%=url('admin/system/flashops')%>" enctype="multipart/form-data">
<input type="hidden" name="exec" value="1" />
<input type="hidden" name="token" value="<%=token%>" />
<div class="cbi-section-descr"><%:Upload a sysupgrade-compatible image here to replace the running firmware. Check "Keep settings" to retain the current configuration (requires an OpenWrt compatible firmware image).%></div>
<div class="cbi-section-node">
<div class="cbi-value">

186
modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm
View file

@ -46,17 +46,18 @@ end
<h2 name="content"><%:Software%></h2>
<form method="post" action="<%=REQUEST_URI%>">
<div class="cbi-map">
<div class="cbi-map">
<ul class="cbi-tabmenu">
<li class="cbi-tab"><a href="#"><%:Actions%></a></li>
<li class="cbi-tab-disabled"><a href="<%=REQUEST_URI%>/ipkg"><%:Configuration%></a></li>
</ul>
<ul class="cbi-tabmenu">
<li class="cbi-tab"><a href="#"><%:Actions%></a></li>
<li class="cbi-tab-disabled"><a href="<%=REQUEST_URI%>/ipkg"><%:Configuration%></a></li>
</ul>
<form method="post" action="<%=REQUEST_URI%>">
<input type="hidden" name="exec" value="1" />
<input type="hidden" name="token" value="<%=token%>" />
<fieldset class="cbi-section">
<fieldset class="cbi-section-node">
<% if (install and next(install)) or (remove and next(remove)) or update or upgrade then %>
<div class="cbi-value">
@ -80,7 +81,7 @@ end
<% else %>
<%:No package lists available%>
<% end %>
<input type="button" onclick="location.href='?update=1'" href="#" class="cbi-button cbi-button-apply" style="margin-left:3em" value="<%:Update lists%>" />
<input type="submit" name="update" href="#" class="cbi-button cbi-button-apply" style="margin-left:3em" value="<%:Update lists%>" />
</div>
<% end %>
@ -101,7 +102,7 @@ end
<label class="cbi-value-title"><%:Download and install package%>:</label>
<div class="cbi-value-field">
<input type="text" name="url" size="30" value="" />
<input class="cbi-button cbi-input-save" type="submit" name="submit" value="<%:OK%>" />
<input class="cbi-button cbi-input-save" type="submit" name="exec" value="<%:OK%>" />
</div>
</div>
@ -114,83 +115,98 @@ end
</div>
</fieldset>
</fieldset>
<br />
<h3><%:Status%></h3>
</form>
<ul class="cbi-tabmenu">
<li class="cbi-tab<% if display ~= "installed" then %>-disabled<% end %>"><a href="?display=installed&amp;query=<%=pcdata(query)%>"><%:Installed packages%><% if query then %> (<%=pcdata(query)%>)<% end %></a></li>
<li class="cbi-tab<% if display ~= "available" then %>-disabled<% end %>"><a href="?display=available&amp;query=<%=pcdata(query)%>"><%:Available packages%><% if query then %> (<%=pcdata(query)%>)<% end %></a></li>
</ul>
<h3><%:Status%></h3>
<% if display ~= "available" then %>
<fieldset class="cbi-section">
<table class="cbi-section-table" style="width:100%">
<tr class="cbi-section-table-titles">
<th class="cbi-section-table-cell" style="text-align:left">&#160;</th>
<th class="cbi-section-table-cell" style="text-align:left"><%:Package name%></th>
<th class="cbi-section-table-cell" style="text-align:left"><%:Version%></th>
</tr>
<% local empty = true; luci.model.ipkg.list_installed(querypat, function(n, v, s, d) empty = false; filter[n] = true %>
<tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>">
<td style="text-align:left; width:10%"><a onclick="return window.confirm('<%:Remove%> &quot;<%=luci.util.pcdata(n)%>&quot; ?')" href="<%=REQUEST_URI%>?submit=1&amp;remove=<%=luci.util.pcdata(n)%>"><%:Remove%></a></td>
<td style="text-align:left"><%=luci.util.pcdata(n)%></td>
<td style="text-align:left"><%=luci.util.pcdata(v)%></td>
</tr>
<% end) %>
<% if empty then %>
<tr class="cbi-section-table-row">
<td style="text-align:left">&#160;</td>
<td style="text-align:left"><em><%:none%></em></td>
<td style="text-align:left"><em><%:none%></em></td>
</tr>
<% end %>
</table>
</fieldset>
<% else %>
<fieldset class="cbi-section">
<% if not querypat then %>
<ul class="cbi-tabmenu">
<% local i; for i = 65, 90 do %>
<li class="cbi-tab<% if letter ~= i then %>-disabled<% end %>"><a href="?display=available&amp;letter=<%=string.char(i)%>"><%=string.char(i)%></a></li>
<% end %>
<li class="cbi-tab<% if letter ~= 35 then %>-disabled<% end %>"><a href="?display=available&amp;letter=%23">#</a></li>
</ul>
<div class="cbi-section-node">
<% end %>
<table class="cbi-section-table" style="width:100%">
<tr class="cbi-section-table-titles">
<th class="cbi-section-table-cell" style="text-align:left">&#160;</th>
<th class="cbi-section-table-cell" style="text-align:left"><%:Package name%></th>
<th class="cbi-section-table-cell" style="text-align:left"><%:Version%></th>
<th class="cbi-section-table-cell" style="text-align:right"><%:Size (.ipk)%></th>
<th class="cbi-section-table-cell" style="text-align:left"><%:Description%></th>
</tr>
<% local empty = true; opkg_list(querypat or letterpat, function(n, v, s, d) if filter[n] then return end; empty = false %>
<tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>">
<td style="text-align:left; width:10%"><a onclick="return window.confirm('<%:Install%> &quot;<%=luci.util.pcdata(n)%>&quot; ?')" href="<%=REQUEST_URI%>?submit=1&amp;install=<%=luci.util.pcdata(n)%>"><%:Install%></a></td>
<td style="text-align:left"><%=luci.util.pcdata(n)%></td>
<td style="text-align:left"><%=luci.util.pcdata(v)%></td>
<td style="text-align:right"><%=luci.util.pcdata(s)%></td>
<td style="text-align:left"><%=luci.util.pcdata(d)%></td>
</tr>
<% end) %>
<% if empty then %>
<tr class="cbi-section-table-row">
<td style="text-align:left">&#160;</td>
<td style="text-align:left"><em><%:none%></em></td>
<td style="text-align:left"><em><%:none%></em></td>
<td style="text-align:right"><em><%:none%></em></td>
<td style="text-align:left"><em><%:none%></em></td>
</tr>
<% end %>
</table>
<% if not querypat then %>
</div>
<% end %>
</fieldset>
<ul class="cbi-tabmenu">
<li class="cbi-tab<% if display ~= "installed" then %>-disabled<% end %>"><a href="?display=installed&amp;query=<%=pcdata(query)%>"><%:Installed packages%><% if query then %> (<%=pcdata(query)%>)<% end %></a></li>
<li class="cbi-tab<% if display ~= "available" then %>-disabled<% end %>"><a href="?display=available&amp;query=<%=pcdata(query)%>"><%:Available packages%><% if query then %> (<%=pcdata(query)%>)<% end %></a></li>
</ul>
<% if display ~= "available" then %>
<fieldset class="cbi-section">
<table class="cbi-section-table" style="width:100%">
<tr class="cbi-section-table-titles">
<th class="cbi-section-table-cell" style="text-align:left">&#160;</th>
<th class="cbi-section-table-cell" style="text-align:left"><%:Package name%></th>
<th class="cbi-section-table-cell" style="text-align:left"><%:Version%></th>
</tr>
<% local empty = true; luci.model.ipkg.list_installed(querypat, function(n, v, s, d) empty = false; filter[n] = true %>
<tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>">
<td style="text-align:left; width:10%">
<form method="post" class="inline" action="<%=REQUEST_URI%>">
<input type="hidden" name="exec" value="1" />
<input type="hidden" name="token" value="<%=token%>" />
<input type="hidden" name="remove" value="<%=pcdata(n)%>" />
<a onclick="window.confirm('<%:Remove%> &quot;<%=luci.util.pcdata(n)%>&quot; ?') && this.parentNode.submit(); return false" href="#"><%:Remove%></a>
</form>
</td>
<td style="text-align:left"><%=luci.util.pcdata(n)%></td>
<td style="text-align:left"><%=luci.util.pcdata(v)%></td>
</tr>
<% end) %>
<% if empty then %>
<tr class="cbi-section-table-row">
<td style="text-align:left">&#160;</td>
<td style="text-align:left"><em><%:none%></em></td>
<td style="text-align:left"><em><%:none%></em></td>
</tr>
<% end %>
</table>
</fieldset>
<% else %>
<fieldset class="cbi-section">
<% if not querypat then %>
<ul class="cbi-tabmenu">
<% local i; for i = 65, 90 do %>
<li class="cbi-tab<% if letter ~= i then %>-disabled<% end %>"><a href="?display=available&amp;letter=<%=string.char(i)%>"><%=string.char(i)%></a></li>
<% end %>
<li class="cbi-tab<% if letter ~= 35 then %>-disabled<% end %>"><a href="?display=available&amp;letter=%23">#</a></li>
</ul>
<div class="cbi-section-node">
<% end %>
</div>
</form>
<table class="cbi-section-table" style="width:100%">
<tr class="cbi-section-table-titles">
<th class="cbi-section-table-cell" style="text-align:left">&#160;</th>
<th class="cbi-section-table-cell" style="text-align:left"><%:Package name%></th>
<th class="cbi-section-table-cell" style="text-align:left"><%:Version%></th>
<th class="cbi-section-table-cell" style="text-align:right"><%:Size (.ipk)%></th>
<th class="cbi-section-table-cell" style="text-align:left"><%:Description%></th>
</tr>
<% local empty = true; opkg_list(querypat or letterpat, function(n, v, s, d) if filter[n] then return end; empty = false %>
<tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>">
<td style="text-align:left; width:10%">
<form method="post" class="inline" action="<%=REQUEST_URI%>">
<input type="hidden" name="exec" value="1" />
<input type="hidden" name="token" value="<%=token%>" />
<input type="hidden" name="install" value="<%=pcdata(n)%>" />
<a onclick="window.confirm('<%:Install%> &quot;<%=luci.util.pcdata(n)%>&quot; ?') && this.parentNode.submit(); return false" href="#"><%:Install%></a>
</form>
</td>
<td style="text-align:left"><%=luci.util.pcdata(n)%></td>
<td style="text-align:left"><%=luci.util.pcdata(v)%></td>
<td style="text-align:right"><%=luci.util.pcdata(s)%></td>
<td style="text-align:left"><%=luci.util.pcdata(d)%></td>
</tr>
<% end) %>
<% if empty then %>
<tr class="cbi-section-table-row">
<td style="text-align:left">&#160;</td>
<td style="text-align:left"><em><%:none%></em></td>
<td style="text-align:left"><em><%:none%></em></td>
<td style="text-align:right"><em><%:none%></em></td>
<td style="text-align:left"><em><%:none%></em></td>
</tr>
<% end %>
</table>
<% if not querypat then %>
</div>
<% end %>
</fieldset>
<% end %>
</div>
<%+footer%>