libs/web: Added several sanity checks to avoid local privilege escalation

libs/web/luasrc/dispatcher.lua

@@ -263,6 +263,13 @@ function createindex_plain(path, suffix)
 	if indexcache then
 		local cachedate = fs.mtime(indexcache)
 		if cachedate and cachedate > fs.mtime(path) then
+
+			assert(
+				sys.process.info("uid") == fs.stat(indexcache, "uid")
+				and fs.stat(indexcache, "mode") == "rw-------",
+				"Fatal: Indexcache is not sane!"
+			)
+
 			index = loadfile(indexcache)()
 			return index
 		end 		
@@ -287,6 +294,7 @@ function createindex_plain(path, suffix)
 	
 	if indexcache then
 		fs.writefile(indexcache, util.get_bytecode(index))
+		fs.chmod(indexcache, "a-rwx,u+rw")
 	end
 end
 

libs/web/luasrc/sauth.lua

@@ -57,7 +57,7 @@ end
 -- @param id	Session identifier
 -- @return		Session data
 function read(id)
-	if not id or not sane() then
+	if not id or not sane(sessionpath .. "/" .. id) then
 		return
 	end
 	clean()
@@ -67,9 +67,11 @@ end
 
 --- Check whether Session environment is sane.
 -- @return Boolean status
-function sane()
+function sane(file)
-	return luci.sys.process.info("uid") == luci.fs.stat(sessionpath, "uid")
+	return luci.sys.process.info("uid")
-	 and luci.fs.stat(sessionpath, "mode") == "rwx------"
+			== luci.fs.stat(file or sessionpath, "uid")
+		and luci.fs.stat(file or sessionpath, "mode")
+			== (file and "rw-------" or "rwx------")
 end