Ensure to not display public key comments verbatim in order to prevent
injection of markup.
Reported-by: Eric McDonald <ericmcdonald@protonmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 944b55738e)
Do not emit native collectd.conf boolean false options if the corresponding
uci option is unset in order to honour collectd's implicit defaults.
This fixes certain options, such as the memory plugin's `ValuesAbsolute`,
being without effect if declared as default-enabled in the related plugin
uci forms.
Fixes: #5777
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit f16037cec5)
Under some circumstances, ubus RPC requests may be initiated while LuCI is
still resolving the `rpcBaseURL` value. In this situation, the `target`
argument of the `request()` call will be a pending promise object which
results in an invalid URL when serialized by `expandURL()`, leading to a
`Failed to execute 'open' on 'XMLHttpRequest': Invalid URL` exception.
This commonly occurred on the index status page which immediately initiates
ubus RPC calls on load to discover existing status page partials.
Solve the issue by filtering the given `target` argument through
`Promise.resolve()` before expanding the URL and initiating the actual
request.
Fixes: #3747
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit 5663fd596b)
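Added example, not LuCI's own code, illustrating the commit above: a request target that is still a pending promise is stringified to "[object Promise]" when the URL is built, while filtering it through `Promise.resolve()` first defers the expansion until the value has settled. `RPC_BASE_URL`, `expandURL()`, `expandTargetImmediately()`, `expandTargetSafely()` and `pendingTarget()` are assumed names standing in for LuCI's `rpcBaseURL` and `request()` internals.

```javascript
// Added example (not LuCI's own code): why a pending promise must be
// resolved before the request target is turned into a URL.
const RPC_BASE_URL = '/ubus/'; // assumed value standing in for LuCI's rpcBaseURL

// Join a target against the base URL. Anything that is not a string is
// stringified first, which is how a promise object ends up as the text
// "[object Promise]" inside the URL.
function expandURL(target) {
  const t = String(target);
  return t.startsWith('/') ? t : RPC_BASE_URL + t;
}

// Pre-fix behaviour: the target is used as-is, even when it is still a promise.
function expandTargetImmediately(target) {
  return expandURL(target);
}

// Fixed behaviour: Promise.resolve() wraps a plain string in an already
// resolved promise and passes an existing promise through unchanged, so
// expandURL() only ever sees the settled value.
function expandTargetSafely(target) {
  return Promise.resolve(target).then(expandURL);
}

// Constructed stand-in for a target whose value is not yet available.
function pendingTarget(value) {
  return new Promise(resolve => setTimeout(() => resolve(value), 10));
}
```

`expandTargetImmediately(pendingTarget('system'))` yields "/ubus/[object Promise]", whereas `expandTargetSafely(pendingTarget('system'))` resolves to "/ubus/system"; a plain string passed to the safe variant is handled identically, so callers need no special case.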
The OpenVPN file view uses a dummy Map() instance to render the breadcrumb
template which triggers a uci permission error since the view is being
rendered by a form() action which does not set up the expected permission
flags. CBI Map() instances should only be used for cbi() dispatch targets.
Solve the issue by appending the breadcrumb template directly to the
SimpleForm() instance and by removing the redundant dummy Map() instance.
Fixes: #4370
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 18b1130711)
Filter the init script name parameter through fs.basename() to avoid
invoking paths outside of /etc/init.d/.
Reported-by: Graham R <gr348@cam.ac.uk>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 8752701b0d)
Do not fall back to .innerHTML if DOMParser() failed for whatever reason.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 63d9bcb682)
Instead of relying on .innerHTML which executes embedded script code to
parse a given HTML fragment, use dom.parse() which utilizes DOMParser()
internally in order to extract textContent in a safe manner.
Fixes: FS#4199
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=4199
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 993151504e)
Only treat the given identifier as a Linux netdev name if we can find a
corresponding entry in the device info cache and do not consider strings
starting with "wlan", "ath" or "wl" to be existing devices.
This fixes incorrectly adding wireless sections as ifnames to network
interfaces when the wifi-iface section name begins with one of the
`iface_patterns_wireless` patterns.
Fixes: #5069
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit d4092b15ce)
Remove ACL file accidentally added by ecd49247eb.
There is no luci-app-dawn in 19.07, so no ACL is needed.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
The new API unifies all human readable responses in the `detail` field
to follow the newly used framework.
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 2a29911121)
The content is the same response as for `/api/latest.json` but
statically hosted by a webserver rather than Python generated.
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit a672875402)
If the upgrade server API does not respond, show an error message.
Fix #5222
While at it, minimal code linting
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit ff24b78c80)
In JavaScript (unlike in Python) an empty array is considered `true`
within if statements. Fix this by checking for the array length rather
than its existence.
This fixes the issue of an empty dropdown menu in case the user is
running the latest release.
Signed-off-by: Paul Spooren <mail@aparcar.org>
* add HTTP/2-only supporting providers: Mullvad, Digitale-Gesellschaft, dns.sb and Rubyfish.cn
* switch default provider from Google to Cloudflare
* add IPv6 addresses for bootstrap resolvers for Google DNS
* add secondary bootstrap resolver (Cloudflare's) to all providers with a single bootstrap resolver
* modify model/cbi file to show HTTP/2-only providers (and help texts) on HTTP/2-supporting systems
Signed-off-by: Stan Grishin <stangri@melmac.net>
The mac section for the static lease doesn't correctly handle when multiple MACs are set for a rule.
Fixes: #4291
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
(cherry picked from commit 6c9a6c334e)
This calls striptags() on the hostname to prevent any XSS over the
hostname. This should fix CVE-2021-33425 as far as I understood it.
If someone adds some Javascript into system.@system[0].hostname it would
have been directly added to the page, this prevents the problem.
This can only be exploited by someone being able to modify the uci
configuration, normally a user with such privileges could also just
modify the webpage.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 5cbd79d7e3)
When an upstream NS returns PTR domain names containing HTML, it is
added verbatim to the connection status table.
Prevent this issue by HTML escaping any values in the source and
destination columns.
Fixes: CVE-2021-32019
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 3c66c5b165)
Serialize the uci list value into a space separated string before passing
it to String.format() for HTML escaping. Without that change, empty strings
were returned whenever the underlying uci get operation yielded an array.
Fixes: #4993
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 5c792aefc7)
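Added example, not LuCI's own code, covering both the CVE-2021-32019 fix (HTML escaping of values placed in the source and destination columns of the connection status table) and the commit above (serializing a uci list into a space separated string before escaping). `escapeHTML()`, `serializeUciValue()`, `escapeUciValue()` and `renderRow()` are assumed names; the escaper is a plain replacement function rather than LuCI's `String.format()`, and the PTR name and addresses fed to it are constructed sample values.

```javascript
// Added example (not LuCI's own code): HTML-escape a value that may be a
// plain string (e.g. a PTR hostname) or a uci list (array of strings).

// Replace the five characters that matter in HTML text and attribute context.
function escapeHTML(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Serialize uci list values into a space separated string first, so the
// escaper always receives the text that will actually be rendered.
function serializeUciValue(v) {
  if (v == null) return '';
  return Array.isArray(v) ? v.join(' ') : String(v);
}

function escapeUciValue(v) {
  return escapeHTML(serializeUciValue(v));
}

// Render one row of a connection status table; both cells go through the
// escaper, so markup returned by an upstream resolver stays inert text.
function renderRow(src, dst) {
  return '<tr><td>' + escapeUciValue(src) + '</td><td>' + escapeUciValue(dst) + '</td></tr>';
}
```

With a constructed PTR name such as `<b>host</b>.example`, `renderRow()` emits `&lt;b&gt;host&lt;/b&gt;.example` in the cell, and a constructed list `['10.0.0.1', '10.0.0.2']` becomes `10.0.0.1 10.0.0.2` rather than an empty string.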
Implement two new text "options" for UCI system config, intended to
help humans describe the device.
"system.description" is a short, single-line description suitable for
selector UIs in remote administration applications, or remote UCI (over
ubus RPC), etc. It would also be suitable as a default for LLDP/SNMP
"system description".
"system.notes" is a multi-line, free-form text field that can be used in
any way the user wishes, e.g. to hold installation notes, or unit serial
number and inventory number, location, etc.
Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>