Introduce two new properties for page nodes to allow for declaratively
specifiying system dependencies which is useful to e.g. make certain
views depend on specific uci values or the presence of certain files.
The recognized properties are:
- `uci_depends` - a nested table in one of the following forms:
1) `{ config = { section = { option = "exact_value" } }`
2) `{ config = { section = { option = true } }`
3) `{ config = { section = "exact_type" } }`
4) `{ config = { section = true } }`
5) `{ config = true }`
Depending on the declaration, the uci option or section type must either
match the given "exact_value" or "exact_type" values or be a non-nil value
in case boolean "true" is specified.
- `file_depends` - a flat lists of file paths that must be accessible
If a path listed in `file_depends` points to a directory, that directory
must be not empty, otherwise it suffices if the path exists.
Examples:
- Only display the node if an /etc/config/wireless file exists with
a "config wifi-device radio0" section.
node = page(...)
node.uci_depends = { wireless = { radio0 = "wifi-device" } }
- Only display the node when swconfig is installed.
node = page(...)
node.file_depends = { "/sbin/swconfig" }
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The dispatcher failed to propagate the child target post security
requirements to the arcombine() dispatch target so far - fix this
by recursively testing the post security requirements.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Introduce a new view() target for CBI dispatch nodes, as long with the
required template and plumbing work in luci.js to allow requiring view
classes.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Extend the attr() and ifattr() template functions to take an optional
further parameter indicating that the passed value should not be escaped.
This is needed for cases where the input already is escaped through
other means, e.g. when the value was previously filtered through the
striptags() template helper.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Use the same ordering logic for building the dispatch tree and for
querying the children of a given node.
Fixes#2338.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This feature was never used, is hardly documented and appears to be
designed to fiddle with the internal dispatch tree state.
Given that, simply drop the related code to simplify the dispatcher
class somewhat.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Send a custom LuCI X-Header to indicate that a login is required to access
the requested resource. This is mainly intended for xhr.js to be able to
intercept such responses and popup an authentication dialog.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The i18n.loadc() function has been a no-op since almost six years so it
makes no sense to invoke it anymore.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The firstnode target will dispatch the request to the first eligible menu
subtree node that is not a redirect to another node, a special action or
post security enabled page.
That action is specifically useful for global category toplevel nodes like
"admin" which are supposed to simply direct access to the first installed
page node without having to hardcode specific choices.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Per the discussion in https://github.com/openwrt/luci/issues/869, make
luci-base sufficient to login, logout, and review and apply or revert
uci changes. This allows most luci-app-xxx to work without having
luci-mod-admin-full installed.
It has been tested with some apps and not luci-mod-admin-full, as well
as with luci-mod-admin-full (to make sure the usual case doesn't break).
Instead of creating a new module namespace (e.g. 'Base') we reduce the
opportunities for breakage by having luci-base take over the 'shell' of
the 'Administration' (admin/....) namespace.
Since admin is assumed by all current building LuCI components (including
Freifunk), this doesn't introduce the 'Administration' tab into any
situation where it would not already be present (but includes it where it
was before).
We also add a "Component not installed" page to avoid fatal errors and
backtrace when e.g. luci-mod-admin-full is not installed.
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
Rework the apply confirmation mechanism to be session agnostic in order to
circumvent cross domain restrictions which prevent the JS code from issuing
apply confirm requests in some cases, e.g. when changing the LAN IP.
Confirmation calls may now be done from unauthenticated pages, as long as a
matching confirmation token is sent along with the request.
The reasoning behind this is that there is little security impact in
confirming pending apply sessions, especially since those sessions can only
be initiated while being authenticated.
After this change, LuCI will now launch a confirmation process on every
rendered page when a rollback is pending. The confirmation will happen
regardless of whether the user is logged in or not, or if the current page
is a CBI form or static template.
A confirmation request now also requires a random one-time token which is
rendered along with the confirmation JavaScript code in order to succeed.
This token is not meant to provide security but to ensure that the confirm
was triggered from an interactive browser session and not some background
HTTP requests that happened to end up in the admin ui.
As a consequence, the different apply/confirm/rollback code paths in CBI
maps and the UCI change/revert pages have been consolidated into one common
implementation residing in the common global theme agnostic footer template.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Sync our coxpcall() implementation to the newest upstream version in order to
get access to the inner backtrace information and propagate these traces to
the browser in luci.dispatcher.dispatch().
This should make tracking down runtime errors much easier.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
http.getenv("SCRIPT_NAME") fail if it's not provided. This can happen in the login screen when we don't have any script to load.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
A simple scan of the code indicates that currently no code in the repo
is accessing the sysauth= cookie
Closesopenwrt/luci#1555
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Switch to rpcd based uci apply/rollback workflow which helps to avoid soft-
bricking devices by requiring an explicit confirmation call after config
apply.
When a user now clicks "Save & Apply", LuCI first issues a call to uci apply
which commits and reloads configuration, then goes into a polling countdown
mode where it repeatedly attempts to call uci confirm.
If the committed configuration is sane, the confirm call will go through and
cancel rpcd's pending rollback timer.
If the configuration change leads to a loss of connectivity (e.g. due to bad
firewall rules or similar), the rollback mechanism will kick in after the
timeout and revert configuration files and pending changes to the pre-apply
state.
In order to cover such rare cases where a lost of connectivity is expected
and desired, the user is offered an "unchecked" apply option after timing
out, which allows committing and applying the changes anyway, without the
extra safety checks.
As a consequence of this change, the luci-reload mechanism is now completely
unsused since rpcd uses ubus config reload signals to reload affected
services, which means that only procd-enabled services will receive proper
reload treatment with the new workflow.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Support a new boolean property `cors` which - if set to true - causes the
dispatcher to positively answer CORS OPTIONS requests after authentication
without actually running the dispatching target.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This 404 error template rendering has been broken for a long time due to bad
function environment level in luci.template when invoking the rendering from
the toplevel dispatcher context.
Fix this issue by adding a local function indirection, essentially adding an
additional stack frame.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
It is possible to inject unescaped markup using a double encoded null byte
via PATH_INFO on certain leaf nodes.
Since there is no legitimate reason to handle null bytes in any part of the
requested url, simply skip over such bytes when parsing the PATH_INFO value.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The cbi class will react on an empty "cbi.submit" parameter as well so we
must intercept GET requests using that too.
Fixes 186e690c0 ("luci-base: dispatcher: reject non-POST requests with any cbi.submit value")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The lookup function takes multiple, possibly malformed path fragments,
splits them on slashes, constructs a temporary path and looks up the
result in the dispatch tree.
If a matching node has been found, the function will return both the
node reference and the canonical url to it.
If no corresponding node is found, the function returns nil.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Due to the fact that luci.model.cbi reacts on any "cbi.submit" value while
the dispatcher only required POST for cbi.submit == 1, the CSRF token
protection could be bypassed.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Introduce a new template property FULL_REQUEST_URI which returns the full
canonicalized request URL built from SCRIPT_NAME, PATH_INFO and QUERY_STRING.
This new property is safer to use compared to using the raw REQUEST_URI CGI
environment variable directly as this value is essentially untrusted user
input which may contain embedded escaped slashes, double forward slashes and
other oddities allowing XSS exploitation or request redirection.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Properly deal with client accept languages containing a culture identifier
such as "zh-CN" or "pt-BR".
Fixes#1226.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Some controller actions like the ones in "servicectl" require authentication
but are not meant to provide an authenticator because they're only invoked
by scripts.
Rework the dispatcher logic to handle this situation and only bail out if
an authenticator name other than "htmlauth" is set.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Drop the custom credentials checking in favor to perform proper session
logins via rpcd. This is needed to properly setup ACLs when spawning
rpcd sessions in order to support direct client side ubus access in the
future.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
In some cases it is useful to be able to override the template used for the
sysauth login dialog.
Add a new property "sysauth_template" which allows overriding the template
name from controller files.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Fall back to default language if "auto" is configured, but none provided by
the browser matches.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Fix links to point into Github repo instead of luci.subsignal.org
- the hint to file a bug in dispatcher
- footers of Bootstrap and Firefunk themes
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Instead of relying on the connect-before-setuid hack, ship a proper
acl definition file whitelisting the procedures that LuCI requires
on its non-root pages.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Now that we don't have an url token anymore, '/cgi-bin/luci' becomes a valid
url while cookies are restricted to only '/cgi-bin/luci/' and below.
In order to ensure that the first request after login refers to a path
covered by the authentication cookie, change build_url() to always append
a trailing slash if we're referring to the base url.
This should fix the login problems mentioned in #516.
While we're touching the dispatcher, also remove remaining url token code.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Now that sensitive urls require post requests and only accept them if a valid
security token is sent along the request, we can drop the global random url
token to improve LuCI usability.
The main improvement is the ability to use multiple tabs with the same login
session, but also deep linking to specific urls without the need for another
login becomes feasible, e.g. for documentation purposes.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
* Add a generic helper function to check need for post / csrf token validation
* Remove custom token verification in cbi targets
* Support requiring post security depending on specific submit parameters,
usable through post_on() action
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Add the dispatcher infrastructure to restrict certain routes to POST
requests only in conjunction with verification of CSRF tokens.
This is the first step to get rid of the CSRF token in the url in favor
to tokens embedded in forms.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Redirect to the canonical url after login and redirect to an url without
security token if the session expired. Also make sure that the login page
is served with status code 403, not 200 to give ajax calls a chance to
detect expired sessions.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
