The applyreboot page doesn't reload the page onload of the loding gif. This adds the right function.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
- Use native rpcd uci changes format instead of incompletely converting
back and forth between the old and the new format
- Rework uci changelog template to print the equivalent uci commands
for the various changes
- Rework theme headers to properly count the uncomitted changes
- Rework theme CSS to properly style new changelog
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This improve applyreboot page and fix problem with luci-nginx that doesn't refresh the page when the router reboot.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
This patch corrects "to get" to "to be" in apply_widget.htm
This shell command was used to find and make the change in
all impacted files:
find . -type f -exec sed -i 's/Waiting for configuration to get applied/Waiting for configuration to be applied/g' {} +
Signed-off-by: Gregory L. Dietsche <gregory.dietsche@cuw.edu>
Line attenuation, signal attenuation, noise margin and aggregate transmit power really need to show
decimal digits. Fixes commit 88713f6 from issue #2003 due to excess changes from %s to %d.
Rework the apply confirmation mechanism to be session agnostic in order to
circumvent cross domain restrictions which prevent the JS code from issuing
apply confirm requests in some cases, e.g. when changing the LAN IP.
Confirmation calls may now be done from unauthenticated pages, as long as a
matching confirmation token is sent along with the request.
The reasoning behind this is that there is little security impact in
confirming pending apply sessions, especially since those sessions can only
be initiated while being authenticated.
After this change, LuCI will now launch a confirmation process on every
rendered page when a rollback is pending. The confirmation will happen
regardless of whether the user is logged in or not, or if the current page
is a CBI form or static template.
A confirmation request now also requires a random one-time token which is
rendered along with the confirmation JavaScript code in order to succeed.
This token is not meant to provide security but to ensure that the confirm
was triggered from an interactive browser session and not some background
HTTP requests that happened to end up in the admin ui.
As a consequence, the different apply/confirm/rollback code paths in CBI
maps and the UCI change/revert pages have been consolidated into one common
implementation residing in the common global theme agnostic footer template.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Also add a hidden type password field to prevent browser autocompleters
from entering the login passwords into fields liek the wireless WPA key
field.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Add a "data-description" attribute to CBI fields which have a description
set, this allows responsive design themes to render a field description
when decomposing the table grid.
Also reuse the precalculated "typename" property if it exists, instead of
deriving it from the template name yet again.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The previous refactoring of the template caused the row stripying CSS
classes to be interpolated in such a way, that a separating space to
previous CSS classes was missing, leading to not rendered row names
and other side effects.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This commit adds option to disable scan for 40mhz channel, permit to tweak
beacon interval and other advanced settings.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
[fix whitespace, add range constraint to dtim_period, add dtim_period
to local vars, reword commit message]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The previous approach of synchroneously scanning while building the result
page was suboptimal since it frequently led to connection resets when
accessing LuCI via wireless.
It also exhibited problems when accessed via SSL on recent Firefox versions
where the page were only loaded partially.
Rework the wireless scanning to gather scan results in a background process
and put them into the ubus session data area where they can be readily
accessed without causing network interruptions.
Subsequently rebuild the wireless join page to use XHR polling to
incrementally fetch updated scan results.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
In some cases the hidden internal device field was not reset, e.g. after
aborting a wifi scan and using the browser back buttons to navigate to the
overview page again.
In such a case, the previous device hidden field was still present and a new
one getting created, causing further wireless scan attempts to get invoked
with multiple radio names as parameter which fails.
Fix this issue by using the new generic cbi_submit() helper any by dropping
the faulty wifi_action() function.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
- Make sure that hitting enter in the form hits the CBI save action and not
apply or cancel
- Hide action panel if no actions are available
- CLeanup code
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
- Ensure that pressing enter in the form triggers the submit action and
not a cbi skip or cancel
- Hide page actions when empty
- Cleanup code
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
- The wifi_big.png / wifi_big_disabled.png icons were used on the wireless
overview page which now uses badges with normal sized icons
- The encryption.png / encryption_disabled.png icons were never used at all
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Add missing translations and update existing not quite correct translations.
Replaced hyphens on em dashes where it is required by the Russian rules.
Signed-off-by: Anton Kikin <a.kikin@tano-systems.com>
Some CBI map models, mainly the Network -> VLAN page, expect a valid
previous section ID in their Section:create() callback.
Previous refactoring of the tblsection markup broke this behaviour as
the "section" loop variable was accidentally localized, causing it to
be undefined outside of the loop body which caused the section add
button and name input fields to get rendered with a wrong "name"
attribute.
Fix this by moving the "section" variable declaration out of the loop
and by readding references to it in the non-anonymous section add case.
Fixes FS#1657
Fixes 002c4d1d5 ("luci-base: add "Name" label to autogenerated title column")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Remove the guessing of primary interfaces for now as we cannot yet properly
track parent / child interface relations.
Instead, add tooltips to the interface icons displaying detailed physical
layer information per netdev.
For dynamic or true alias interfaces (using "@" notation), skip the
reporting of MAC and traffic stats.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Some status requests can take quite some time to finish, the LuCI DSL
status information in particular.
Since the polling loop code already takes care of not relaunching
requests which are already running, increase the per iteration timeout
to up to five times the poll interval.
This should be sufficient to let most operations complete.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Convert interface enable, disable and delete actions to proper cbi
operations so that we can benefit from the apply/rollback workflow
when performing critical interface operations.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
JSON.parse() is supported on all modern browsers and a far better
solution than the hakish and potentially dangerous eval().
Also calculate the duration of request and pass it as 3rd argument to the
callback function, this makes it easier to calculate request delays or
poll intervals in code using XHR.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Commit c0de036b3 ("treewide: always include cbi.js") improperly removed the
cbi.js script include from header.htm, leaving behind the string dictionary.
Move the JSON dictionary to the parent <form> element and delete the
leftover </script> element.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Include cbi.js in the main header template like it is done for xhr.js and
remove the page specific includes.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Updated with the latest synchronization of the translation, corrections and additions translation.
Signed-off-by: Yurii yuripet@gmail.com
Squashed 2 commits
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
If a firmware image is not valid then url generation for the config tab
is wrong. To fix this use the luci.dispatcher.build_url function.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
If an uploaded backup.tar.gz is not valid we will not get a respond from
LuCI. The system will perform a reboot without applying the "tar.gz"
even though the backup import failed.
To fix this check if the backup archive is valid with the command
"gunzip -t <archive>" and if the validation fails render the flashops page
with a hint. On the other hand apply the backup archive and perform a
reboot as before.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This fix problem with empty controller, the check function will never stop to
check if the device finish to reboot and we set more tries to wait the router
for a longer times.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
[reworked markup, simplified logic, removed superfluous alert]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Rework markup and logic of the wireless network status indicator to match
that of the interface status widget.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Merge the DHCP lease status code of the status overview and DHCP/DNS pages
into a single shared partial template.
Also remove some redundant markup on the index page and wireless assoc list
templates.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Attempt to derive a MAC from the DHCPv6 lease DUID and use it to look up
a host hint. If a hint is found, add it to the lease information.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
In some cases we might get status information for more ports than which are
actually usable, prevent overflowing the port status row in this case.
Reported-at: https://forum.lede-project.org/t/x/15897/14
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
With #e5ba594d77eed77d31d4b9b8c0e86026eb5a5fac the list of the connected device broke up. This fix this problem by creating a proper request link.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Commit 69782ccbc ("luci-base: xhr.js: defer starting poll queue") changed
the way XHR poll queues are started which broke the timing on the realtime
graph pages.
Fix the problem by manually starting the poller after registering the request
handlers.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Merge the assoclist code of the status overview and wireless overview pages
into a single shared partial template.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Globally cleanup template markup to support responsive design changes in
OpenWrt theme.
Rework handling of dynamic status tables, consolidate hand-written markup,
fix small render bugs in various places and annotate tables where needed.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Defer the start of the queue poll loop until the document has been loaded.
This allows all XHR.poll() invocations on the page to register their
handlers before the first batch of requests is made.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
"Content-Type: text/plain; charset=UTF-8" was wrote twice in each
of base.po and firewall.po, and one was an incorrect place which
was the cause of the errors.
And, The escape in abbr HTML tag was incorrect, so I fixed it.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
If you delete all ssh keys in the textarea then LuCI will rais an error.
So if you added one ssh-key to the textarea and then you want to delete them
again that is not possbile in LuCI.
To fix this remove "rmempty" attribute and add a remove function which will
called if the textarea is empty.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Merge two italian translations suggested in #1870 and add back two missing
dots accidentially removed from the translations in a previous commit.
Fixes: 588c8618b ("luci-mod-admin-full: fix translation interpolation in JS confirm() calls")
Suggested-by: Ansuel Smith <ansuelsmth@gmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Use luci.http.write_json() in conjunction with translate() to write out
unescaped translation strings in a manner suitable for interpolation inside
JavaScript.
Fixes#1870
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Also switch one usage of raw '<%_ ... %>' interpolation to '<%: ... %>' in
order to avoid issues with translations using apostrophes.
Globally resnyc translations after the fix.
Fixes#1866.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Also switch the weekday and monthday lists in the firewall rule details to
cbi dropdowns, vastly uncluttering the form.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This commit introduces the required code for a new, markup based dropdown
widget which can be used as a styleable alternative to select boxes or
radio/checkbox button groups.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
AbstractValue descendants may now specify a new optional property `alias`
which refers to a uci option to read/write/remove that differs from the
option name itself.
This is mainly useful for widgets that are toggled based on dependencies,
e.g. for alternating between SingleValue and MultiValue, but which are
intented to write into the same uci option.
Such a setup was previously possible already by overriding the .cfgvalue(),
.write() and .remove() callbacks with custom implementations, but that
required a lot of boiler plate code and was rather fragile.
With the `alias` property, CBI now takes care of the details and tracks
aliased fields within a section accordingly.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
- Properly serialize option delete changelogs
- Do not perform a section create if a nil value is passed to set()
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Since the switch to ubus uci operations we do not have a local application-
side cursor cache anymore, instead uci operations happen synchronously in
the rpcd backend server.
This may cause cbi section reorder operations involving multiple elements
to fail, because anonymous section hashes may change due to rehashing
between consecutive ubus uci reorder calls.
In order to avoid that problem, use the ubus uci batch reorder extension,
which allows to pass a complete (or partial) list of section ids in the
desired order in one call, bypassing the volatile section id problem.
Fixes#1844.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Sync our coxpcall() implementation to the newest upstream version in order to
get access to the inner backtrace information and propagate these traces to
the browser in luci.dispatcher.dispatch().
This should make tracking down runtime errors much easier.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
After applying uci configuration, a full map reload is required in many
cases as the anonymous section identifiers might have been rehashed, causing
the rendered map to go out of sync.
To avoid that, add both a full page overlay preventing further page
interaction and let the apply widget forcibly reload the current view once
the operation is complete.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Use a more compact flex layout instead of the tabular display.
Also rename "WAN status" to "Upstream" to avoid future confusion about
wan interfaces vs. defaultroute interfaces.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This fix the strange redirect link, a bug with uwsgi where the controller
is empty and a bug with the revert page showing the apply content empty.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
[drop unrelated revert.html template change]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Referring to this, #1698 , we add architecture info and we show Unknown instead of ?. This is usefull if someone needs to install opkg packages manually.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Mostly convert HTML tables to div based markup to allow for easier styling
in the future. Also change JS accessor code accordingly.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
http.getenv("SCRIPT_NAME") fail if it's not provided. This can happen in the login screen when we don't have any script to load.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Do override the iface section id upon commit to avoid clobbering the resulting
configuration. The manual config sync is not needed anymore after switching
to uncached ubus uci operations.
Fixes#1770.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
On certain environments, mainly with the embedded uhttpd interpreter, the
luci.config class cannot be loaded due to a circular dependency with the
luci.model.uci class.
Break up the dependency by deferring the loading of luci.config in
luci.model.uci until it is actually needed.
Fixes#1803, FS#1553.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
A simple scan of the code indicates that currently no code in the repo
is accessing the sysauth= cookie
Closesopenwrt/luci#1555
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
The check "supports_reset" only covers /proc/mtd partitions. If we have
this the commands checks for names like ubi or rootfs_data. If this is
found the system is possible for a factory reset. But on x86 the
situation is different. We have no /proc/mtd partitions because this
system do not use a bare metall flash.
To solve this issue check if we have an overlay and if so we could do a
factory reset. This could be applied for system which uses bare metal
flash and system which uses FTL or harddisks.
Jffs2reset is the current command used for factory reset. It will try
to find volume "rootfs_data" and if it's mounted will delete all files
under directory /overlay
luci-mod-admin-mini also has check for reset available, but we leave it
alone for now as it uses "mtd -r erase rootfs_data"
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
If log configuration get changed in uci system no new values are applied
until reboot. Add /etc/init.d/log reload to exec option will solve this
issue.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Ship an /etc/init.d/ucitrack for spawning a virtual service with the sole
purpose to track the configurations and dependencies formerly handled by
luci-reload.
Once all LuCI supported services ship with procd compatible init scripts,
the uci track support can be dropped.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
- localize variables
- get rid of redirects breaking apply workflow
- auto-adjust unusable channels when switching country
- use apply/rollback workflow when enabling/disabling networks
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Switch to rpcd based uci apply/rollback workflow which helps to avoid soft-
bricking devices by requiring an explicit confirmation call after config
apply.
When a user now clicks "Save & Apply", LuCI first issues a call to uci apply
which commits and reloads configuration, then goes into a polling countdown
mode where it repeatedly attempts to call uci confirm.
If the committed configuration is sane, the confirm call will go through and
cancel rpcd's pending rollback timer.
If the configuration change leads to a loss of connectivity (e.g. due to bad
firewall rules or similar), the rollback mechanism will kick in after the
timeout and revert configuration files and pending changes to the pre-apply
state.
In order to cover such rare cases where a lost of connectivity is expected
and desired, the user is offered an "unchecked" apply option after timing
out, which allows committing and applying the changes anyway, without the
extra safety checks.
As a consequence of this change, the luci-reload mechanism is now completely
unsused since rpcd uses ubus config reload signals to reload affected
services, which means that only procd-enabled services will receive proper
reload treatment with the new workflow.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The previous attempt to fix authentication broke login functionality so
rework the code once again, this time with referencing helper functions
directly via the controller scope.
Furthermore, properly expose luci.sys.wifi.getiwinfo() and luci.ip.
For getiwinfo(), the RPC wrapped function accepts one further optional
parameter specifying the operation to invoke on the iwinfo instance.
If no operation is specified, a summary object containing all info
without country and scan list is returned.
Example to obtain iwinfo summary object:
curl --cookie sysauth=... \
--data '{"method": "wifi.getiwinfo", "params": ["wlan0"]}' \
"http://192.168.1.1/cgi-bin/luci/rpc/sys"
Example to obtain iwinfo scan list:
curl --cookie sysauth=... \
--data '{"method": "wifi.getiwinfo", "params": ["wlan0", "scanlist"]}' \
"http://192.168.1.1/cgi-bin/luci/rpc/sys"
The exposed luci.ip class uses a similar approach to allow invoking
instance methods on cidr objects. The new(), IPv4(), IPv6() and MAC()
constructors accept two further optional arguments, with the first
specifying the instance method to invoke and the second the value to
pass to the instance method.
Example to get list of IPv4 neighbours (ARP entries):
curl --cookie sysauth=... \
--data '{"method": "neighbors", "params": [{"family": 4}]}' \
"http://192.168.1.1/cgi-bin/luci/rpc/ip"
Example to add 100 hosts to a network address:
curl --cookie sysauth=... \
--data '{"method": "IPv4", "params": ["192.168.0.1", "255.255.255.0", "add", 1000]}' \
"http://192.168.1.1/cgi-bin/luci/rpc/ip"
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Internet Explorer 11 requires the timeout to be applied after the open()
call, otherwise an invlaid state exception will be raised
Fixes aa6c97154 ("luci-base: extend xhr.js")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Show the correct wifi chip identification in case iwinfo
recognises the chip.
So far the wifidev.get_i18n function has practically always
returned just "Generic", but use iwinfo.hardware_name to
fetch the name.
In case iwinfo returns the default "Generic MAC80211", there
is a double 80211 in the final string, which is a cosmetic bug.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Localize the `authenticatior()` and `session_retrieve()` functions into the
`index()` function scope so that they're retained when extracting the
function into the dispatcher bytecode cache.
Also allow access to the global scope since upvalues do not work reliably
due to the out-of-context byte code caching of index functions.
Fixes https://github.com/openwrt/luci/issues/1300#issuecomment-381352765
Fixes feefc600e ("luci-mod-rpc: rework authentication and session handling")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
When reading the configured mac address of the static lease, filter it
through luci.ip.checkmac() to canonicalize and uppercase the value for
mapping it against the combo box host hints.
Fixes#1772.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Support a new boolean property `cors` which - if set to true - causes the
dispatcher to positively answer CORS OPTIONS requests after authentication
without actually running the dispatching target.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Decode the HTTP message bodies of any request carrying a Content-Length
header, not just those in POST requests.
This allows handling parameters in other methods, OPTIONS in particular.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Ensure that the (table) length of a file upload value has nonzero length
by initializing the first table index with the file name.
This fixes tests in the form
x = luci.http.formvalue(...)
if x and #x > 0 then ... end
Fixes#1763.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Ship an ACL definition for granting full read/write access to uci
configuration files via ubus rpc. This is a precondition for enabling
uci session isolation later on.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Restore the old luci.http behaviour of converting repeated POST params into
single tables holding all values instead of letting each repeated parameter
overwrite the value of the preceeding one.
Fixes, among other things, the handling of CBI dynamic list values.
Fixes#1752
Fixes 59dea0230 ("luci-base: switch to lucihttp based POST data processing")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Introduce luci.model.uci.set_session_id() and luci.model.uci.get_session_id()
to set and get the effective session ID respectively.
When a session ID is set, it is sent as `ubus_rpc_session` attribute to rpcd,
causing it to use per-session change directories, isolating LuCI changes from
the global system uci state.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
LuCI itself now uses ubus calls to interact with uci configuration while
the remaining direct libuci-lua users have been updated to either depend
on the binding library or to use luci.model.uci.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Also adjust the dependencies of components depending on these classes and
flatten the namespace from luci.http.protocol.* to luci.http.*
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
With only the decoder routines remaining in luci.http.protocol, it makes no
sense to keep the low level protocol class around, so fold the remaining code
into the central luci.http class.
Also adjust the few direct users of luci.http.protocol accordingly.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
- Rewrite getcookie() to use liblucihttp header value parsing
- Rewrite setfilehandler() to use local variables and have cleaner code
- Fix build_querystring() to actually *en*code the given params
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This reverts commit ad7dc4a492.
Since we're using liblucihttp now, that library is the appropriate place to
add such decoding helper functions.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Use the liblucihttp provided multipart and x-www-urlencoded body parsers
and drop the old Lua parsing code.
The C based data parsers are way faster than their old Lua counterparts
while producing less string garbage and more correct results.
While refactoring the luci.http.protocol code, also drop unused functions
and dead code, heavily reducing the module size.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This 404 error template rendering has been broken for a long time due to bad
function environment level in luci.template when invoking the rendering from
the toplevel dispatcher context.
Fix this issue by adding a local function indirection, essentially adding an
additional stack frame.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Instead of attempting to access the request environment directly (which does
not work anyway using the CGI SGI), use the already sanitized
dispatcher.context.request property to print out the not found url.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
It is possible to inject unescaped markup using a double encoded null byte
via PATH_INFO on certain leaf nodes.
Since there is no legitimate reason to handle null bytes in any part of the
requested url, simply skip over such bytes when parsing the PATH_INFO value.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The C implementations of urlencode and urldecode are considerably faster
than their current Lua counterparts.
On an AMD Geode system, the C variant is up to ten times faster when
decoding strings and up to four times faster when encoding them.
The functions are also designed to only allocate new strings when any
actual changes are required, otherwise they reuse the existing input
strings, reducing the overal memory usage somewhat.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The value of cachesize is hardcoded to 10000 in
dnsmasq-2.79/src/option.c to 10000 max
case 'c': /* --cache-size */
{
int size;
if (!atoi_check(arg, &size))
ret_err(gen_err);
else
{
/* zero is OK, and means no caching. */
if (size < 0)
size = 0;
else if (size > 10000)
size = 10000;
daemon->cachesize = size;
}
break;
}
Tested on Netgear R7800
Signed-off-by: Marc Benoit <marcb62185@gmail.com>
In the case of more powerful routers the default
cachesize value == 150 is too small and can easily
be extended to 1,000's and 10,000's of entries.
It makes sense to make it easy configurable.
Tested on Netgear R7800
Signed-off-by: Marc Benoit <marcb62185@gmail.com>
Fix whitespace, edit the proposed help text.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
The cbi class will react on an empty "cbi.submit" parameter as well so we
must intercept GET requests using that too.
Fixes 186e690c0 ("luci-base: dispatcher: reject non-POST requests with any cbi.submit value")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Update timezone data to 2018d
http://mm.icann.org/pipermail/tz-announce/2018-March/000049.html
In 2018, Palestine starts DST on March 24, not March 31.
Adjust future predictions accordingly.
Casey Station in Antarctica changed from +11 to +08
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Properly propagate the config parameter to the foreach iterator in order
to fix get_first() lookups.
Fixes#1734.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Prevent various XSS vectors by not interpolating field and path values
verbatim into script and html contexts.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Introduce a get_state() function which can be used to access legacy
uci state variables. This is usually not needed anymore but some
packages (mainly mwan3) still rely on this.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Make the hint message more explicit to tell users that the prefix size needs
to be specified as well.
Fixes#1559.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
- Use the ubus session.login procedure to authenticate credentials
- Fix testing of allowed usernames
- Support authentication via sysauth cookie
Fixes#1300, #1700, #1711
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Instead of passing the full LuCI request url, pass the relative resolved
request path instead and filter the received value through the lookup()
dispatcher function to only allow paths to actual internal pages.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The lookup function takes multiple, possibly malformed path fragments,
splits them on slashes, constructs a temporary path and looks up the
result in the dispatch tree.
If a matching node has been found, the function will return both the
node reference and the canonical url to it.
If no corresponding node is found, the function returns nil.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Introduce a new function luci.util.shellquote() which encloses the given
string argument in single quotes and escapes any embedded single quote
characters.
This function is intended to be used when interpolating untrusted input
into shell commands.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Due to the fact that luci.model.cbi reacts on any "cbi.submit" value while
the dispatcher only required POST for cbi.submit == 1, the CSRF token
protection could be bypassed.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
