* add HTTP/2-only supporting providers: Mullvad, Digitale-Gesellschaft, dns.sb and Rubyfish.cn
* switch default provider from Google to Cloudflare
* add IPv6 addresses for bootstrap resolvers for Google DNS
* add secondary bootstrap resolver (Cloudflare's) to all providers with a single bootstrap resolver
* modify model/cbi file to show HTTP/2-only providers (and help texts) on HTTP/2-supporting systems
Signed-off-by: Stan Grishin <stangri@melmac.net>
The MAC section for the static lease doesn't correctly handle the case when multiple MACs are set for a rule.
Fixes: #4291
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
(cherry picked from commit 6c9a6c334e)
This calls striptags() on the hostname to prevent any XSS over the
hostname. This should fix CVE-2021-33425 as far as I understood it.
If someone adds some JavaScript into system.@system[0].hostname it would
have been directly added to the page; this prevents the problem.
This can only be exploited by someone being able to modify the uci
configuration, normally a user with such privileges could also just
modify the webpage.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 5cbd79d7e3)
When an upstream NS returns PTR domain names containing HTML, it is
added verbatim to the connection status table.
Prevent this issue by HTML escaping any values in the source and
destination columns.
Fixes: CVE-2021-32019
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 3c66c5b165)
Serialize the uci list value into a space separated string before passing
it to String.format() for HTML escaping. Without that change, empty strings
were returned whenever the underlying uci get operation yielded an array.
Fixes: #4993
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 5c792aefc7)
Implement two new text "options" for UCI system config, intended to
help humans describe the device.
"system.description" is a short, single-line description suitable for
selector UIs in remote administration applications, or remote UCI (over
ubus RPC), etc. It would also be suitable as a default for LLDP/SNMP
"system description".
"system.notes" is a multi-line, free-form text field that can be used in
any way the user wishes, e.g. to hold installation notes, or unit serial
number and inventory number, location, etc.
Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
Support negative prefix length in the `cidr`, `cidr4`, `cidr6`, `ipmask`,
`ipmask4` and `ipmask6` data types when an optional truish flag is passed
to the datatype name.
Ref: #4812
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit cd06e708d8)
Fix parsing of DUID-LLT's in duid2ea. Unlike DUID-LL's, DUID-LLT's have a 32-bit time field between the hardware type and link-layer address fields, see RFC 3315 Sections 9.2 and 9.4:
https://tools.ietf.org/html/rfc3315#section-9.2
https://tools.ietf.org/html/rfc3315#section-9.4
therefore, the link-layer address starts at offset 16 instead of 8.
Signed-off-by: Niels Widger <niels@qacafe.com>
(cherry picked from commit 8920a2bf71)
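The offset difference described in the commit above, as an added example (not LuCI's own duid2ea code): a strict parser for the two link-layer DUID types of RFC 3315. The function name `duidToMac`, the constants and the sample DUIDs are constructed for illustration; offsets count hex characters, as in the commit message.

```javascript
// Added example, not LuCI's duid2ea. Offsets are in hex characters.
// DUID-LLT: type(2 bytes) | hardware type(2) | time(4) | link-layer address
// DUID-LL : type(2 bytes) | hardware type(2) | link-layer address
const DUID_LLT = 1;
const DUID_LL = 3;
const HW_ETHERNET = 1;

function duidToMac(duid) {
  if (typeof duid !== 'string') return null;

  // Accept plain or separator-delimited hex, then require whole bytes.
  const hex = duid.replace(/[:\-]/g, '').toLowerCase();
  if (!/^(?:[0-9a-f]{2})+$/.test(hex) || hex.length < 8) return null;

  const type = parseInt(hex.slice(0, 4), 16);
  const hwType = parseInt(hex.slice(4, 8), 16);

  // The 32-bit time field (8 hex characters) exists only in DUID-LLT.
  let offset;
  if (type === DUID_LLT) offset = 16;
  else if (type === DUID_LL) offset = 8;
  else return null; // other DUID types carry no link-layer address

  // Only a 6-byte Ethernet address is treated as a MAC; a truncated or
  // over-long identifier is rejected rather than sliced into a wrong value.
  const lladdr = hex.slice(offset);
  if (hwType !== HW_ETHERNET || lladdr.length !== 12) return null;

  return lladdr.match(/../g).join(':').toUpperCase();
}

// Constructed sample DUIDs (same link-layer address in both forms).
const SAMPLE_LLT = '00010001' + '2a3b4c5d' + '001122aabbcc';
const SAMPLE_LL = '00030001' + '001122aabbcc';
const SAMPLE_EN = '0002' + '00000009' + 'deadbeef'; // enterprise-number DUID

console.log(duidToMac(SAMPLE_LLT), duidToMac(SAMPLE_LL), duidToMac(SAMPLE_EN));
```

Reading the DUID-LLT sample from offset 8 would pull the time field into the address; the length check rejects that case as well as truncated input.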
Better handling of Type of Service (IPv4), Traffic Class (IPv6) values
Optional value Local endpoint address is detected and pre-filled in the interface
Signed-off-by: Jan Bětík <jan.betik@svine.su>
I'm running several GRE tunnels to different locations and
the option to see and to configure GRE tunnels in LuCI was not
crucial but nice to have.
Signed-off-by: Jan Bětík <jan.betik@svine.su>
The parent node of the current li might be null after collapsing the
dropdown, so resolve the parent ul early to avoid passing null to
subsequent calls.
Fixes clearing custom input values in DynamicList dropdowns.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit b8d2bcd432)
Store multiple space separated custom address values as separate uci
list items in the configuration.
Fixes: #4822
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit b60be8cfd8)