- Rewrite getcookie() to use liblucihttp header value parsing
- Rewrite setfilehandler() to use local variables and have cleaner code
- Fix build_querystring() to actually *en*code the given params
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Use the liblucihttp provided multipart and x-www-urlencoded body parsers
and drop the old Lua parsing code.
The C based data parsers are way faster than their old Lua counterparts
while producing less string garbage and more correct results.
While refactoring the luci.http.protocol code, also drop unused functions
and dead code, heavily reducing the module size.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This 404 error template rendering has been broken for a long time due to bad
function environment level in luci.template when invoking the rendering from
the toplevel dispatcher context.
Fix this issue by adding a local function indirection, essentially adding an
additional stack frame.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Instead of attempting to access the request environment directly (which does
not work anyway using the CGI SGI), use the already sanitized
dispatcher.context.request property to print out the not found url.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
It is possible to inject unescaped markup using a double encoded null byte
via PATH_INFO on certain leaf nodes.
Since there is no legitimate reason to handle null bytes in any part of the
requested url, simply skip over such bytes when parsing the PATH_INFO value.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The cbi class will react on an empty "cbi.submit" parameter as well so we
must intercept GET requests using that too.
Fixes 186e690c0 ("luci-base: dispatcher: reject non-POST requests with any cbi.submit value")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Update timezone data to 2018d
http://mm.icann.org/pipermail/tz-announce/2018-March/000049.html
In 2018, Palestine starts DST on March 24, not March 31.
Adjust future predictions accordingly.
Casey Station in Antarctica changed from +11 to +08
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Properly propagate the config parameter to the foreach iterator in order
to fix get_first() lookups.
Fixes#1734.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Prevent various XSS vectors by not interpolating field and path values
verbatim into script and html contexts.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Introduce a get_state() function which can be used to access legacy
uci state variables. This is usually not needed anymore but some
packages (mainly mwan3) still rely on this.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The lookup function takes multiple, possibly malformed path fragments,
splits them on slashes, constructs a temporary path and looks up the
result in the dispatch tree.
If a matching node has been found, the function will return both the
node reference and the canonical url to it.
If no corresponding node is found, the function returns nil.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Introduce a new function luci.util.shellquote() which encloses the given
string argument in single quotes and escapes any embedded single quote
characters.
This function is intended to be used when interpolating untrusted input
into shell commands.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Due to the fact that luci.model.cbi reacts on any "cbi.submit" value while
the dispatcher only required POST for cbi.submit == 1, the CSRF token
protection could be bypassed.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Introduce a new template property FULL_REQUEST_URI which returns the full
canonicalized request URL built from SCRIPT_NAME, PATH_INFO and QUERY_STRING.
This new property is safer to use compared to using the raw REQUEST_URI CGI
environment variable directly as this value is essentially untrusted user
input which may contain embedded escaped slashes, double forward slashes and
other oddities allowing XSS exploitation or request redirection.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Some applications, e.g. dnsmasq, do not allow hostnames starting with an
underscore, therefor extend the existing hostname datatype validator with
a `strict` which disallows a leading underscore.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Switch luci.model.uci to use ubus uci calls instead of driving libuci-lua
directly.
This prepares support for more advanced features such as per-session change
isolation and configuration rollback on errors.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* enhance the checklib function in util.lua to check the 'fullpathexe'
as well, e.g. this fixes runtime errors on the dhcp/dns template in
environments without dnsmasq
Signed-off-by: Dirk Brenken <dev@brenken.org>
Use the new luci.ip MAC address facilities to parse and verify MAC addresses
in a common way, instead of relying on various ad-hoc solutions.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The /etc/ethers file may contain any number of white space characters
between the mac address and the IP/hostname field, so extend the pattern
to allow for that.
Man ethers(5) also states that the IP field may be a symbolic hostname,
so test whether the name is an IP address or hostname before adding it
to the hints structure.
Fixes#1674.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
If IPv6 prefix assignment is disabled, the "local-address" structure
might exist, but be empty which causes the adress formatting in the
network model class to bail out.
Verify the completeness of the "local-address" structure before using
it in order to avoid runtime errors.
Fixes#1657.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Keep the ifname and bridge state backup variables in /etc/config/luci to not
pollute /etc/config/network.
Fixes#1655.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
OpenWrt/LEDE introduced the "local-address" field a while back to expose the
effective local host address of the delegated prefix, so use that information
instead of assuming `[prefix]:1`.
Fixes#1484.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
A valid host ID as accepted by netifd must meet the following criteria:
- Is either one of the two special "random" or "eui64" strings
- Or is a valid IPv6 address according to inet_pton(AF_INET6)
- Has the first 64 bit set to zero
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The _wifi_sid_by_ifname() function depends on _wifi_state_by_ifname()
so reorder the private helper functions accordingly to avoid nil value
call attempts.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
- fix mapping of ubus wireless state to uci declared vifs
- fix leaking foreign vif info into per-phy iwinfo stats
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Update timezone data to 2017c
http://mm.icann.org/pipermail/tz-announce/2017-October/000047.html
Briefly:
Northern Cyprus switches from +03 to +02/+03 on 2017-10-29.
Fiji ends DST 2018-01-14, not 2018-01-21.
Namibia switches from +01/+02 to +02 on 2018-04-01.
Sudan switches from +03 to +02 on 2017-11-01.
Tonga likely switches from +13/+14 to +13 on 2017-11-05.
Turks & Caicos switches from -04 to -05/-04 on 2018-11-04.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Properly deal with client accept languages containing a culture identifier
such as "zh-CN" or "pt-BR".
Fixes#1226.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The previous implementation of the function only returned ethernet
interfaces because it relied on the AF_PACKET family entries returned
by getifaddrs().
Change the function to simply collect all interface names it sees in
order to avoid missing tunnel interfaces.
Fixes FS#917.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Some controller actions like the ones in "servicectl" require authentication
but are not meant to provide an authenticator because they're only invoked
by scripts.
Rework the dispatcher logic to handle this situation and only bail out if
an authenticator name other than "htmlauth" is set.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Drop the individual calls to nixio.getnameinfo() in luci.sys.net and rely
on the "network.rrdns.lookup" ubus call instead to fetch domain information
within a guaranteed timeout.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Drop a number of redundant functions from luci.sys to shrink the code a bit:
* luci.sys.net.arptable() - replaced by luci.ip.neighbors()
* luci.sys.net.routes() - replaced by luci.ip.routes()
* luci.sys.net.routes6() - replaced by luci.ip.routes6()
* luci.sys.net.deviceinfo() - replaced by nixio.getaddrinfo()
* luci.sys.net.pingtest() - no known user
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Drop the custom credentials checking in favor to perform proper session
logins via rpcd. This is needed to properly setup ACLs when spawning
rpcd sessions in order to support direct client side ubus access in the
future.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Add support for 'ip6ifaceid' option for proto_static in LuCI.
Information about the option:
The option is optional and defaults to '::1'.
Allowed values: 'eui64', 'random', fixed value like '::1' or '::1:2'
When IPv6 prefix (like 'a🅱️c:d::') is received from a delegating
server, the ip6ifaceid suffix (like '::1') is used to form
the IPv6 address ('a🅱️c:d::1') for the interface.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
In some cases it is useful to be able to override the template used for the
sysauth login dialog.
Add a new property "sysauth_template" which allows overriding the template
name from controller files.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Adds support for the fwmark option.
FwMark is a 32-bit fwmark for outgoing packets.
If set to 0 or "off", this option is disabled.
Signed-off-by: Dan Luedtke <mail@danrl.com>
Add datatype 'hexstring' for input validaiton datatypes.
It will accept any hexadecimal string.
(no length validation, as rangelength can be used for that.)
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
The Overview page and Network>Interfaces page currently do not give much information about IPv6, particularly with Prefix Delegated setups. In these setups, ISP will delegate a prefix to the router. Currently LuCI doesn't display this Prefix Delegation from the ISP anywhere. A number of changes was added to this commit:
1) self:_ubus("ipv6-prefix") was extracted and put into protocol.ip6prefix.
2) Network>Interfaces page, if a .ip6prefix is present, show it under Status. (IPv6-PD).
3) On the Overview page, "Type" and "Prefix Delegated" has been added to the IPv6 Network Overview Status:
- Type will display the .proto, similar to the IPv4 case. If a .ip6prefix is present, it'll display a "-pd" at the end of the Type: i.e. dhcpv6-pd vs. dhcpv6.
- If no .ip6prefix is present, it'll do what it does currently, and just show Address, or :: if no address is present.
- If .ip6prefix is present, it'll show the "Prefix Delegated", it'll also hide "Address" if no address is present, else it'll show ifc6.ip6addr as well.
Signed-off-by: Cody R. Brown <dev@codybrown.ca>
The missing parens lead to a wrong expression precedence, causing a runtime
error when attempting to compare nil with a number.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The expiry time in a dnsmasq lease file line may be 0 (i.e.
expiry date = 01/01/1970 00:00:00 GMT) to denote an infinite
lease time, so adjust the code to properly support that.
The expiry attribute of the lease object will be set to "false"
in case of an infinite lease. This is to mimic the odhcp code below.
If the expiry date is not equal to 0, then just do exactly what was
done before (return the os.diff of current time and ts).
Signed-off-by: Cody R. Brown <dev@codybrown.ca>
This should result in the MAC address display being the same
using odhcpd for v4 DHCP as when using DNSMasq for v4 DHCP.
Signed-off-by: Daniel Dickinson <lede@cshore.thecshore.com>
When converting interface names to UCI network names
webadmin fails if there is no UCI network name because
webadmin failed to ensure uciname has a value before
attempting to take a substring.
Signed-off-by: Daniel Dickinson <lede@cshore.thecshore.com>
Do not assume that the "raw" table is present on any system, instead check
/proc/net/ip{,6}_tables_names to determine which iptables tables are available.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Changes:
Saratov, Russia switches from +03 to +04 on 2016-12-04 at 02:00.
This hives off a new zone Europe/Saratov from Europe/Volgograd.
The new zone Asia/Atyrau for Atyraū Region, Kazakhstan, is like
Asia/Aqtau except it switched from +04/+05 to +05/+06 in spring
1999, not fall 1994.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
The expiry time in an odhcpd lease file line may be -1 to denote an infinite
lease time, so adjust the code to properly support that.
The expiry attribute of the lease object will be set to "false" in case of an
infinite lease.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Note that several of the time zones now use a numeric name
that is quoted with < > (e.g. "<+03>-3")
musl 1.1.15 and earlier have a bug with < > quoted time zone names.
Fix for the bug
* has already been patched in musl upstream with
http://git.musl-libc.org/cgit/musl/commit/?id=8ca27ac4bfe73bff785d0c26c1de0da92b55e5c6
* has been committed in LEDE with
671cb35880
* has been submitted to Openwrt as pull request
https://github.com/openwrt/openwrt/pull/163
Key changes in 2016d-2016i:
---------------------------
2016d:
America/Caracas switches from -0430 to -04 on 2016-05-01.
Asia/Magadan switches from +10 to +11 on 2016-04-24.
New zone Asia/Tomsk, split off from Asia/Novosibirsk.
2016f:
Asia/Novosibirsk switches from +06 to +07 on 2016-07-24.
Asia/Novokuznetsk and Asia/Novosibirsk now use numeric time zone
abbreviations instead of invented ones.
2016g:
Turkey switched from EET/EEST (+02/+03) to permanent +03,
effective 2016-09-07. Use "+03" rather than an invented
abbreviation for the new time.
Several zones in Antarctica and the former Soviet Union, along
with zones intended for ships at sea that cannot use POSIX TZ
strings, now use numeric time zone abbreviations instead of
invented or obsolete alphanumeric abbreviations.
2016h:
Asia/Gaza and Asia/Hebron end DST on 2016-10-29, not
2016-10-21. Predict that future fall transitions will
be on the last Saturday of October.
Asia/Colombo now uses numeric time zone abbreviations like "+0530"
instead of alphabetic ones like "IST" and "LKT".
2016i:
Pacific/Tongatapu begins DST on 2016-11-06, ending on
2017-01-15. Assume future observances in Tonga will be
from the first Sunday in November through the third Sunday in
January, like Fiji. Switch to numeric time zone abbreviations
for this zone.
Northern Cyprus is now +03 year round, causing a split in Cyprus
time zones starting 2016-10-30 at 04:00. This creates a zone
Asia/Famagusta.
Antarctica/Casey switched from +08 to +11 on 2016-10-22.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Wireless monitor interfaces usually have no SSID set in their config and
various network model utility functions did not handle this case properly,
mainly while trying to incorperate the SSID string into various description
labels.
Fall back to the internal network id (radioX.networkY) in cases where neither
the SSID nor the BSSID are available.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
In mod metamethod, execute string format under pcall() and rethrow error in
caller context to report caller of function in errors and not the meta
method itself.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Fix the underlying _iface_ignore() function to not ignore virtual interfaces,
in order to let ignore_interface() return true for PPP and similar devices.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Check the location of the odhcpd leasefile from /etc/config/dhcp
via uci. Fallback to the default location.
This fixes#702
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Using tristate is counter-intuitive and probably doesn't provide a lot
of benefit so we use a boolean and treat "don't know" as false (because
it is safer than showing options that are not actually available).
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
Fix display of WAN status when WAN is provided by using WWAN device or similar with other similar similar methods.
Explanation:
Before this, protocol was fetched from /etc/config/network for interface which often is wan_4 - but protocol is configured in file as wan, and therefore protocol is always none, since configuration is made for wan and then setup as wan_4 and possibly wan_6 if ipv6 is being used. This commit uses ubus to get used active protocol. For example, in case of qmi, it displays protocol as dhcp since even if I configured wan to use qmi, dhcp was used as a protocol for getting IP address.
Update timezone data to 2016c.
2016b: http://mm.icann.org/pipermail/tz-announce/2016-March/000036.html
Changes affecting future time stamps
New zones Europe/Astrakhan and Europe/Ulyanovsk for Astrakhan and
Ulyanovsk Oblasts, Russia, both of which will switch from +03 to +04
on 2016-03-27 at 02:00 local time. They need distinct zones since
their post-1970 histories disagree. New zone Asia/Barnaul for Altai
Krai and Altai Republic, Russia, which will switch from +06 to +07
on the same date and local time. Also, Asia/Sakhalin moves from +10
to +11 on 2016-03-27 at 02:00.
As a trial of a new system that needs less information to be made up,
the new zones use numeric time zone abbreviations like "+04"
instead of invented abbreviations like "ASTT".
Haiti will not observe DST in 2016.
Palestine's spring-forward transition on 2016-03-26 is at 01:00,
not 00:00. Guess future transitions will be March's last Saturday
at 01:00, not March's last Friday at 24:00.
2016c: http://mm.icann.org/pipermail/tz-announce/2016-March/000037.html
Changes affecting future time stamps
Azerbaijan no longer observes DST.
Chile reverts from permanent to seasonal DST.
Guess that future transitions are August's and May's second
Saturdays at 24:00 mainland time. Also, call the period from
2014-09-07 through 2016-05-14 daylight saving time instead of
standard time, as that seems more appropriate now.
Note for Openwrt usage:
Either musl or busybox does not like the new timezone format.
Although the rule looks ok in /etc/TZ, timezone is interpreted wrongly
by date, uptime etc. "Old timezones" are handle correctly, but these
new "<+04>-4" style zones do not work. Example below:
Europe/Helsinki
root@OpenWrt:~# cat /etc/TZ
EET-2EEST,M3.5.0/3,M10.5.0/4
root@OpenWrt:~# uptime
11:00:52 up 18:17, load average: 0.43, 0.13, 0.11
root@OpenWrt:~# date
Wed Mar 30 11:00:55 EEST 2016
Europe/Astrakhan
( Time is showed as GMT instead of the correct zone and
zone name is parsed wrongly )
root@OpenWrt:~# cat /etc/TZ
<+04>-4
root@OpenWrt:~# uptime
08:02:52 up 18:19, load average: 0.17, 0.18, 0.13
root@OpenWrt:~# date
Wed Mar 30 08:02:59 +04>-4 2016
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Some packages have different variants that have different
capabilities depending on which libraries against which
they are linked. Add a function to check which library a
binary links against in order to determine available
functionality.
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
Fix a bug introduced by #561
Function 'shellsqescape' calls 'gsub' with the empty result string 'res'
instead of the actual parameter 'value'. This leads into error:
.../util.lua:160: bad argument #1 to 'gsub' (string expected, got nil)
Fix error by passing the correct parameter to the function.
After the fix, the unmount button introduced by #561 finally works.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
When kmod-nf-nat6 and kmod-ipt-nat6 are installed, the firewall has also
the 'nat' table for ipv6, and packages like 'adblock' utilize that table.
Currently that table is not shown on the Luci firewall status page,
although it is visible by 'ip6tables -L -v -t nat' from console.
Detect 'nat' table's presence from /proc/net/ip6_tables_names
Show 'nat' table in Status->Firewall->IPv6 if that table is present.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Add an empty, normally invisible label after checkboxes and radio buttons
with cbi-input-{checkbox,radio} classes to allow CSS styling them as
suggested on http://www.paulund.co.uk/style-checkboxes-with-css
Signed-off-by: Nils Schneider <nils@nilsschneider.net>
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Fall back to default language if "auto" is configured, but none provided by
the browser matches.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Eliminate more inline scripts in favor to global initialization, use a global
object for sharing fixed strings instead of passing them to each invocation.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
* fixed tabbed map when using NamedSection of same sectiontype
* add error message on which tab(s) the invalid/required fields are located
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
Update timezone data to 2016a.
http://mm.icann.org/pipermail/tz-announce/2016-January/000035.html
Changes affecting future time stamps
America/Cayman will not observe daylight saving this year after all.
Revert our guess that it would. (Thanks to Matt Johnson.)
Asia/Chita switches from +0800 to +0900 on 2016-03-27 at 02:00.
(Thanks to Alexander Krivenyshev.)
Asia/Tehran now has DST predictions for the year 2038 and later,
to be March 21 00:00 to September 21 00:00. This is likely better
than predicting no DST, albeit off by a day every now and then.
Changes affecting past and future time stamps
America/Metlakatla switched from PST all year to AKST/AKDT on
2015-11-01 at 02:00. (Thanks to Steffen Thorsen.)
America/Santa_Isabel has been removed, and replaced with a
backward compatibility link to America/Tijuana. Its contents were
apparently based on a misreading of Mexican legislation.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Fix links to point into Github repo instead of luci.subsignal.org
- the hint to file a bug in dispatcher
- footers of Bootstrap and Firefunk themes
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Instead of relying on the connect-before-setuid hack, ship a proper
acl definition file whitelisting the procedures that LuCI requires
on its non-root pages.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Some applications only support ipv4 so add ipv4only option
to host and hostport datatypes so that for thos applications
that when an IP address is specified only and ipv4 ip address
gets accepted.
The previous versiono of ipaddrport validator only worked for ipv4
due to disallowing colons (:) in ip address which obvious fails for
ipv6. We now instead allow either ipv4 address or an ipv6 address of
the form [<ipv6address>]:port
Some files and pointers to files are not safe to remove without a replacement
file and config pointing to the file. For instance for uhttpd application in
the works, removing the certificate or key config or files without having the
replacements in places renders the WeUI inaccessible.
The only other place where FileUpload is currently used is for wifi certificates
for which the 'safe' handling is also preferred. Therefore make the default for
the FileUpload widget the safe handling and add a property self.unsafeupload that
allows for the old unsafe handling should it prove useful in some case.
Also allow to specify a file already on router instead of uploading a file.
Signed-off By: Daniel Dickinson <openwrt@daniel.thecshore.com>
The call to http.formvalue in order to read the csrf token causes
_parse_input to be triggered *before* controllers and cbi maps have
been built. This results in the failure of file uploads because
the file handler is not yet in place when _parse_input gets called,
and it is in _parse_input that POST data is parsed (including files).
To fix this we add the ability to write file fields to temporary
files (using mkstemp and unlink in nixio.file) and use this to
store file data until the filehandler is registered, with a
fallback to reading the file data into memory.
Once the filehandler callback gets registered we iterate
though all previously parsed (saved) files and copy the
data to the file handler, and then close the temporary
file (which finally removes because we unlinked after
creating the file, but didn't close the file so unlink
was deferred).
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
Some applications only support ipv4 so add ipv4only option
to host and hostport datatypes so that for thos applications
that when an IP address is specified only and ipv4 ip address
gets accepted.
The previous versiono of ipaddrport validator only worked for ipv4
due to disallowing colons (:) in ip address which obvious fails for
ipv6. We now instead allow either ipv4 address or an ipv6 address of
the form [<ipv6address>]:port
Some files and pointers to files are not safe to remove without a replacement
file and config pointing to the file. For instance for uhttpd application in
the works, removing the certificate or key config or files without having the
replacements in places renders the WeUI inaccessible.
The only other place where FileUpload is currently used is for wifi certificates
for which the 'safe' handling is also preferred. Therefore make the default for
the FileUpload widget the safe handling and add a property self.unsafeupload that
allows for the old unsafe handling should it prove useful in some case.
Also allow to specify a file already on router instead of uploading a file.
Signed-off By: Daniel Dickinson <openwrt@daniel.thecshore.com>
/lib/uci/upload is a rather odd place for configuration files
Also the files were not saved across sysupgrade, which is somewhat
counter-productive for configuration files.
Signed-off By: Daniel Dickinson <openwrt@daniel.thecshore.com>
The new function is twice as fast as the old implementation and properly
summarizes outgoing and incoming byte and packet counters.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Add two new types 'hostport' and 'ipaddrport' to validate strings in the form
'sub.example.org:1234' and '0.0.0.0:80'. The 'hostport' accepts hostnames or
IP addresses followed by a colon and a port number while the 'ipaddrport' type
accepts numeric IP addresses only, followed by a colon and a port.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
When using os.execute or luci.sys.call the shell is called with the
command line which means that standard shell interpretation of strings
occurs. To allow to use these commands more easily we add functions
for properly escaping single-quoted strings used on the command line
* Prevents an empty Location header
* Useful in environments where build_url() could return an empty string (such as http server rewrites requests to /cgi-bin/luci)
Signed-off-by: Joel Pedraza <github@saik0.net>
Two new arguments url, defpath were added to cbi_dynlist_init() for
initializing the brower button.
An example of usage
identity = section:taboption("general", DynamicList, "identity",
translate("List of SSH key files for auth"))
identity.datatype = "file"
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
As per http://tools.ietf.org/html/rfc3986#section-2.3
Characters that are allowed in a URI but do not have a reserved
purpose are called unreserved. These include uppercase and lowercase
letters, decimal digits, hyphen, period, underscore, and tilde.
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
cbi.lua
- Implement Flag.validate function to be overwritable
- rewritten if clause for easier reading ;-)
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
Rewrite `luci.sys.wifi.getiwinfo()` to use the ubus wireless state instead of
depreacated uci state vars in order to map abstract network notation to
wireless ifnames.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Now that we don't have an url token anymore, '/cgi-bin/luci' becomes a valid
url while cookies are restricted to only '/cgi-bin/luci/' and below.
In order to ensure that the first request after login refers to a path
covered by the authentication cookie, change build_url() to always append
a trailing slash if we're referring to the base url.
This should fix the login problems mentioned in #516.
While we're touching the dispatcher, also remove remaining url token code.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Now that sensitive urls require post requests and only accept them if a valid
security token is sent along the request, we can drop the global random url
token to improve LuCI usability.
The main improvement is the ability to use multiple tabs with the same login
session, but also deep linking to specific urls without the need for another
login becomes feasible, e.g. for documentation purposes.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
* Add a generic helper function to check need for post / csrf token validation
* Remove custom token verification in cbi targets
* Support requiring post security depending on specific submit parameters,
usable through post_on() action
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Changes in 2015g:
http://mm.icann.org/pipermail/tz-announce/2015-October/000034.html
Norfolk moves from +1130 to +1100 on 2015-10-04 at 02:00 local time.
Fiji's 2016 fall-back transition is scheduled for January 17, not 24.
Fort Nelson, British Columbia will not fall back on 2015-11-01. It has
effectively been on MST (-0700) since it advanced its clocks on 2015-03-08.
New zone America/Fort_Nelson.
Note: the Turkey-related one-time rule change is not apparently catched by
the zoneinfo2lua script, so that change is not included in this commit.
(Turkey's 2015 fall-back transition is scheduled for Nov. 8, not Oct. 25.)
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Only process submitted data if the "cbi.submit" parameter is present as the
dispatcher will verify the integrity of the CSRF token in this case.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Add the dispatcher infrastructure to restrict certain routes to POST
requests only in conjunction with verification of CSRF tokens.
This is the first step to get rid of the CSRF token in the url in favor
to tokens embedded in forms.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Add package *.ipk size information to package listing in Luci,
as opkg was today extended to support listing also the size information.
Visible fields are now: name, version, size, description
That will help users considering installation of a certain package
to assess its size impact on flash.
Note: Opkg data includes the size of the .ipk file, not the expanded size.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Previously, get_list("fake", "non-existent", "notreal") would still
return a table, just empty. This is nice, as you can always iterate the
returned table, without having to check it first.
However, if you happened to pass a nil for any of the parameters, you
would actually get a nil in return. This was inconsistent.
The documentation is updated to clarify the behaviour of this function.
Signed-off-by: Karl Palsson <karlp@remake.is>
Allows lists fetched with get_list to be modified and simply passed back
to set_list. Explicitly calling set_list() with an empty list is clearly
requesting that there be zero list items, ie, deletion of the option
altogether.
Signed-off-by: Karl Palsson <karlp@remake.is>
Many packages currently include a git commit hash in version string.
That makes versions string very long and the version column takes much space
when listing available/installed packages in Luci.
Longest version string is 58 characters (micropython).
85 packages have at least 50 chars and 150 packages at least 40 chars.
Adjust Luci to display max. 26 characters (= luci's own version string).
Longer version strings are cut to: "first 21c" + ".." + "last 3c"
The last 3 chars are used to preserve the possible PKG_REVISION string.
E.g. 'opkg' has only hash+PKG_REVISION, so using only start of the string
might not be optimal.
Examples:
1.3.10-20150302-f2a889564b3a215902622b040a1247af38cb8203-1
1.3.10-20150302-f2a88..3-1
0.1-20150302-654c7d288603f7dae09eb09b57fb67b38c7ac6c3-1
0.1-20150302-654c7d28..3-1
9c97d5ecd795709c8584e972bfdf3aee3a5b846d-7
9c97d5ecd795709c8584e..d-7
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
The setfilehandler() functions used for mime and url encoded message
bodies all operate with a signature of fh(meta, chunk, eof), but for
unhandled encodings, the callback was directly assigned to the sink
function, which has a signature of snk(chunk). Insert a wrapper to
properly generate the EOF flag, and include a stub "meta" block
providing a virtual "name" and also the original client provided
Content-Type header, to possibly help with taking alternative actions in
the file handler.
The sink function created for raw content decoding also used the wrong
signature for the sink function.
Signed-off-by: Karl Palsson <karlp@remake.is>
Changes in 2015e and 2015f:
http://mm.icann.org/pipermail/tz-announce/2015-June/000032.htmlhttp://mm.icann.org/pipermail/tz-announce/2015-August/000033.html
Morocco will suspend DST from 2015-06-14 03:00 through 2015-07-19 02:00,
not 06-13 and 07-18 as we had guessed.
Assume Cayman Islands will observe DST starting next year, using US rules.
Although it isn't guaranteed, it is the most likely.
North Korea switches to +0830 on 2015-08-15.
The abbreviation remains "KST".
Uruguay no longer observes DST.
Moldova starts and ends DST at 00:00 UTC, not at 01:00 UTC.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
* minor fix function _list() set to local
* new function compare_version() lua version of opkg compare-version
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
I used build/zoneinfo2lua.pl to pull data from my Ubuntu 15.04.
Changes in 2015d are rather small:
http://mm.icann.org/pipermail/tz-announce/2015-April/000031.html
Changes affecting future time stamps
Egypt will not observe DST in 2015 and will consider canceling it
permanently. For now, assume no DST indefinitely.
Change affecting time zone abbreviations
The abbreviations for Hawaii-Aleutian standard and daylight times
have been changed from HAST/HADT to HST/HDT, as per US Government
Printing Office style. This affects only America/Adak since 1983,
as America/Honolulu was already using the new style.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Timezone information is updated to 2015c, released on 14 Apr 2015.
I used build/zoneinfo2lua.pl to pull data from my Ubuntu 14.10.
Changes in 2015b and 2015c are rather small:
http://mm.icann.org/pipermail/tz-announce/2015-March/000029.htmlhttp://mm.icann.org/pipermail/tz-announce/2015-April/000030.html
Mongolia will start observing DST again this year, from the last
Saturday in March at 02:00 to the last Saturday in September at 00:00.
Palestine will start DST on March 28, not March 27. Also,
correct the fall 2014 transition from September 26 to October 24.
Adjust future predictions accordingly.
Egypt's spring-forward transition is at 24:00 on April's last Thursday,
not 00:00 on April's last Friday. 2015's transition will therefore be on
Thursday, April 30 at 24:00, not Friday, April 24 at 00:00. Similar fixes
apply to 2026, 2037, 2043, etc.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Timezone information is updated to 2015a, released on 30 Jan 15.
I used build/zoneinfo2lua.pl to pull data from my Ubuntu 14.10.
Changes are rather small:
http://mm.icann.org/pipermail/tz-announce/2015-January/000028.html
The Mexican state of Quintana Roo, represented by America/Cancun,
will shift from Central Time with DST to Eastern Time without DST.
Chile will not change clocks in April or thereafter; its new
standard time will be its old daylight saving time.
This affects America/Santiago, Pacific/Easter, and Antarctica/Palmer.
Ps. I manually edited headers to have the shorter new copyright,
instead of the long one generated buy the script.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Redirect to the canonical url after login and redirect to an url without
security token if the session expired. Also make sure that the login page
is served with status code 403, not 200 to give ajax calls a chance to
detect expired sessions.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
