This 404 error template rendering has been broken for a long time due to bad
function environment level in luci.template when invoking the rendering from
the toplevel dispatcher context.
Fix this issue by adding a local function indirection, essentially adding an
additional stack frame.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Instead of attempting to access the request environment directly (which does
not work anyway using the CGI SGI), use the already sanitized
dispatcher.context.request property to print out the not found url.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
It is possible to inject unescaped markup using a double encoded null byte
via PATH_INFO on certain leaf nodes.
Since there is no legitimate reason to handle null bytes in any part of the
requested url, simply skip over such bytes when parsing the PATH_INFO value.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The C implementations of urlencode and urldecode are considerably faster
than their current Lua counterparts.
On an AMD Geode system, the C variant is up to ten times faster when
decoding strings and up to four times faster when encoding them.
The functions are also designed to only allocate new strings when any
actual changes are required, otherwise they reuse the existing input
strings, reducing the overal memory usage somewhat.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The value of cachesize is hardcoded to 10000 in
dnsmasq-2.79/src/option.c to 10000 max
case 'c': /* --cache-size */
{
int size;
if (!atoi_check(arg, &size))
ret_err(gen_err);
else
{
/* zero is OK, and means no caching. */
if (size < 0)
size = 0;
else if (size > 10000)
size = 10000;
daemon->cachesize = size;
}
break;
}
Tested on Netgear R7800
Signed-off-by: Marc Benoit <marcb62185@gmail.com>
In the case of more powerful routers the default
cachesize value == 150 is too small and can easily
be extended to 1,000's and 10,000's of entries.
It makes sense to make it easy configurable.
Tested on Netgear R7800
Signed-off-by: Marc Benoit <marcb62185@gmail.com>
Fix whitespace, edit the proposed help text.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
The cbi class will react on an empty "cbi.submit" parameter as well so we
must intercept GET requests using that too.
Fixes 186e690c0 ("luci-base: dispatcher: reject non-POST requests with any cbi.submit value")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Update timezone data to 2018d
http://mm.icann.org/pipermail/tz-announce/2018-March/000049.html
In 2018, Palestine starts DST on March 24, not March 31.
Adjust future predictions accordingly.
Casey Station in Antarctica changed from +11 to +08
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
There is no direct user of the libuci-lua api, just some commented out code.
Rewrite the commented code to use the Map's uci cursor and remove the
explicit require.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Properly propagate the config parameter to the foreach iterator in order
to fix get_first() lookups.
Fixes#1734.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Prevent various XSS vectors by not interpolating field and path values
verbatim into script and html contexts.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* b00b676 fixed the cbi initialization for SimpleForm, therefore bring
back "Ignore BSSID" flag with dependent input field
Signed-off-by: Dirk Brenken <dev@brenken.org>
The main purpose of the script is to check if the module declaration
matches and if associated cbi resources are properly referenced.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Explicitely require libuci-lua in model classes that use legacy /var/state
cursor handling.
Also add a specific dependency on libuci-lua to the luci-app-mwan3
Makefile in preparation of the upcoming default removal of libuci-lua.
Finally fix the post data dispatching on the notification tab, see #1722
for reference.
Fixes#1726.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Introduce a get_state() function which can be used to access legacy
uci state variables. This is usually not needed anymore but some
packages (mainly mwan3) still rely on this.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Make the hint message more explicit to tell users that the prefix size needs
to be specified as well.
Fixes#1559.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
- Use the ubus session.login procedure to authenticate credentials
- Fix testing of allowed usernames
- Support authentication via sysauth cookie
Fixes#1300, #1700, #1711
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Instead of passing the full LuCI request url, pass the relative resolved
request path instead and filter the received value through the lookup()
dispatcher function to only allow paths to actual internal pages.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The lookup function takes multiple, possibly malformed path fragments,
splits them on slashes, constructs a temporary path and looks up the
result in the dispatch tree.
If a matching node has been found, the function will return both the
node reference and the canonical url to it.
If no corresponding node is found, the function returns nil.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Invoke the SimpleForm models using the form() action, not the cbi() ones.
This avoids the extraneous rendering of the cbi header template, avoiding
rejected save operations due to duplicated token value.
Fixes#1722.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Introduce a new function luci.util.shellquote() which encloses the given
string argument in single quotes and escapes any embedded single quote
characters.
This function is intended to be used when interpolating untrusted input
into shell commands.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
