Instead of relying on .innerHTML which executes embedded script code to
parse a given HTML fragment, use dom.parse() which utilizes DOMParser()
internally in order to extract textContent in a safe manner.
Fixes: FS#4199
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=4199
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 993151504e)
Only treat the given identifier as Linux netdev name if we can find a
corresponding entry in the device info cache and do not consider strings
starting with "wlan", "ath" or "wl" to be existing devices.
This fixes incorrectly adding wireless sections as ifnames to network
interfaces when the wifi-iface section name begins with one of the
`iface_patterns_wireless` patterns.
Fixes: #5069
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit d4092b15ce)
Remove ACL file accidentally added by ecd49247eb.
There is no luci-app-dawn in 19.07, so no ACL is needed.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
The new API unifies all human readable responses in the `detail` field
to follow the newly used framework.
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 2a29911121)
The content is the same response as for `/api/latest.json` but
statically hosted by a webserver rather than Python generated.
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit a672875402)
If the upgrade server API does not respond, show an error message.
Fix #5222
While at it, minimal code linting
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit ff24b78c80)
In JavaScript (other than in Python) an empty array is considered `true`
within if statements. Fix this by checking for the array length rather
than its existence.
This fixes the issue of an empty dropdown menu in case the user is
running the latest release.
Signed-off-by: Paul Spooren <mail@aparcar.org>
* add HTTP/2-only supporting providers: Mullvad, Digitale-Gesellschaft, dns.sb and Rubyfish.cn
* switch default provider from Google to Cloudflare
* add IPv6 addresses for bootstrap resolvers for Google DNS
* add secondary bootstrap resolver (Cloudflare's) to all providers with a single bootstrap resolver
* modify model/cbi file to show HTTP/2-only providers (and help texts) on HTTP/2-supporting systems
Signed-off-by: Stan Grishin <stangri@melmac.net>
The mac section for the static lease doesn't correctly handle when multiple macs are set for a rule.
Fixes: #4291
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
(cherry picked from commit 6c9a6c334e)
This calls striptags() on the hostname to prevent any XSS over the
hostname. This should fix CVE-2021-33425 as far as I understood it.
If someone adds some JavaScript into system.@system[0].hostname it would
have been directly added to the page, this prevents the problem.
This can only be exploited by someone being able to modify the uci
configuration, normally a user with such privileges could also just
modify the webpage.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 5cbd79d7e3)
When an upstream NS returns PTR domain names containing HTML, it is
added verbatim to the connection status table.
Prevent this issue by HTML escaping any values in the source and
destination columns.
Fixes: CVE-2021-32019
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 3c66c5b165)
Serialize the uci list value into a space separated string before passing
it to String.format() for HTML escaping. Without that change, empty strings
were returned whenever the underlying uci get operation yielded an array.
Fixes: #4993
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 5c792aefc7)
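The two fixes above (escaping PTR names in the connection status table, and serializing a uci list value before escaping it) both come down to one rule: every untrusted value is escaped as a string before it becomes HTML. The following is an added example, not LuCI's own code; the function names, the sample records and the markup-bearing PTR name are constructed for illustration.

```javascript
// Added example (not LuCI code): escape untrusted values before inserting
// them into HTML. Arrays (as returned by uci get for list options) are
// joined with spaces first, so they do not escape to an empty string.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function htmlEscape(value) {
  const str = Array.isArray(value) ? value.join(' ') : String(value);
  return str.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample connection records. The destination of the second
// entry carries markup, standing in for a hostile upstream PTR answer.
const SAMPLE_CONNECTIONS = [
  { proto: 'tcp', src: '192.0.2.10:51234', dst: 'example.org:443' },
  { proto: 'udp', src: '192.0.2.11:5353', dst: '<b>not-a-real</b>.example:53' },
];

// Builds the table rows as one string; every cell passes through htmlEscape().
function renderConnectionRows(conns) {
  return conns.map((c) =>
    '<tr><td>' + htmlEscape(c.proto) + '</td><td>' + htmlEscape(c.src) +
    '</td><td>' + htmlEscape(c.dst) + '</td></tr>').join('\n');
}

// Defensive self-check: a correctly escaped cell never contains a raw tag.
function containsRawTag(html) {
  return /<td>[^<]*<[a-z]/i.test(html);
}

console.log(renderConnectionRows(SAMPLE_CONNECTIONS));
```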
Implement two new text "options" for UCI system config, intended to
help humans describe the device.
"system.description" is a short, single-line description suitable for
selector UIs in remote administration applications, or remote UCI (over
ubus RPC), etc. It would also be suitable as a default for LLDP/SNMP
"system description".
"system.notes" is a multi-line, free-form text field that can be used in
any way the user wishes, e.g. to hold installation notes, or unit serial
number and inventory number, location, etc.
Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>