Since HTTP cookies may not overwrite HTTPS ("secure") ones, users are
frequently unable to log into LuCI when a stale, "secure" `sysauth` cookie
is still present in the browser as it commonly happens after e.g. a
sysupgrade operation or when frequently jumping between HTTP and HTTPS
access.
Rework the dispatcher to set either a `sysauth_http` or `sysauth_https`
cookie, depending on the HTTPS state of the server connection and accept
both cookie names when verifying the session ID.
This allows users to log into an HTTP-only LuCI instance while a stale,
"secure" HTTPS cookie is still present.
Requires commit 2b0539ef9d ("lucihttp: update to latest Git HEAD") to
function properly.
Fixes: #5843
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
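
The cookie scheme described in the commit message above, sketched as an added example in plain Lua; it is not LuCI's dispatcher code. The helper names, the in-memory `sessions` table, the cookie attributes, the order in which the two names are tried and the sample session IDs are all assumptions made for illustration.

```lua
-- Constructed session store: session ID -> session data
-- (stands in for the real session backend).
local sessions = { ["0123456789abcdef0123456789abcdef"] = { username = "root" } }

-- Pick the cookie name from the HTTPS state of the current connection.
local function cookie_name(is_https)
	return is_https and "sysauth_https" or "sysauth_http"
end

-- Build a Set-Cookie value; only the HTTPS variant carries the Secure
-- attribute, so an HTTP login never has to overwrite a "secure" cookie.
local function set_cookie(is_https, sid, script_name)
	return string.format("%s=%s; path=%s; SameSite=Strict; HttpOnly%s",
		cookie_name(is_https), sid, script_name, is_https and "; Secure" or "")
end

-- Parse a Cookie request header into a name -> value table.
local function parse_cookies(header)
	local jar = {}
	for pair in (header or ""):gmatch("[^;]+") do
		local name, value = pair:match("^%s*([^=%s]+)%s*=%s*(.-)%s*$")
		if name then jar[name] = value end
	end
	return jar
end

-- Accept either cookie name, but only if its value maps to a live session,
-- so a stale cookie under one name cannot shadow a valid one under the other.
local function find_session(cookie_header)
	local jar = parse_cookies(cookie_header)
	for _, name in ipairs({ "sysauth_https", "sysauth_http" }) do
		local sid = jar[name]
		if sid and sessions[sid] then
			return sid, sessions[sid], name
		end
	end
	return nil
end

-- Constructed HTTPS request: a stale sysauth_https cookie (e.g. left over
-- from before a sysupgrade) next to a live sysauth_http one.
local header = "sysauth_https=ffffffffffffffffffffffffffffffff; "
	.. "sysauth_http=0123456789abcdef0123456789abcdef"
local sid, sdat, used = find_session(header)
assert(used == "sysauth_http" and sdat.username == "root")
print(set_cookie(false, sid, "/cgi-bin/luci"))
```
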
On boards with ADSL instead of VDSL support we need to expect an
`/sbin/dsl_cpe_control` instead of an `/sbin/vdsl_cpe_control` executable.
Ref: https://forum.openwrt.org/t/dsl-line-stats/126580
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Changes on a given configuration should trigger change events on affected
configurations, not the other way around.
Fixes: #5745
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Ensure to invoke the Busybox `passwd` applet to change the system password
in a non-interactive manner. Non-Busybox variants may not take the new
password input from stdin or use password hashes which are not supported
by musl's `crypt()` implementation by default.
Fixes: #5629
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Fallback to firewall4's helper list if the fw3 one cannot be loaded.
Fixes broken zone configuration when firewall4 is installed as backend.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
When the system is running with nftables instead of iptables, the
proprietary XT_FLOWOFFLOAD module will not be present; query the nft
equivalent instead.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Initial changes required for firewall4 compatibility:
* depend on uc-firewall instead of firewall
* detect installed version of firewall and hide incompatible features
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
- Prefer nodes that do not require authentication over nodes that do
- Honour ACL dependencies while resolving firstchild nodes
- Consider currently active session while scanning menu tree instead
of only loading effective ACLs when a login node is encountered
- Do not consider nodes for firstchild dispatching which specify a
special "firstchild_ineligible" property
- Hide menu nodes that have no accessible children
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Cleanup /etc/config/ucitrack by removing 'radvd' affect item
from network, as the radvd package has been deprecated by odhcpd
and odhcp6c in 2014.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
OpenWrt commit 1a9b896d ("treewide: nuke DRIVER_11W_SUPPORT") enables
802.11w feature for all wpad/hostapd configurations. The feature flag
was removed altogether, but for compatibility reasons 11w is still
advertised (but there's a plan to nuke it also) [1].
Remove conditional 802.11w LuCI support to match current behavior.
[1]: https://github.com/openwrt/openwrt/pull/3347
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
Check if hostapd supports wps pushbutton features.
(wps is now supported by ubus instead of using hostapd_cli)
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Move the VPN configuration section behind the network configuration. The normal
workflow is add/edit the network and then add/edit a vpn configuration.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This commit adds WEP as a queryable WiFi feature.
Support for the deprecated WEP encryption is not
compiled-in to hostapd or wpa_supplicant by default
anymore.
Allow LuCI to query the availability of WEP to remove
it from the list of available encryption methods in case
hostapd / wpa_supplicant are compiled without it.
Signed-off-by: David Bauer <mail@david-bauer.net>
In file `/etc/config/ucitrack`
```
config fstab
	option exec '/sbin/block mount'
```
`/sbin/block mount` is never called after fstab is changed.
Signed-off-by: jjm2473 <1129525450@qq.com>
* minimal change to accept the usual logread location
plus the alternative location (/usr/sbin/logread)
used by syslog-ng (see openwrt/packages/issues/11535 for reference)
Signed-off-by: Dirk Brenken <dev@brenken.org>
Since swconfig output varies wildly among different switch drivers, rely
on a simpler more robust parsing approach to find the required information.
Ref: https://forum.openwrt.org/t/cannot-read-property-link/50766
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Currently the ubus path that the webserver provides is hardcoded to be /ubus.
Change this to make it configurable from the luci config file.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Currently LuCI can be loaded only when placed in the root of the server as the cgi-bin paths are hardcoded. Change the index.html to load the cgi-bin path from the current level.
Also add a new entry in the env Object to make the cgi_base path easily accessible.
This variable will be based on the position of /cgi-bin/luci.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Add detection mechanism for system cert CA bundle installed by the
ca-bundle package. Used by LuCI to detect whether the "Use system
certificates" certificate validation option should be enabled.
Signed-off-by: David Lam <david@thedavid.net>