- Apr 26, 2018
-
-
Jo-Philipp Wich authored
Add timeout options to get() and post() and introduce XHR.stop() to support stopping a poll operation. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Support a new boolean property `cors` which - if set to true - causes the dispatcher to positively answer CORS OPTIONS requests after authentication without actually running the dispatching target. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Decode the HTTP message bodies of any request carrying a Content-Length header, not just those in POST requests. This allows handling parameters in other methods, OPTIONS in particular. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
- Apr 25, 2018
-
-
INAGAKI Hiroshi authored
Updated Japanese translations. Signed-off-by:
INAGAKI Hiroshi <musashino.open@gmail.com>
-
- Apr 24, 2018
-
-
Jo-Philipp Wich authored
Add a 3rd return value to luci.util.ubus() containing the string value of the error return value. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Ensure that the (table) length of a file upload value has nonzero length by initializing the first table index with the file name. This fixes tests in the form `x = luci.http.formvalue(...) if x and #x > 0 then ... end`. Fixes #1763. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
- Apr 22, 2018
-
-
Jo-Philipp Wich authored
Depends on 5ef51b2a ("lucihttp: update to latest HEAD"). Fixes #1755. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
- Apr 21, 2018
-
-
Jo-Philipp Wich authored
Ship an ACL definition for granting full read/write access to uci configuration files via ubus rpc. This is a precondition for enabling uci session isolation later on. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
- Apr 19, 2018
-
-
Jo-Philipp Wich authored
Restore the old luci.http behaviour of converting repeated POST params into single tables holding all values instead of letting each repeated parameter overwrite the value of the preceding one. Fixes, among other things, the handling of CBI dynamic list values. Fixes #1752. Fixes 59dea023 ("luci-base: switch to lucihttp based POST data processing"). Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Introduce luci.model.uci.set_session_id() and luci.model.uci.get_session_id() to set and get the effective session ID respectively. When a session ID is set, it is sent as `ubus_rpc_session` attribute to rpcd, causing it to use per-session change directories, isolating LuCI changes from the global system uci state. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
- Apr 18, 2018
-
-
Jo-Philipp Wich authored
LuCI itself now uses ubus calls to interact with uci configuration while the remaining direct libuci-lua users have been updated to either depend on the binding library or to use luci.model.uci. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Also adjust the dependencies of components depending on these classes and flatten the namespace from luci.http.protocol.* to luci.http.* Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
With only the decoder routines remaining in luci.http.protocol, it makes no sense to keep the low level protocol class around, so fold the remaining code into the central luci.http class. Also adjust the few direct users of luci.http.protocol accordingly. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
- Rewrite getcookie() to use liblucihttp header value parsing - Rewrite setfilehandler() to use local variables and have cleaner code - Fix build_querystring() to actually *en*code the given params Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
The dtable() function has no user in the entire LuCI repo, so drop it. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
This reverts commit ad7dc4a4. Since we're using liblucihttp now, that library is the appropriate place to add such decoding helper functions. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Use the liblucihttp provided multipart and x-www-urlencoded body parsers and drop the old Lua parsing code. The C based data parsers are way faster than their old Lua counterparts while producing less string garbage and more correct results. While refactoring the luci.http.protocol code, also drop unused functions and dead code, heavily reducing the module size. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Drop the Lua implementation in luci.http.protocol and use the optimized C variants of liblucihttp instead. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Qian Zheng authored
Signed-off-by:
Zheng Qian <sotux82@gmail.com>
-
- Apr 10, 2018
-
-
Hannu Nyman authored
* sync translations * clean-up old strings from adblock Signed-off-by:
Hannu Nyman <hannu.nyman@iki.fi>
-
Jo-Philipp Wich authored
This 404 error template rendering has been broken for a long time due to bad function environment level in luci.template when invoking the rendering from the toplevel dispatcher context. Fix this issue by adding a local function indirection, essentially adding an additional stack frame. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Instead of attempting to access the request environment directly (which does not work anyway using the CGI SGI), use the already sanitized dispatcher.context.request property to print out the not found url. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
It is possible to inject unescaped markup using a double encoded null byte via PATH_INFO on certain leaf nodes. Since there is no legitimate reason to handle null bytes in any part of the requested url, simply skip over such bytes when parsing the PATH_INFO value. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
The C implementations of urlencode and urldecode are considerably faster than their current Lua counterparts. On an AMD Geode system, the C variant is up to ten times faster when decoding strings and up to four times faster when encoding them. The functions are also designed to only allocate new strings when any actual changes are required, otherwise they reuse the existing input strings, reducing the overall memory usage somewhat. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
- Apr 09, 2018
-
-
Jo-Philipp Wich authored
The cbi class will react on an empty "cbi.submit" parameter as well so we must intercept GET requests using that too. Fixes 186e690c ("luci-base: dispatcher: reject non-POST requests with any cbi.submit value") Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
- Apr 08, 2018
-
-
Hannu Nyman authored
Signed-off-by:
Hannu Nyman <hannu.nyman@iki.fi>
-
- Apr 07, 2018
-
-
Hannu Nyman authored
Update timezone data to 2018d: http://mm.icann.org/pipermail/tz-announce/2018-March/000049.html. In 2018, Palestine starts DST on March 24, not March 31. Adjust future predictions accordingly. Casey Station in Antarctica changed from +11 to +08. Signed-off-by:
Hannu Nyman <hannu.nyman@iki.fi>
-
Jo-Philipp Wich authored
Properly propagate the config parameter to the foreach iterator in order to fix get_first() lookups. Fixes #1734. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Prevent various XSS vectors by not interpolating field and path values verbatim into script and html contexts. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
- Apr 06, 2018
-
-
Jo-Philipp Wich authored
Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Introduce a get_state() function which can be used to access legacy uci state variables. This is usually not needed anymore but some packages (mainly mwan3) still rely on this. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Make the hint message more explicit to tell users that the prefix size needs to be specified as well. Fixes #1559. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
- Apr 05, 2018
-
-
Jo-Philipp Wich authored
The lookup function takes multiple, possibly malformed path fragments, splits them on slashes, constructs a temporary path and looks up the result in the dispatch tree. If a matching node has been found, the function will return both the node reference and the canonical url to it. If no corresponding node is found, the function returns nil. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Introduce a new function luci.util.shellquote() which encloses the given string argument in single quotes and escapes any embedded single quote characters. This function is intended to be used when interpolating untrusted input into shell commands. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Due to the fact that luci.model.cbi reacts on any "cbi.submit" value while the dispatcher only required POST for cbi.submit == 1, the CSRF token protection could be bypassed. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
- Apr 04, 2018
-
-
Jo-Philipp Wich authored
Switch from using the REQUEST_URI CGI variable directly to the canonicalized FULL_REQUEST_URI property. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Introduce a new template property FULL_REQUEST_URI which returns the full canonicalized request URL built from SCRIPT_NAME, PATH_INFO and QUERY_STRING. This new property is safer to use compared to using the raw REQUEST_URI CGI environment variable directly as this value is essentially untrusted user input which may contain embedded escaped slashes, double forward slashes and other oddities allowing XSS exploitation or request redirection. Signed-off-by:
Jo-Philipp Wich <jo@mein.io>
-