- Apr 10, 2018
-
-
Hannu Nyman authored
* sync translations
* clean-up old strings from adblock
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
-
Jo-Philipp Wich authored
This 404 error template rendering has been broken for a long time due to bad function environment level in luci.template when invoking the rendering from the toplevel dispatcher context. Fix this issue by adding a local function indirection, essentially adding an additional stack frame. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Instead of attempting to access the request environment directly (which does not work anyway using the CGI SGI), use the already sanitized dispatcher.context.request property to print out the not found url. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
It is possible to inject unescaped markup using a double encoded null byte via PATH_INFO on certain leaf nodes. Since there is no legitimate reason to handle null bytes in any part of the requested url, simply skip over such bytes when parsing the PATH_INFO value. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
The C implementations of urlencode and urldecode are considerably faster than their current Lua counterparts. On an AMD Geode system, the C variant is up to ten times faster when decoding strings and up to four times faster when encoding them. The functions are also designed to only allocate new strings when any actual changes are required, otherwise they reuse the existing input strings, reducing the overall memory usage somewhat. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Marc Benoit authored
The value of cachesize is hardcoded to 10000 in dnsmasq-2.79/src/option.c to 10000 max

    case 'c': /* --cache-size */
      {
        int size;

        if (!atoi_check(arg, &size))
          ret_err(gen_err);
        else
          {
            /* zero is OK, and means no caching. */
            if (size < 0)
              size = 0;
            else if (size > 10000)
              size = 10000;

            daemon->cachesize = size;
          }
        break;
      }

Tested on Netgear R7800
Signed-off-by: Marc Benoit <marcb62185@gmail.com>
-
- Apr 09, 2018
-
-
Marc Benoit authored
In the case of more powerful routers the default cachesize value == 150 is too small and can easily be extended to 1,000's and 10,000's of entries. It makes sense to make it easily configurable.
Tested on Netgear R7800
Signed-off-by: Marc Benoit <marcb62185@gmail.com>
Fix whitespace, edit the proposed help text.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
-
Jo-Philipp Wich authored
The cbi class will react on an empty "cbi.submit" parameter as well so we must intercept GET requests using that too. Fixes 186e690c ("luci-base: dispatcher: reject non-POST requests with any cbi.submit value") Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
- Apr 08, 2018
-
-
Hannu Nyman authored
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
-
- Apr 07, 2018
-
-
Hannu Nyman authored
Update timezone data to 2018d
http://mm.icann.org/pipermail/tz-announce/2018-March/000049.html
In 2018, Palestine starts DST on March 24, not March 31. Adjust future predictions accordingly.
Casey Station in Antarctica changed from +11 to +08
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
-
Jo-Philipp Wich authored
Properly propagate the config parameter to the foreach iterator in order to fix get_first() lookups. Fixes #1734. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Prevent various XSS vectors by not interpolating field and path values verbatim into script and html contexts. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
- Apr 06, 2018
-
-
Jo-Philipp Wich authored
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
This fixes issues discovered by check-controllers.sh Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
This fixes issues discovered by check-controllers.sh Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Introduce a get_state() function which can be used to access legacy uci state variables. This is usually not needed anymore but some packages (mainly mwan3) still rely on this. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Make the hint message more explicit to tell users that the prefix size needs to be specified as well. Fixes #1559. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
- Use the ubus session.login procedure to authenticate credentials
- Fix testing of allowed usernames
- Support authentication via sysauth cookie
Fixes #1300, #1700, #1711
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Fixes #1725
Fixes 731ed77c ("treewide: improve handling of page redirections in uci change views")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
- Apr 05, 2018
-
-
Jo-Philipp Wich authored
Prevent reflected XSS through the reset button by url encoding the display parameter. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Instead of passing the full LuCI request url, pass the relative resolved request path instead and filter the received value through the lookup() dispatcher function to only allow paths to actual internal pages. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
The lookup function takes multiple, possibly malformed path fragments, splits them on slashes, constructs a temporary path and looks up the result in the dispatch tree. If a matching node has been found, the function will return both the node reference and the canonical url to it. If no corresponding node is found, the function returns nil. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Introduce a new function luci.util.shellquote() which encloses the given string argument in single quotes and escapes any embedded single quote characters. This function is intended to be used when interpolating untrusted input into shell commands. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Due to the fact that luci.model.cbi reacts on any "cbi.submit" value while the dispatcher only required POST for cbi.submit == 1, the CSRF token protection could be bypassed. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
- Apr 04, 2018
-
-
Jo-Philipp Wich authored
Switch from using the REQUEST_URI CGI variable directly to the canonicalized FULL_REQUEST_URI property. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Introduce a new template property FULL_REQUEST_URI which returns the full canonicalized request URL built from SCRIPT_NAME, PATH_INFO and QUERY_STRING. This new property is safer to use compared to using the raw REQUEST_URI CGI environment variable directly as this value is essentially untrusted user input which may contain embedded escaped slashes, double forward slashes and other oddities allowing XSS exploitation or request redirection. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Some applications, e.g. dnsmasq, do not allow hostnames starting with an underscore, therefore extend the existing hostname datatype validator with a `strict` which disallows a leading underscore. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Switch luci.model.uci to use ubus uci calls instead of driving libuci-lua directly. This prepares support for more advanced features such as per-session change isolation and configuration rollback on errors. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
- Apr 02, 2018
-
-
Qian Zheng authored
Signed-off-by: Qian Zheng <sotux82@gmail.com>
-
- Mar 31, 2018
-
-
Dirk Brenken authored
* fix wrong private function call to handle section id as parameter (fix for #1687) Signed-off-by: Dirk Brenken <dev@brenken.org>
-
- Mar 29, 2018
-
-
INAGAKI Hiroshi authored
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
-
- Mar 27, 2018
-
-
Florian Eckert authored
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
-
- Mar 22, 2018
-
-
Dirk Brenken authored
* enhance the checklib function in util.lua to check the 'fullpathexe' as well, e.g. this fixes runtime errors on the dhcp/dns template in environments without dnsmasq Signed-off-by: Dirk Brenken <dev@brenken.org>
-
- Mar 12, 2018
-
-
Jo-Philipp Wich authored
Use the new luci.ip MAC address facilities to parse and verify MAC addresses in a common way, instead of relying on various ad-hoc solutions. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-
Jo-Philipp Wich authored
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-