project/luci.git
6 years agoluci-app-lxc: various changes
Admin Localnet [Mon, 30 Oct 2017 20:12:25 +0000 (21:12 +0100)]
luci-app-lxc: various changes

1) Modify dependencies

Add dependencies required for to be able use containers created from
"images.linuxcontainers.org". Several of them require "lxc-attach" for set
password so to be able login. None of them has SSH preinstalled so
"lxc-console" is required to be able login and install SSH, for example.

Remove dependency "xz", it seems incompatible with LXC_BUSYBOX_OPTIONS when
both are enabled happens a build crash.

2) Change container image repository

The repository "virtualwrt.org/containers/" seems to not work, I have change
it by the official LXC container image repository.

3) Translate the arch

Translate the local uname architecture to a valid "images.linuxcontainers.org"
arch. Only tested with the platform "mvebu" (armv7l -> armhf).

4) Other minor fixes

Use same server to list images and download the image.
Disable GPG check when listing images.

Reported-by: "Admin Localnet <localnet@users.noreply.github.com>"
[Squashed commits, cleaned up whitespace, refactor arch mapping, escape url
 setting, use system wide ubus helper, use uci model library]

Closes: #1422
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agolucihttp: update to latest HEAD
Jo-Philipp Wich [Fri, 20 Apr 2018 09:23:27 +0000 (11:23 +0200)]
lucihttp: update to latest HEAD

c7c9c66 src: extend multipart parser test program
5071efb testcases: add multipart parsing edge cases
689e3d0 lib: multipart-parser: fix various edge cases

Fixes #1754.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: properly handle repeated POST parameters
Jo-Philipp Wich [Thu, 19 Apr 2018 09:56:44 +0000 (11:56 +0200)]
luci-base: properly handle repeated POST parameters

Restore the old luci.http behaviour of converting repeated POST params into
single tables holding all values instead of letting each repeated parameter
overwrite the value of the preceeding one.

Fixes, among other things, the handling of CBI dynamic list values.

Fixes #1752
Fixes 59dea0230 ("luci-base: switch to lucihttp based POST data processing")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: implement session handling in luci.model.uci
Jo-Philipp Wich [Thu, 19 Apr 2018 09:42:12 +0000 (11:42 +0200)]
luci-base: implement session handling in luci.model.uci

Introduce luci.model.uci.set_session_id() and luci.model.uci.get_session_id()
to set and get the effective session ID respectively.

When a session ID is set, it is sent as `ubus_rpc_session` attribute to rpcd,
causing it to use per-session change directories, isolating LuCI changes from
the global system uci state.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: drop dependency on libuci-lua
Jo-Philipp Wich [Wed, 18 Apr 2018 14:54:53 +0000 (16:54 +0200)]
luci-base: drop dependency on libuci-lua

LuCI itself now uses ubus calls to interact with uci configuration while
the remaining direct libuci-lua users have been updated to either depend
on the binding library or to use luci.model.uci.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agofreifunk-common: explicitely depend on libuci-lua
Jo-Philipp Wich [Wed, 18 Apr 2018 14:54:11 +0000 (16:54 +0200)]
freifunk-common: explicitely depend on libuci-lua

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agolucihttp: update to latest HEAD
Jo-Philipp Wich [Wed, 18 Apr 2018 14:38:28 +0000 (16:38 +0200)]
lucihttp: update to latest HEAD

8617997 lib: cast size_t values in printf() to prevent compielr warnings

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agolibs: move http.protocol.{date,mime,conditionals} to luci-lib-httpprotoutils
Jo-Philipp Wich [Wed, 18 Apr 2018 13:49:26 +0000 (15:49 +0200)]
libs: move http.protocol.{date,mime,conditionals} to luci-lib-httpprotoutils

Also adjust the dependencies of components depending on these classes and
flatten the namespace from luci.http.protocol.* to luci.http.*

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: fold luci.http.protocol into luci.http
Jo-Philipp Wich [Wed, 18 Apr 2018 14:11:42 +0000 (16:11 +0200)]
luci-base: fold luci.http.protocol into luci.http

With only the decoder routines remaining in luci.http.protocol, it makes no
sense to keep the low level protocol class around, so fold the remaining code
into the central luci.http class.

Also adjust the few direct users of luci.http.protocol accordingly.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: refactor luci.http
Jo-Philipp Wich [Wed, 18 Apr 2018 12:05:41 +0000 (14:05 +0200)]
luci-base: refactor luci.http

 - Rewrite getcookie() to use liblucihttp header value parsing
 - Rewrite setfilehandler() to use local variables and have cleaner code
 - Fix build_querystring() to actually *en*code the given params

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: drop luci.util.dtable()
Jo-Philipp Wich [Wed, 18 Apr 2018 11:20:42 +0000 (13:20 +0200)]
luci-base: drop luci.util.dtable()

The dtable() function has no user in the entire LuCI repo, so drop it.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoRevert "luci-base: add urldecode() and urlencode() C implementations"
Jo-Philipp Wich [Tue, 17 Apr 2018 13:38:28 +0000 (15:38 +0200)]
Revert "luci-base: add urldecode() and urlencode() C implementations"

This reverts commit ad7dc4a4928e77ae142d0fe040f9e9e64b530e82.

Since we're using liblucihttp now, that library is the appropriate place to
add such decoding helper functions.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: switch to lucihttp based POST data processing
Jo-Philipp Wich [Wed, 18 Apr 2018 09:36:53 +0000 (11:36 +0200)]
luci-base: switch to lucihttp based POST data processing

Use the liblucihttp provided multipart and x-www-urlencoded body parsers
and drop the old Lua parsing code.

The C based data parsers are way faster than their old Lua counterparts
while producing less string garbage and more correct results.

While refactoring the luci.http.protocol code, also drop unused functions
and dead code, heavily reducing the module size.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: switch to lucihttp.urldecode() and lucihttp.urlencode()
Jo-Philipp Wich [Wed, 18 Apr 2018 08:46:04 +0000 (10:46 +0200)]
luci-base: switch to lucihttp.urldecode() and lucihttp.urlencode()

Drop the Lua implementation in luci.http.protocol and use the optimized C
variants of liblucihttp instead.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agolucihttp: update to latest HEAD
Jo-Philipp Wich [Tue, 17 Apr 2018 12:56:22 +0000 (14:56 +0200)]
lucihttp: update to latest HEAD

b7470d1 lua: back out early when instantiating parser with bad boundary
e1b1b1f testcases: remove stray .swp file
b46a6ca utils: introduce new LH_URLDECODE_PLUS flag

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoMerge pull request #1750 from sotux/i18n_zh_cn
Hannu Nyman [Wed, 18 Apr 2018 05:04:23 +0000 (08:04 +0300)]
Merge pull request #1750 from sotux/i18n_zh_cn

luci-base: zh_CN: update Simplified Chinese translation

6 years agoluci-base: zh_CN: update Simplified Chinese translation 1750/head
Qian Zheng [Thu, 12 Apr 2018 01:31:18 +0000 (09:31 +0800)]
luci-base: zh_CN: update Simplified Chinese translation

Signed-off-by: Zheng Qian <sotux82@gmail.com>
6 years agocontrib: package liblucihttp
Jo-Philipp Wich [Sat, 14 Apr 2018 16:47:51 +0000 (18:47 +0200)]
contrib: package liblucihttp

Package liblucihttp, a utility library providing HTTP parsing and data
decoding helpers.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-app-openvpn: properly parse low PIDs
Jo-Philipp Wich [Fri, 13 Apr 2018 12:45:02 +0000 (14:45 +0200)]
luci-app-openvpn: properly parse low PIDs

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoMerge pull request #1744 from dibdot/mwan-fix
Hannu Nyman [Wed, 11 Apr 2018 05:53:16 +0000 (08:53 +0300)]
Merge pull request #1744 from dibdot/mwan-fix

luci-app-mwan3: bugfix

6 years agoluci-app-mwan3: bugfix 1744/head
Dirk Brenken [Tue, 10 Apr 2018 19:38:07 +0000 (21:38 +0200)]
luci-app-mwan3: bugfix

* two more luci.model.uci fixes for #1743

Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years agoi18n: sync translations, cleanup
Hannu Nyman [Tue, 10 Apr 2018 15:21:09 +0000 (18:21 +0300)]
i18n: sync translations, cleanup

* sync translations
* clean-up old strings from adblock

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
6 years agoMerge pull request #1742 from fantom-x/dhcp_cachesize_max
Hannu Nyman [Tue, 10 Apr 2018 14:36:29 +0000 (17:36 +0300)]
Merge pull request #1742 from fantom-x/dhcp_cachesize_max

luci-mod-admin-full: limit dns cachesize to 10000

6 years agoluci-base: fix rendering of 404 HTML error template
Jo-Philipp Wich [Tue, 10 Apr 2018 10:03:15 +0000 (12:03 +0200)]
luci-base: fix rendering of 404 HTML error template

This 404 error template rendering has been broken for a long time due to bad
function environment level in luci.template when invoking the rendering from
the toplevel dispatcher context.

Fix this issue by adding a local function indirection, essentially adding an
additional stack frame.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: error404: do not access request env directly
Jo-Philipp Wich [Tue, 10 Apr 2018 10:01:39 +0000 (12:01 +0200)]
luci-base: error404: do not access request env directly

Instead of attempting to access the request environment directly (which does
not work anyway using the CGI SGI), use the already sanitized
dispatcher.context.request property to print out the not found url.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: don't propagate null bytes in path information
Jo-Philipp Wich [Tue, 10 Apr 2018 09:38:29 +0000 (11:38 +0200)]
luci-base: don't propagate null bytes in path information

It is possible to inject unescaped markup using a double encoded null byte
via PATH_INFO on certain leaf nodes.

Since there is no legitimate reason to handle null bytes in any part of the
requested url, simply skip over such bytes when parsing the PATH_INFO value.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: add urldecode() and urlencode() C implementations
Jo-Philipp Wich [Mon, 9 Apr 2018 07:47:40 +0000 (09:47 +0200)]
luci-base: add urldecode() and urlencode() C implementations

The C implementations of urlencode and urldecode are considerably faster
than their current Lua counterparts.

On an AMD Geode system, the C variant is up to ten times faster when
decoding strings and up to four times faster when encoding them.

The functions are also designed to only allocate new strings when any
actual changes are required, otherwise they reuse the existing input
strings, reducing the overal memory usage somewhat.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-mod-admin-full: limit dns cachesize to 10000 1742/head
Marc Benoit [Tue, 10 Apr 2018 00:47:32 +0000 (20:47 -0400)]
luci-mod-admin-full: limit dns cachesize to 10000

The value of cachesize is hardcoded to 10000 in
dnsmasq-2.79/src/option.c to 10000 max

    case 'c':  /* --cache-size */
      {
        int size;

        if (!atoi_check(arg, &size))
          ret_err(gen_err);
        else
          {
            /* zero is OK, and means no caching. */

            if (size < 0)
              size = 0;
            else if (size > 10000)
              size = 10000;

            daemon->cachesize = size;
          }
        break;
      }

Tested on Netgear R7800
Signed-off-by: Marc Benoit <marcb62185@gmail.com>
6 years agoMerge pull request #1741 from dibdot/mwan-fix
Hannu Nyman [Mon, 9 Apr 2018 14:33:21 +0000 (17:33 +0300)]
Merge pull request #1741 from dibdot/mwan-fix

luci-app-mwan3: bugfix

6 years agoluci-mod-admin-full: allow setting dns cachesize
Marc Benoit [Mon, 9 Apr 2018 14:17:02 +0000 (17:17 +0300)]
luci-mod-admin-full: allow setting dns cachesize

In the case of more powerful routers the default
cachesize value == 150 is too small and can easily
be extended to 1,000's and 10,000's of entries.
It makes sense to make it easy configurable.

Tested on Netgear R7800

Signed-off-by: Marc Benoit <marcb62185@gmail.com>
Fix whitespace, edit the proposed help text.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
6 years agoluci-app-mwan3: bugfix 1741/head
Dirk Brenken [Mon, 9 Apr 2018 13:50:21 +0000 (15:50 +0200)]
luci-app-mwan3: bugfix

* make use of luci.model.uci to fix #1740

Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years agoluci-base: consider empty parameters as well when testing POST requirement
Jo-Philipp Wich [Mon, 9 Apr 2018 05:04:38 +0000 (07:04 +0200)]
luci-base: consider empty parameters as well when testing POST requirement

The cbi class will react on an empty "cbi.submit" parameter as well so we
must intercept GET requests using that too.

Fixes 186e690c0 ("luci-base: dispatcher: reject non-POST requests with any cbi.submit value")

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoi18n: sync translations
Hannu Nyman [Sun, 8 Apr 2018 17:38:30 +0000 (20:38 +0300)]
i18n: sync translations

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
6 years agotimezone data: update to 2018d
Hannu Nyman [Sat, 7 Apr 2018 20:21:19 +0000 (23:21 +0300)]
timezone data: update to 2018d

Update timezone data to 2018d

http://mm.icann.org/pipermail/tz-announce/2018-March/000049.html

  In 2018, Palestine starts DST on March 24, not March 31.
     Adjust future predictions accordingly.
  Casey Station in Antarctica changed from +11 to +08

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
6 years agoluci-app-advanced-reboot: remove explicit libuci requirement
Jo-Philipp Wich [Sat, 7 Apr 2018 12:42:29 +0000 (14:42 +0200)]
luci-app-advanced-reboot: remove explicit libuci requirement

Rewrite affected code to use luci.model.uci in order to avoid the need for
using libuci-lua directly.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-app-vpnbypass: remove explicit libuci requirement
Jo-Philipp Wich [Sat, 7 Apr 2018 12:40:44 +0000 (14:40 +0200)]
luci-app-vpnbypass: remove explicit libuci requirement

There is no direct user of the libuci-lua api, just some commented out code.
Rewrite the commented code to use the Map's uci cursor and remove the
explicit require.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: fix luci.model.uci.get_first()
Jo-Philipp Wich [Sat, 7 Apr 2018 12:09:18 +0000 (14:09 +0200)]
luci-base: fix luci.model.uci.get_first()

Properly propagate the config parameter to the foreach iterator in order
to fix get_first() lookups.

Fixes #1734.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoMerge pull request #1733 from stangri/master
Hannu Nyman [Sat, 7 Apr 2018 11:25:07 +0000 (14:25 +0300)]
Merge pull request #1733 from stangri/master

luci-app-advanced-reboot & luci-app-vpnbypass: fix uci require for ma…

6 years agoluci-app-advanced-reboot & luci-app-vpnbypass: fix uci require for master 1733/head
Stan Grishin [Sat, 7 Apr 2018 11:14:58 +0000 (04:14 -0700)]
luci-app-advanced-reboot & luci-app-vpnbypass: fix uci require for master

Signed-off-by: Stan Grishin <stangri@melmac.net>
6 years agoluci-base: escape path strings and field parameter
Jo-Philipp Wich [Sat, 7 Apr 2018 09:43:44 +0000 (11:43 +0200)]
luci-base: escape path strings and field parameter

Prevent various XSS vectors by not interpolating field and path values
verbatim into script and html contexts.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-app-openvpn: quote grep expression in getPID()
Jo-Philipp Wich [Fri, 6 Apr 2018 21:37:38 +0000 (23:37 +0200)]
luci-app-openvpn: quote grep expression in getPID()

Fixes c0d9c4f3c ("treewide: filter shell arguments through shellquote() where applicable")

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-app-mwan: fix translation fallout
Hannu Nyman [Fri, 6 Apr 2018 20:28:41 +0000 (23:28 +0300)]
luci-app-mwan: fix translation fallout

Partially fix the fallout from the recent string changes.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
6 years agoMerge pull request #1727 from TDT-AG/pr/20180406-luci-app-mwan3-changes
Hannu Nyman [Fri, 6 Apr 2018 19:39:39 +0000 (22:39 +0300)]
Merge pull request #1727 from TDT-AG/pr/20180406-luci-app-mwan3-changes

luci-app-mwan3: fix translation and update defaults

6 years agoMerge pull request #1730 from dibdot/travelmate
Dirk Brenken [Fri, 6 Apr 2018 16:37:33 +0000 (18:37 +0200)]
Merge pull request #1730 from dibdot/travelmate

luci-app-travelmate: bring back cbi element to wifi_add.lua

6 years agoluci-app-travelmate: bring back cbi element to wifi_add.lua 1730/head
Dirk Brenken [Fri, 6 Apr 2018 16:34:41 +0000 (18:34 +0200)]
luci-app-travelmate: bring back cbi element to wifi_add.lua

b00b676 fixed the cbi initialization for SimpleForm, therefore bring
  back "Ignore BSSID" flag with dependent input field

Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years agoluci-base: properly initialize cbi.js on SimpleForms
Jo-Philipp Wich [Fri, 6 Apr 2018 14:39:39 +0000 (16:39 +0200)]
luci-base: properly initialize cbi.js on SimpleForms

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-app-mwan3: show default values in interface page if config is not found 1727/head
Florian Eckert [Thu, 5 Apr 2018 12:36:54 +0000 (14:36 +0200)]
luci-app-mwan3: show default values in interface page if config is not found

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
6 years agoluci-app-mwan3: update translations
Florian Eckert [Thu, 5 Apr 2018 09:25:33 +0000 (11:25 +0200)]
luci-app-mwan3: update translations

Update hint in the interface page.
Update hint in the policy page.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
6 years agoluci-mod-admin-full: dispatch SimpleForm models using the form() action
Jo-Philipp Wich [Fri, 6 Apr 2018 10:10:16 +0000 (12:10 +0200)]
luci-mod-admin-full: dispatch SimpleForm models using the form() action

This fixes issues dicovered by check-controllers.sh

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-mod-freifunk: dispatch SimpleForm model using the form() action
Jo-Philipp Wich [Fri, 6 Apr 2018 10:06:02 +0000 (12:06 +0200)]
luci-mod-freifunk: dispatch SimpleForm model using the form() action

This fixes issues dicovered by check-controllers.sh

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-app-dnscrypt-proxy: dispatch SimpleForm models using the form() action
Jo-Philipp Wich [Fri, 6 Apr 2018 10:04:01 +0000 (12:04 +0200)]
luci-app-dnscrypt-proxy: dispatch SimpleForm models using the form() action

This fixes issues dicovered by check-controllers.sh

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-app-wol: dispatch SimpleForm model using the form() action
Jo-Philipp Wich [Fri, 6 Apr 2018 09:53:59 +0000 (11:53 +0200)]
luci-app-wol: dispatch SimpleForm model using the form() action

This fixes issues dicovered by check-controllers.sh

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-app-firewall: dispatch SimpleForm model using the form() action
Jo-Philipp Wich [Fri, 6 Apr 2018 09:52:36 +0000 (11:52 +0200)]
luci-app-firewall: dispatch SimpleForm model using the form() action

This fixes issues dicovered by check-controllers.sh

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-app-unbound: dispatch SimpleForm models using the form() action
Jo-Philipp Wich [Fri, 6 Apr 2018 09:45:26 +0000 (11:45 +0200)]
luci-app-unbound: dispatch SimpleForm models using the form() action

This fixes issues dicovered by check-controllers.sh

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: emit a warning if cbi() delegates a SimpleForm instance
Jo-Philipp Wich [Fri, 6 Apr 2018 10:07:01 +0000 (12:07 +0200)]
luci-base: emit a warning if cbi() delegates a SimpleForm instance

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agobuild: add check-controller.sh, a utility to test controller files
Jo-Philipp Wich [Fri, 6 Apr 2018 09:40:19 +0000 (11:40 +0200)]
build: add check-controller.sh, a utility to test controller files

The main purpose of the script is to check if the module declaration
matches and if associated cbi resources are properly referenced.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-app-mwan3: fix legacy uci api usage
Jo-Philipp Wich [Fri, 6 Apr 2018 07:35:39 +0000 (09:35 +0200)]
luci-app-mwan3: fix legacy uci api usage

Explicitely require libuci-lua in model classes that use legacy /var/state
cursor handling.

Also add a specific dependency on libuci-lua to the luci-app-mwan3
Makefile in preparation of the upcoming default removal of libuci-lua.

Finally fix the post data dispatching on the notification tab, see #1722
for reference.

Fixes #1726.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: implement luci.model.uci.get_state()
Jo-Philipp Wich [Fri, 6 Apr 2018 07:24:36 +0000 (09:24 +0200)]
luci-base: implement luci.model.uci.get_state()

Introduce a get_state() function which can be used to access legacy
uci state variables. This is usually not needed anymore but some
packages (mainly mwan3) still rely on this.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-proto-ipv6: clarify 6in4 local address hint
Jo-Philipp Wich [Fri, 6 Apr 2018 06:48:26 +0000 (08:48 +0200)]
luci-proto-ipv6: clarify 6in4 local address hint

Make the hint message more explicit to tell users that the prefix size needs
to be specified as well.

Fixes #1559.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-mod-rpc: rework authentication and session handling
Jo-Philipp Wich [Fri, 6 Apr 2018 05:56:56 +0000 (07:56 +0200)]
luci-mod-rpc: rework authentication and session handling

 - Use the ubus session.login procedure to authenticate credentials
 - Fix testing of allowed usernames
 - Support authentication via sysauth cookie

Fixes #1300, #1700, #1711

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-mod-admin-full: fix request path access in uci controller
Jo-Philipp Wich [Fri, 6 Apr 2018 04:58:32 +0000 (06:58 +0200)]
luci-mod-admin-full: fix request path access in uci controller

Fixes #1725
Fixes 731ed77c0 ("treewide: improve handling of page redirections in uci change views")

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-mod-admin-full: escape display parameter
Jo-Philipp Wich [Thu, 5 Apr 2018 21:00:46 +0000 (23:00 +0200)]
luci-mod-admin-full: escape display parameter

Prevent reflected XSS through the reset button by url encoding the
display parameter.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agotreewide: improve handling of page redirections in uci change views
Jo-Philipp Wich [Thu, 5 Apr 2018 20:37:37 +0000 (22:37 +0200)]
treewide: improve handling of page redirections in uci change views

Instead of passing the full LuCI request url, pass the relative resolved
request path instead and filter the received value through the lookup()
dispatcher function to only allow paths to actual internal pages.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: introduce luci.dispatcher.lookup()
Jo-Philipp Wich [Thu, 5 Apr 2018 19:58:41 +0000 (21:58 +0200)]
luci-base: introduce luci.dispatcher.lookup()

The lookup function takes multiple, possibly malformed path fragments,
splits them on slashes, constructs a temporary path and looks up the
result in the dispatch tree.

If a matching node has been found, the function will return both the
node reference and the canonical url to it.

If no corresponding node is found, the function returns nil.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoMerge pull request #1723 from dibdot/travelmate
Dirk Brenken [Thu, 5 Apr 2018 20:42:14 +0000 (22:42 +0200)]
Merge pull request #1723 from dibdot/travelmate

luci-app-travelmate: bugfixes

6 years agoluci-app-travelmate: bugfixes 1723/head
Dirk Brenken [Thu, 5 Apr 2018 20:39:46 +0000 (22:39 +0200)]
luci-app-travelmate: bugfixes

* use the form() action to invoke the SimpleForm models
* fix 'wifi_add' input form

Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years agoluci-app-adblock: fix SimpleForm page delegation
Jo-Philipp Wich [Thu, 5 Apr 2018 17:21:50 +0000 (19:21 +0200)]
luci-app-adblock: fix SimpleForm page delegation

Invoke the SimpleForm models using the form() action, not the cbi() ones.
This avoids the extraneous rendering of the cbi header template, avoiding
rejected save operations due to duplicated token value.

Fixes #1722.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoMerge pull request #1718 from dibdot/travelmate
Dirk Brenken [Thu, 5 Apr 2018 12:43:53 +0000 (14:43 +0200)]
Merge pull request #1718 from dibdot/travelmate

luci-app-travelmate: sync with travelmate 1.2.0

6 years agoMerge pull request #1709 from dibdot/get_interface-fix
Jo-Philipp Wich [Thu, 5 Apr 2018 07:49:49 +0000 (09:49 +0200)]
Merge pull request #1709 from dibdot/get_interface-fix

luci-base/network.lua: fix get_interface function

6 years agotreewide: filter shell arguments through shellquote() where applicable
Jo-Philipp Wich [Thu, 5 Apr 2018 07:32:22 +0000 (09:32 +0200)]
treewide: filter shell arguments through shellquote() where applicable

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: introduce luci.util.shellquote()
Jo-Philipp Wich [Thu, 5 Apr 2018 07:29:38 +0000 (09:29 +0200)]
luci-base: introduce luci.util.shellquote()

Introduce a new function luci.util.shellquote() which encloses the given
string argument in single quotes and escapes any embedded single quote
characters.

This function is intended to be used when interpolating untrusted input
into shell commands.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-mod-admin-full: fix possible shell injection in bandwith status
Jo-Philipp Wich [Wed, 4 Apr 2018 22:33:09 +0000 (00:33 +0200)]
luci-mod-admin-full: fix possible shell injection in bandwith status

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: fix possible shell injection in luci.tools.status.switch_status()
Jo-Philipp Wich [Wed, 4 Apr 2018 22:32:28 +0000 (00:32 +0200)]
luci-base: fix possible shell injection in luci.tools.status.switch_status()

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: dispatcher: reject non-POST requests with any cbi.submit value
Jo-Philipp Wich [Wed, 4 Apr 2018 22:15:22 +0000 (00:15 +0200)]
luci-base: dispatcher: reject non-POST requests with any cbi.submit value

Due to the fact that luci.model.cbi reacts on any "cbi.submit" value while
the dispatcher only required POST for cbi.submit == 1, the CSRF token
protection could be bypassed.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-app-freifunk-diagnostics: use FULL_REQUEST_URI
Jo-Philipp Wich [Wed, 4 Apr 2018 21:32:44 +0000 (23:32 +0200)]
luci-app-freifunk-diagnostics: use FULL_REQUEST_URI

Switch from using the REQUEST_URI CGI variable directly to the canonicalized
FULL_REQUEST_URI property.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-app-commands: use FULL_REQUEST_URI
Jo-Philipp Wich [Wed, 4 Apr 2018 21:32:23 +0000 (23:32 +0200)]
luci-app-commands: use FULL_REQUEST_URI

Switch from using the REQUEST_URI CGI variable directly to the canonicalized
FULL_REQUEST_URI property.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: use FULL_REQUEST_URI on login form templates
Jo-Philipp Wich [Wed, 4 Apr 2018 21:30:49 +0000 (23:30 +0200)]
luci-base: use FULL_REQUEST_URI on login form templates

Switch from using the REQUEST_URI CGI variable directly to the canonicalized
FULL_REQUEST_URI property.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: add FULL_REQUEST_URI template property
Jo-Philipp Wich [Wed, 4 Apr 2018 21:24:31 +0000 (23:24 +0200)]
luci-base: add FULL_REQUEST_URI template property

Introduce a new template property FULL_REQUEST_URI which returns the full
canonicalized request URL built from SCRIPT_NAME, PATH_INFO and QUERY_STRING.

This new property is safer to use compared to using the raw REQUEST_URI CGI
environment variable directly as this value is essentially untrusted user
input which may contain embedded escaped slashes, double forward slashes and
other oddities allowing XSS exploitation or request redirection.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-mod-admin-full: use strict hostname validation for dhcp hosts
Jo-Philipp Wich [Thu, 22 Mar 2018 08:52:55 +0000 (09:52 +0100)]
luci-mod-admin-full: use strict hostname validation for dhcp hosts

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: add a strict flag to the hostname validator
Jo-Philipp Wich [Thu, 22 Mar 2018 08:49:52 +0000 (09:49 +0100)]
luci-base: add a strict flag to the hostname validator

Some applications, e.g. dnsmasq, do not allow hostnames starting with an
underscore, therefor extend the existing hostname datatype validator with
a `strict` which disallows a leading underscore.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-base: switch to ubus uci operations
Jo-Philipp Wich [Wed, 14 Mar 2018 00:23:50 +0000 (01:23 +0100)]
luci-base: switch to ubus uci operations

Switch luci.model.uci to use ubus uci calls instead of driving libuci-lua
directly.

This prepares support for more advanced features such as per-session change
isolation and configuration rollback on errors.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoluci-app-travelmate: sync with travelmate 1.2.0 1718/head
Dirk Brenken [Wed, 4 Apr 2018 12:19:23 +0000 (14:19 +0200)]
luci-app-travelmate: sync with travelmate 1.2.0

* remove needless 'automatic' and 'trigger' options plus small fixes

Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years agoMerge pull request #1715 from TDT-AG/pr/20180403-luci-app-mwan3-update
Hannu Nyman [Tue, 3 Apr 2018 14:43:57 +0000 (17:43 +0300)]
Merge pull request #1715 from TDT-AG/pr/20180403-luci-app-mwan3-update

luci-app-mwan3: fixes and improvments

6 years agoluci-app-mwan3: remove unnecessary 'tracking active' hint 1715/head
Florian Eckert [Tue, 3 Apr 2018 11:21:49 +0000 (13:21 +0200)]
luci-app-mwan3: remove unnecessary 'tracking active' hint

Remove the unnecessary 'tracking active' hint from the status interface
page.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
6 years agoluci-app-mwan3: remove diag-rc-legend field id
Florian Eckert [Tue, 3 Apr 2018 11:16:44 +0000 (13:16 +0200)]
luci-app-mwan3: remove diag-rc-legend field id

On the material theme the "Collecting data" hint in the status pages
was still present on the page even though the command was sucessfull executed.

Remove the legend tag and move the info "Collecting data" to the
"diag-rc-output" tag will solve this issue.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
6 years agoluci-app-mwan3: calculate max interface usage from mmx_mask value
Florian Eckert [Tue, 3 Apr 2018 09:43:52 +0000 (11:43 +0200)]
luci-app-mwan3: calculate max interface usage from mmx_mask value

Show max interface value on interface page dependent on the mmx_mask
value

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
6 years agoluci-base: zh_CN: update Simplified Chinese translation
Qian Zheng [Mon, 2 Apr 2018 00:46:50 +0000 (08:46 +0800)]
luci-base: zh_CN: update Simplified Chinese translation

Signed-off-by: Qian Zheng <sotux82@gmail.com>
6 years agoluci-base/network.lua: fix get_interface function 1709/head
Dirk Brenken [Sat, 31 Mar 2018 05:06:52 +0000 (07:06 +0200)]
luci-base/network.lua: fix get_interface function

* fix wrong private function call to handle
  section id as parameter (fix for #1687)

Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years agoMerge pull request #1706 from musashino205/l10n/tmate-upd-ja
Hannu Nyman [Thu, 29 Mar 2018 13:41:47 +0000 (16:41 +0300)]
Merge pull request #1706 from musashino205/l10n/tmate-upd-ja

luci-app-travelmate: update Japanese translation

6 years agoluci-app-travelmate: update Japanese translation 1706/head
INAGAKI Hiroshi [Thu, 29 Mar 2018 04:13:38 +0000 (13:13 +0900)]
luci-app-travelmate: update Japanese translation

Updated Japanese translations.

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
6 years agoi18n: sync translations
INAGAKI Hiroshi [Thu, 29 Mar 2018 03:51:13 +0000 (12:51 +0900)]
i18n: sync translations

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
6 years agoMerge pull request #1703 from dibdot/travelmate
Dirk Brenken [Wed, 28 Mar 2018 09:22:15 +0000 (11:22 +0200)]
Merge pull request #1703 from dibdot/travelmate

luci-app-travelmate: made "ignore bssid" flag conditional

6 years agoMerge pull request #1704 from TDT-AG/pr/20180328-luci-app-mwan3-fixes
Dirk Brenken [Wed, 28 Mar 2018 09:21:56 +0000 (11:21 +0200)]
Merge pull request #1704 from TDT-AG/pr/20180328-luci-app-mwan3-fixes

luci-app-mwan3: fix syntax error and update notify page

6 years agoluci-app-mwan3: update notify info 1704/head
Florian Eckert [Wed, 28 Mar 2018 07:17:34 +0000 (09:17 +0200)]
luci-app-mwan3: update notify info

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
6 years agoluci-app-mwan3: fix strict XHTML syntax error
Florian Eckert [Wed, 28 Mar 2018 07:17:13 +0000 (09:17 +0200)]
luci-app-mwan3: fix strict XHTML syntax error

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
6 years agoluci-app-travelmate: made "ignore bssid" flag conditional 1703/head
Dirk Brenken [Wed, 28 Mar 2018 07:22:19 +0000 (09:22 +0200)]
luci-app-travelmate: made "ignore bssid" flag conditional

* made the "ignore bssid" flag conditional to ease connection
  to hidden networks:
    * default for hidden networks "disabled"
    * default for all others "enabled"

Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years agoMerge pull request #1697 from TDT-AG/pr/20180323-luci-base-fix-tblsection
Dirk Brenken [Tue, 27 Mar 2018 20:45:57 +0000 (22:45 +0200)]
Merge pull request #1697 from TDT-AG/pr/20180323-luci-base-fix-tblsection

luci-base: add missing colspan in tblsection if table is empty

6 years agoluci-base: fix colspans calculation in tblsection 1697/head
Florian Eckert [Wed, 14 Mar 2018 15:03:55 +0000 (16:03 +0100)]
luci-base: fix colspans calculation in tblsection

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
6 years agoMerge pull request #1701 from SvenRoederer/patch-2
Hannu Nyman [Mon, 26 Mar 2018 18:03:50 +0000 (21:03 +0300)]
Merge pull request #1701 from SvenRoederer/patch-2

wireguard: add dependency to luci-proto-wireguard

6 years agowireguard: add dependency to luci-proto-wireguard 1701/head
Sven Roederer [Mon, 26 Mar 2018 17:15:25 +0000 (19:15 +0200)]
wireguard: add dependency to luci-proto-wireguard

Installing luci-app-wireguard should also install luci-proto-wireguard, to have it as an protocol for interface setup.

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>