From 1ee5ba632ab52b5d3af5c88803fee89c8eaf6fe1 Mon Sep 17 00:00:00 2001 From: Steven Barth Date: Mon, 15 Dec 2008 10:40:45 +0000 Subject: [PATCH] Refined urltokens and XSRF protection --- libs/web/luasrc/dispatcher.lua | 25 ++++++++++--------- .../luasrc/controller/admin/index.lua | 3 ++- .../luasrc/controller/mini/index.lua | 3 ++- modules/rpc/luasrc/controller/rpc.lua | 3 ++- 4 files changed, 19 insertions(+), 15 deletions(-) diff --git a/libs/web/luasrc/dispatcher.lua b/libs/web/luasrc/dispatcher.lua index 1fbdb7150c..33b95840a8 100644 --- a/libs/web/luasrc/dispatcher.lua +++ b/libs/web/luasrc/dispatcher.lua @@ -47,7 +47,12 @@ local fi -- @param ... Virtual path -- @return Relative URL function build_url(...) - return context.scriptname .. "/" .. table.concat(arg, "/") + local path = {...} + local sn = http.getenv("SCRIPT_NAME") or "" + for k, v in pairs(context.urltoken) do + sn = sn .. "/;" .. k .. "=" .. http.urlencode(v) + end + return sn .. ((#path > 0) and "/" .. table.concat(path, "/") or "") end --- Send a 404 error code and render the "error404" template if available. @@ -123,7 +128,6 @@ function dispatch(request) --context._disable_memtrace = require "luci.debug".trap_memtrace() local ctx = context ctx.path = request - ctx.scriptname = luci.http.getenv("SCRIPT_NAME") or "" ctx.urltoken = ctx.urltoken or {} require "luci.i18n".setlanguage(require "luci.config".main.lang) @@ -174,11 +178,6 @@ function dispatch(request) end end - for k, v in pairs(token) do - ctx.scriptname = ctx.scriptname .. "/;" .. k .. "=" .. - http.urlencode(v) - end - ctx.path = preq if track.i18n then @@ -202,9 +201,9 @@ function dispatch(request) local viewns = setmetatable({}, {__index=function(table, key) if key == "controller" then - return ctx.scriptname + return build_url() elseif key == "REQUEST_URI" then - return ctx.scriptname .. "/" .. table.concat(ctx.requested, "/") + return build_url(ctx.requested) else return rawget(table, key) or _G[key] end @@ -232,10 +231,11 @@ function dispatch(request) local def = (type(track.sysauth) == "string") and track.sysauth local accs = def and {track.sysauth} or track.sysauth local sess = ctx.authsession - local verifytoken = true + local verifytoken = false if not sess then sess = luci.http.getcookie("sysauth") sess = sess and sess:match("^[A-F0-9]+$") + verifytoken = true end local sdat = sauth.read(sess) @@ -250,12 +250,12 @@ function dispatch(request) if not util.contains(accs, user) then if authen then + ctx.urltoken.stok = nil local user, sess = authen(luci.sys.user.checkpasswd, accs, def) if not user or not util.contains(accs, user) then return else local sid = sess or luci.sys.uniqueid(16) - luci.http.header("Set-Cookie", "sysauth=" .. sid.."; path=/") if not sess then local token = luci.sys.uniqueid(16) sauth.write(sid, util.get_bytecode({ @@ -263,8 +263,9 @@ function dispatch(request) token=token, secret=luci.sys.uniqueid(16) })) - ctx.scriptname = ctx.scriptname .. "/;stok="..token + ctx.urltoken.stok = token end + luci.http.header("Set-Cookie", "sysauth=" .. sid.."; path="..build_url()) ctx.authsession = sid end else diff --git a/modules/admin-full/luasrc/controller/admin/index.lua b/modules/admin-full/luasrc/controller/admin/index.lua index c0322d3a2e..e2b812e8c3 100644 --- a/modules/admin-full/luasrc/controller/admin/index.lua +++ b/modules/admin-full/luasrc/controller/admin/index.lua @@ -53,8 +53,9 @@ function action_logout() local sauth = require "luci.sauth" if dsp.context.authsession then sauth.kill(dsp.context.authsession) + dsp.context.urltoken.stok = nil end - luci.http.header("Set-Cookie", "sysauth=; path=/") + luci.http.header("Set-Cookie", "sysauth=; path=" .. dsp.build_url()) luci.http.redirect(luci.dispatcher.build_url()) end \ No newline at end of file diff --git a/modules/admin-mini/luasrc/controller/mini/index.lua b/modules/admin-mini/luasrc/controller/mini/index.lua index dad6ccfab3..acff55aabb 100644 --- a/modules/admin-mini/luasrc/controller/mini/index.lua +++ b/modules/admin-mini/luasrc/controller/mini/index.lua @@ -44,8 +44,9 @@ function action_logout() local sauth = require "luci.sauth" if dsp.context.authsession then sauth.kill(dsp.context.authsession) + dsp.context.urltoken.stok = nil end - luci.http.header("Set-Cookie", "sysauth=; path=/") + luci.http.header("Set-Cookie", "sysauth=; path=" .. dsp.build_url()) luci.http.redirect(luci.dispatcher.build_url()) end \ No newline at end of file diff --git a/modules/rpc/luasrc/controller/rpc.lua b/modules/rpc/luasrc/controller/rpc.lua index d83c26d455..e0aeb3bf04 100644 --- a/modules/rpc/luasrc/controller/rpc.lua +++ b/modules/rpc/luasrc/controller/rpc.lua @@ -25,7 +25,8 @@ function index() local function authenticator(validator, accs) local auth = luci.http.formvalue("auth", true) if auth then - local user = luci.sauth.read(auth) + local sdat = luci.sauth.read(auth) + user = loadstring(sdat)().user if user and luci.util.contains(accs, user) then return user, auth end -- 2.30.2