From 731ed77c0bbee7004a6b5645d9a8592a76748a1c Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich <jo@mein.io>
Date: Thu, 5 Apr 2018 22:37:37 +0200
Subject: [PATCH] treewide: improve handling of page redirections in uci change
 views

Instead of passing the full LuCI request url, pass the relative resolved
request path instead and filter the received value through the lookup()
dispatcher function to only allow paths to actual internal pages.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
---
 .../luasrc/controller/admin/uci.lua                  |  3 +--
 .../luasrc/view/admin_uci/changes.htm                |  4 ++--
 .../luasrc/view/admin_uci/revert.htm                 | 12 +++++++-----
 .../luasrc/view/themes/bootstrap/header.htm          |  2 +-
 .../luasrc/view/themes/freifunk-generic/header.htm   |  2 +-
 .../luasrc/view/themes/material/header.htm           |  2 +-
 .../luasrc/view/themes/openwrt.org/header.htm        |  2 +-
 7 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/modules/luci-mod-admin-full/luasrc/controller/admin/uci.lua b/modules/luci-mod-admin-full/luasrc/controller/admin/uci.lua
index 9c33d9c18b..c3bf668521 100644
--- a/modules/luci-mod-admin-full/luasrc/controller/admin/uci.lua
+++ b/modules/luci-mod-admin-full/luasrc/controller/admin/uci.lua
@@ -5,8 +5,7 @@
 module("luci.controller.admin.uci", package.seeall)
 
 function index()
-	local redir = luci.http.formvalue("redir", true) or
-	  luci.dispatcher.build_url(unpack(luci.dispatcher.context.request))
+	local redir = luci.http.formvalue("redir", true) or table.concat(disp.context.request, "/")
 
 	entry({"admin", "uci"}, nil, _("Configuration"))
 	entry({"admin", "uci", "changes"}, call("action_changes"), _("Changes"), 40).query = {redir=redir}
diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_uci/changes.htm b/modules/luci-mod-admin-full/luasrc/view/admin_uci/changes.htm
index c3373604f3..6e725c8888 100644
--- a/modules/luci-mod-admin-full/luasrc/view/admin_uci/changes.htm
+++ b/modules/luci-mod-admin-full/luasrc/view/admin_uci/changes.htm
@@ -16,9 +16,9 @@
 <% end %>
 
 <div class="cbi-page-actions">
-	<% local r = luci.http.formvalue("redir"); if r and #r > 0 then %>
+	<% local node, url = luci.dispatcher.lookup(luci.http.formvalue("redir")); if url then %>
 	<div style="float:left">
-		<form class="inline" method="get" action="<%=luci.util.pcdata(r)%>">
+		<form class="inline" method="get" action="<%=luci.util.pcdata(url)%>">
 			<input class="cbi-button cbi-button-link" style="float:left; margin:0" type="submit" value="<%:Back%>" />
 		</form>
 	</div>
diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_uci/revert.htm b/modules/luci-mod-admin-full/luasrc/view/admin_uci/revert.htm
index 5da7281a80..20327adff3 100644
--- a/modules/luci-mod-admin-full/luasrc/view/admin_uci/revert.htm
+++ b/modules/luci-mod-admin-full/luasrc/view/admin_uci/revert.htm
@@ -18,10 +18,12 @@
 	<p><strong><%:There are no pending changes to revert!%></strong></p>
 <% end %>
 
-<div class="cbi-page-actions">
-	<form class="inline" method="get" action="<%=luci.util.pcdata(luci.http.formvalue("redir"))%>">
-		<input class="cbi-button cbi-button-link" style="margin:0" type="submit" value="<%:Back%>" />
-	</form>
-</div>
+<% local node, url = luci.dispatcher.lookup(luci.http.formvalue("redir")); if url then %>
+	<div class="cbi-page-actions">
+		<form class="inline" method="get" action="<%=luci.util.pcdata(url)%>">
+			<input class="cbi-button cbi-button-link" style="margin:0" type="submit" value="<%:Back%>" />
+		</form>
+	</div>
+<% end %>
 
 <%+footer%>
diff --git a/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm b/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm
index 78b98e0355..0441c9583e 100644
--- a/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm
+++ b/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm
@@ -147,7 +147,7 @@
 			if ucichanges > 0 then
 				write('<a class="label notice" href="%s?redir=%s">%s: %d</a>' %{
 					url(category, 'uci/changes'),
-					http.urlencode(http.formvalue('redir') or REQUEST_URI),
+					http.urlencode(http.formvalue('redir') or table.concat(disp.context.request, "/")),
 					translate('Unsaved Changes'),
 					ucichanges
 				})
diff --git a/themes/luci-theme-freifunk-generic/luasrc/view/themes/freifunk-generic/header.htm b/themes/luci-theme-freifunk-generic/luasrc/view/themes/freifunk-generic/header.htm
index 342a9d4088..8185655285 100644
--- a/themes/luci-theme-freifunk-generic/luasrc/view/themes/freifunk-generic/header.htm
+++ b/themes/luci-theme-freifunk-generic/luasrc/view/themes/freifunk-generic/header.htm
@@ -205,7 +205,7 @@ if tree.nodes[category] and tree.nodes[category].ucidata then
 -%>
 	<div id="savemenu">
 		<% if ucic > 0 then %>
-			<a class="warning" href="<%=controller%>/<%=category%>/uci/changes/?redir=<%=http.urlencode(http.formvalue("redir") or REQUEST_URI)%>"><%:Unsaved Changes%>: <%=ucic%></a>
+			<a class="warning" href="<%=controller%>/<%=category%>/uci/changes/?redir=<%=http.urlencode(http.formvalue('redir') or table.concat(disp.context.request, "/"))%>"><%:Unsaved Changes%>: <%=ucic%></a>
 		<% end -%>
 	</div>
 <% end %>
diff --git a/themes/luci-theme-material/luasrc/view/themes/material/header.htm b/themes/luci-theme-material/luasrc/view/themes/material/header.htm
index d84fd278a2..be7b9ffb85 100644
--- a/themes/luci-theme-material/luasrc/view/themes/material/header.htm
+++ b/themes/luci-theme-material/luasrc/view/themes/material/header.htm
@@ -172,7 +172,7 @@
 			if ucichanges > 0 then
 				write('<a class="label notice" href="%s?redir=%s">%s: %d</a>' %{
 					url(category, 'uci/changes'),
-					http.urlencode(http.formvalue('redir') or REQUEST_URI),
+					http.urlencode(http.formvalue('redir') or table.concat(disp.context.request, "/")),
 					translate('Unsaved Changes'),
 					ucichanges
 				})
diff --git a/themes/luci-theme-openwrt/luasrc/view/themes/openwrt.org/header.htm b/themes/luci-theme-openwrt/luasrc/view/themes/openwrt.org/header.htm
index ae348f3856..d6db8e885e 100644
--- a/themes/luci-theme-openwrt/luasrc/view/themes/openwrt.org/header.htm
+++ b/themes/luci-theme-openwrt/luasrc/view/themes/openwrt.org/header.htm
@@ -104,7 +104,7 @@
 			if ucic > 0 then
 				write('<a class="warning" href="%s?redir=%s">%s: %d</a>' %{
 					url(category, 'uci/changes'),
-					http.urlencode(http.formvalue('redir') or REQUEST_URI),
+					http.urlencode(http.formvalue('redir') or table.concat(disp.context.request, "/")),
 					translate('Unsaved Changes'),
 					ucic
 				})
-- 
2.30.2