From 4fb73b3febd0b368bee39c361dd58d56fb1829ca Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Wed, 7 Aug 2013 16:46:13 +0200 Subject: [PATCH] ubus: move sid into the params array of the json-rpc request to avoid information leakage via the post url --- ubus.c | 40 +++++++++++++++------------------------- uhttpd.h | 1 - 2 files changed, 15 insertions(+), 26 deletions(-) diff --git a/ubus.c b/ubus.c index 307daaa..8129c20 100644 --- a/ubus.c +++ b/ubus.c @@ -63,6 +63,7 @@ static const struct blobmsg_policy ses_policy[__SES_MAX] = { struct rpc_data { struct blob_attr *id; + const char *sid; const char *method; const char *object; const char *function; @@ -353,12 +354,13 @@ static void uh_ubus_send_list(struct client *cl, json_object *obj, struct blob_a static bool parse_json_rpc(struct rpc_data *d, struct blob_attr *data) { const struct blobmsg_policy data_policy[] = { + { .type = BLOBMSG_TYPE_STRING }, { .type = BLOBMSG_TYPE_STRING }, { .type = BLOBMSG_TYPE_STRING }, { .type = BLOBMSG_TYPE_TABLE }, }; struct blob_attr *tb[__RPC_MAX]; - struct blob_attr *tb2[3]; + struct blob_attr *tb2[4]; struct blob_attr *cur; blobmsg_parse(rpc_policy, __RPC_MAX, tb, blob_data(data), blob_len(data)); @@ -386,12 +388,18 @@ static bool parse_json_rpc(struct rpc_data *d, struct blob_attr *data) blobmsg_data(d->params), blobmsg_data_len(d->params)); if (tb2[0]) - d->object = blobmsg_data(tb2[0]); + d->sid = blobmsg_data(tb2[0]); + + if (conf.ubus_noauth && (!d->sid || !*d->sid)) + d->sid = UH_UBUS_DEFAULT_SID; if (tb2[1]) - d->function = blobmsg_data(tb2[1]); + d->object = blobmsg_data(tb2[1]); + + if (tb2[2]) + d->function = blobmsg_data(tb2[2]); - d->data = tb2[2]; + d->data = tb2[3]; return true; } @@ -462,7 +470,7 @@ static void uh_ubus_handle_request_object(struct client *cl, struct json_object goto error; if (!strcmp(data.method, "call")) { - if (!data.object || !data.function || !data.data) + if (!data.sid || !data.object || !data.function || !data.data) goto error; du->func = data.function; @@ -471,7 +479,7 @@ static void uh_ubus_handle_request_object(struct client *cl, struct json_object goto error; } - if (!conf.ubus_noauth && !uh_ubus_allowed(du->sid, data.object, data.function)) { + if (!conf.ubus_noauth && !uh_ubus_allowed(data.sid, data.object, data.function)) { err = ERROR_ACCESS; goto error; } @@ -549,27 +557,10 @@ error: static void uh_ubus_handle_request(struct client *cl, char *url, struct path_info *pi) { struct dispatch *d = &cl->dispatch; - char *sid, *sep; blob_buf_init(&buf, 0); - if (conf.ubus_noauth) { - sid = UH_UBUS_DEFAULT_SID; - } - else { - url += strlen(conf.ubus_prefix); - while (*url == '/') - url++; - - sep = strchr(url, '/'); - if (sep) - *sep = 0; - - sid = url; - } - - if (strlen(sid) != 32 || - cl->request.method != UH_HTTP_MSG_POST) + if (cl->request.method != UH_HTTP_MSG_POST) return ops->client_error(cl, 400, "Bad Request", "Invalid Request"); d->close_fds = uh_ubus_close_fds; @@ -577,7 +568,6 @@ static void uh_ubus_handle_request(struct client *cl, char *url, struct path_inf d->data_send = uh_ubus_data_send; d->data_done = uh_ubus_data_done; d->ubus.jstok = json_tokener_new(); - d->ubus.sid = sid; } static bool diff --git a/uhttpd.h b/uhttpd.h index 0137eef..b289a24 100644 --- a/uhttpd.h +++ b/uhttpd.h @@ -187,7 +187,6 @@ struct dispatch_ubus { struct json_object *jsobj_cur; int post_len; - const char *sid; uint32_t obj; const char *func; -- 2.25.1