From 8bb749ecc3b5f7f836f744f0056e90ac78522926 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Tue, 20 Oct 2015 22:17:23 +0200
Subject: [PATCH] luci-mod-admin-full: protect network post actions with csrf tokens

Signed-off-by: Jo-Philipp Wich
---
 .../luasrc/controller/admin/network.lua | 57 ++++++++-----------
 .../luasrc/view/admin_network/diagnostics.htm | 4 +-
 .../view/admin_network/iface_overview.htm | 14 ++++-
 .../luasrc/view/admin_network/wifi_join.htm | 8 ++-
 .../view/admin_network/wifi_overview.htm | 29 ++++++++--
 5 files changed, 67 insertions(+), 45 deletions(-)

diff --git a/modules/luci-mod-admin-full/luasrc/controller/admin/network.lua b/modules/luci-mod-admin-full/luasrc/controller/admin/network.lua
index 6e578e013..879e54b24 100644
--- a/modules/luci-mod-admin-full/luasrc/controller/admin/network.lua
+++ b/modules/luci-mod-admin-full/luasrc/controller/admin/network.lua
@@ -1,5 +1,5 @@
 -- Copyright 2008 Steven Barth
--- Copyright 2011 Jo-Philipp Wich
+-- Copyright 2011-2015 Jo-Philipp Wich
 -- Licensed to the public under the Apache License 2.0.
 
 module("luci.controller.admin.network", package.seeall)
@@ -43,22 +43,22 @@ function index()
 end)
 
 if has_wifi then
-page = entry({"admin", "network", "wireless_join"}, call("wifi_join"), nil)
+page = entry({"admin", "network", "wireless_join"}, post("wifi_join"), nil)
 page.leaf = true
 
-page = entry({"admin", "network", "wireless_add"}, call("wifi_add"), nil)
+page = entry({"admin", "network", "wireless_add"}, post("wifi_add"), nil)
 page.leaf = true
 
-page = entry({"admin", "network", "wireless_delete"}, call("wifi_delete"), nil)
+page = entry({"admin", "network", "wireless_delete"}, post("wifi_delete"), nil)
 page.leaf = true
 
 page = entry({"admin", "network", "wireless_status"}, call("wifi_status"), nil)
 page.leaf = true
 
-page = entry({"admin", "network", "wireless_reconnect"}, call("wifi_reconnect"), nil)
+page = entry({"admin", "network", "wireless_reconnect"}, post("wifi_reconnect"), nil)
 page.leaf = true
 
-page = entry({"admin", "network", "wireless_shutdown"}, call("wifi_shutdown"), nil)
+page = entry({"admin", "network", "wireless_shutdown"}, post("wifi_shutdown"), nil)
 page.leaf = true
 
 page = entry({"admin", "network", "wireless"}, arcombine(template("admin_network/wifi_overview"), cbi("admin_network/wifi")), _("Wifi"), 15)
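Review bot: `wireless_status` is the one wireless entry left on `call()`; that is right for a read-only status endpoint that the overview page polls over GET, but nothing in the hunk says so, and a later consistency sweep to `post()` would silently break the poll. A short comment on that line, `-- read-only status poll, fetched via GET: must stay call()`, makes the asymmetry deliberate; the same applies to `iface_status` in the iface_* hunk below. Whether `post()` enforces both the POST method and the CSRF token is decided in the dispatcher, outside this file, so that is what a reviewer should confirm rather than this registration list. index() begins and continues outside the hunk.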
@@ -85,16 +85,16 @@ function index()
 page = entry({"admin", "network", "iface_add"}, cbi("admin_network/iface_add"), nil)
 page.leaf = true
 
-page = entry({"admin", "network", "iface_delete"}, call("iface_delete"), nil)
+page = entry({"admin", "network", "iface_delete"}, post("iface_delete"), nil)
 page.leaf = true
 
 page = entry({"admin", "network", "iface_status"}, call("iface_status"), nil)
 page.leaf = true
 
-page = entry({"admin", "network", "iface_reconnect"}, call("iface_reconnect"), nil)
+page = entry({"admin", "network", "iface_reconnect"}, post("iface_reconnect"), nil)
 page.leaf = true
 
-page = entry({"admin", "network", "iface_shutdown"}, call("iface_shutdown"), nil)
+page = entry({"admin", "network", "iface_shutdown"}, post("iface_shutdown"), nil)
 page.leaf = true
 
 page = entry({"admin", "network", "network"}, arcombine(cbi("admin_network/network"), cbi("admin_network/ifaces")), _("Interfaces"), 10)
@@ -138,44 +138,33 @@ function index()
 page.title = _("Diagnostics")
 page.order = 60
 
-page = entry({"admin", "network", "diag_ping"}, call("diag_ping"), nil)
+page = entry({"admin", "network", "diag_ping"}, post("diag_ping"), nil)
 page.leaf = true
 
-page = entry({"admin", "network", "diag_nslookup"}, call("diag_nslookup"), nil)
+page = entry({"admin", "network", "diag_nslookup"}, post("diag_nslookup"), nil)
 page.leaf = true
 
-page = entry({"admin", "network", "diag_traceroute"}, call("diag_traceroute"), nil)
+page = entry({"admin", "network", "diag_traceroute"}, post("diag_traceroute"), nil)
 page.leaf = true
 
-page = entry({"admin", "network", "diag_ping6"}, call("diag_ping6"), nil)
+page = entry({"admin", "network", "diag_ping6"}, post("diag_ping6"), nil)
 page.leaf = true
 
-page = entry({"admin", "network", "diag_traceroute6"}, call("diag_traceroute6"), nil)
+page = entry({"admin", "network", "diag_traceroute6"}, post("diag_traceroute6"), nil)
 page.leaf = true
 -- end
 end
 
 function wifi_join()
-local function param(x)
-return luci.http.formvalue(x)
-end
-
-local function ptable(x)
-x = param(x)
-return x and (type(x) ~= "table" and { x } or x) or {}
-end
-
-local dev = param("device")
-local ssid = param("join")
+local tpl = require "luci.template"
+local http = require "luci.http"
+local dev = http.formvalue("device")
+local ssid = http.formvalue("join")
 
 if dev and ssid then
-local cancel = (param("cancel") or param("cbi.cancel")) and true or false
-
-if cancel then
-luci.http.redirect(luci.dispatcher.build_url("admin/network/wireless_join?device=" .. dev))
-else
+local cancel = (http.formvalue("cancel") or http.formvalue("cbi.cancel"))
+if not cancel then
 local cbi = require "luci.cbi"
-local tpl = require "luci.template"
 local map = luci.cbi.load("admin_network/wifi_add")[1]
 
 if map:parse() ~= cbi.FORM_DONE then
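Review bot: wifi_join now has a three-way flow that its name does not convey and the hunk leaves uncommented: with `device` and `join` submitted and no cancel it parses and renders the wifi_add form, while a cancel, or a plain scan request, falls through to the scan-list template. A header comment such as `-- POST-only. Renders the scan list; when device+join are submitted without cancel, parses/renders the wifi_add form instead.` would spare the next reader from reconstructing this from the early `return`. Dropping the redirect on cancel looks intentional (the entry is now `post()`, so a GET redirect to `wireless_join?device=` could no longer be served), but that reasoning is only inferable here and belongs in the comment too. The rest of the function is in the next hunk.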
@@ -183,10 +172,12 @@ function wifi_join()
 map:render()
 tpl.render("footer")
 end
+
+return
 end
-else
-luci.template.render("admin_network/wifi_join")
 end
+
+tpl.render("admin_network/wifi_join")
 end
 
 function wifi_add()
diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_network/diagnostics.htm b/modules/luci-mod-admin-full/luasrc/view/admin_network/diagnostics.htm
index e06a88deb..685082a33 100644
--- a/modules/luci-mod-admin-full/luasrc/view/admin_network/diagnostics.htm
+++ b/modules/luci-mod-admin-full/luasrc/view/admin_network/diagnostics.htm
@@ -34,7 +34,7 @@ local has_traceroute6 = fs.access("/usr/bin/traceroute6")
 legend.parentNode.style.display = 'block';
 legend.style.display = 'inline';
 
-stxhr.get('<%=url('admin/network')%>/diag_' + tool + protocol + '/' + addr, null,
+stxhr.post('<%=url('admin/network')%>/diag_' + tool + protocol + '/' + addr, { token: '<%=token%>' },
 function(x)
 {
 if (x.responseText)
@@ -53,7 +53,7 @@ local has_traceroute6 = fs.access("/usr/bin/traceroute6")
 }
 //]]>
-
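Review bot: `addr` is still concatenated raw into the URL path on the new `stxhr.post` line (`'/' + addr`); the token stops a cross-site page from triggering the request, but a user-typed value containing `/`, `?` or `#` still changes which path segments the dispatcher sees. Use `'/' + encodeURIComponent(addr)` there, which I believe the dispatcher already undoes when it decodes PATH_INFO, so confirm that before relying on it. Encoding only shapes the request; whatever validation `diag_ping` and its siblings apply to that segment lives in the controller and is outside this patch. The enclosing script function starts before the hunk.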
"> +

<%:Diagnostics%>

diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_network/iface_overview.htm b/modules/luci-mod-admin-full/luasrc/view/admin_network/iface_overview.htm index 4cdf2df95..9a77f8910 100644 --- a/modules/luci-mod-admin-full/luasrc/view/admin_network/iface_overview.htm +++ b/modules/luci-mod-admin-full/luasrc/view/admin_network/iface_overview.htm @@ -49,7 +49,7 @@ s.innerHTML = '<%:Waiting for changes to be applied...%>'; } - XHR.get('<%=url('admin/network')%>/iface_' + (reconnect ? 'reconnect' : 'shutdown') + '/' + id, null, + (new XHR()).post('<%=url('admin/network')%>/iface_' + (reconnect ? 'reconnect' : 'shutdown') + '/' + id, { token: '<%=token%>' }, function(x) { if (s) @@ -66,6 +66,16 @@ ); } + function iface_delete(id) { + if (!confirm('<%:Really delete this interface? The deletion cannot be undone!\nYou might lose access to this device if you are connected via this interface.%>')) + return; + + (new XHR()).post('<%=url('admin/network/iface_delete')%>/' + id, { token: '<%=token%>' }, + function(x) { + location.href = '<%=url('admin/network/network')%>'; + } + ); + } var iwxhr = new XHR(); var wifidevs = <%=luci.http.write_json(netdevs)%>; @@ -240,7 +250,7 @@ '" title="<%:Edit this interface%>" value="<%:Edit%>" id="<%=net[1]%>-ifc-edit" /> - '" title="<%:Delete this interface%>" value="<%:Delete%>" /> + <% end %> diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_network/wifi_join.htm b/modules/luci-mod-admin-full/luasrc/view/admin_network/wifi_join.htm index 671d16ed0..3533c6fa4 100644 --- a/modules/luci-mod-admin-full/luasrc/view/admin_network/wifi_join.htm +++ b/modules/luci-mod-admin-full/luasrc/view/admin_network/wifi_join.htm @@ -1,5 +1,5 @@ <%# - Copyright 2009 Jo-Philipp Wich + Copyright 2009-2015 Jo-Philipp Wich Licensed to the public under the Apache License 2.0. -%> @@ -109,7 +109,8 @@ Encryption: <%=format_wifi_encryption(net.encryption)%> - + + @@ -138,7 +139,8 @@ " method="get"> -
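Review bot: in the new `iface_delete`, the completion callback navigates to the network page whatever the response was (`function(x) { location.href = ...; }` never reads `x`), so a rejected token or a deletion that failed server-side is indistinguishable from success: the user lands on the overview with the interface still listed and no message. Gating the navigation on the response, e.g. `if (x.status == 200) location.href = ...; else alert(...)`, or at least surfacing the failure, would make the outcome visible; the same pattern appears in `wifi_delete` in the wifi_overview.htm hunk below. The surrounding markup of this section is not fully legible here, so the exact placement is inferred.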
+ +
diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_network/wifi_overview.htm b/modules/luci-mod-admin-full/luasrc/view/admin_network/wifi_overview.htm index 17afe0d6c..f82d06dcd 100644 --- a/modules/luci-mod-admin-full/luasrc/view/admin_network/wifi_overview.htm +++ b/modules/luci-mod-admin-full/luasrc/view/admin_network/wifi_overview.htm @@ -149,7 +149,7 @@ st.innerHTML = '<%:Wireless is restarting...%>'; } - XHR.get('<%=url('admin/network')%>/wireless_' + (reconnect ? 'reconnect' : 'shutdown') + '/' + id, null, + (new XHR()).post('<%=url('admin/network')%>/wireless_' + (reconnect ? 'reconnect' : 'shutdown') + '/' + id, { token: '<%=token%>' }, function(x) { if (s) @@ -167,6 +167,17 @@ ); } + function wifi_delete(id) { + if (!confirm('<%:Really delete this wireless network? The deletion cannot be undone!\nYou might lose access to this device if you are connected via this network.%>')) + return; + + (new XHR()).post('<%=url('admin/network/wireless_delete')%>/' + id, { token: '<%=token%>' }, + function(x) { + location.href = '<%=url('admin/network/wireless')%>'; + } + ); + } + XHR.poll(5, '<%=url('admin/network/wireless_status', table.concat(netlist, ","))%>', null, function(x, st) { @@ -370,8 +381,16 @@ - ?device=<%=dev:name()%>'" title="<%:Find and join network%>" value="<%:Scan%>" /> - ?device=<%=dev:name()%>'" title="<%:Provide new network%>" value="<%:Add%>" /> +
+ + + +
+
+ + + +
@@ -391,7 +410,7 @@ - '" title="<%:Delete this network%>" value="<%:Remove%>" /> + <% end %> @@ -410,7 +429,7 @@ <% end %> -

<%:Associated Stations%>

+

<%:Associated Stations%>

-- 2.25.1