local path = {...}
local url = { http.getenv("SCRIPT_NAME") or "" }
- local k, v
- for k, v in pairs(context.urltoken) do
- url[#url+1] = "/;"
- url[#url+1] = http.urlencode(k)
- url[#url+1] = "="
- url[#url+1] = http.urlencode(v)
- end
-
local p
for _, p in ipairs(path) do
if p:match("^[a-zA-Z0-9_%-%.%%/,;]+$") then
end
end
+ if #path == 0 then
+ url[#url+1] = "/"
+ end
+
return table.concat(url, "")
end
local r = {}
context.request = r
- context.urltoken = {}
local pathinfo = http.urldecode(request:getenv("PATH_INFO") or "", true)
return false
end
+function test_post_security()
+ if http.getenv("REQUEST_METHOD") ~= "POST" then
+ http.status(405, "Method Not Allowed")
+ http.header("Allow", "POST")
+ return false
+ end
+
+ if http.formvalue("token") ~= context.authtoken then
+ http.status(403, "Forbidden")
+ luci.template.render("csrftoken")
+ return false
+ end
+
+ return true
+end
+
function dispatch(request)
--context._disable_memtrace = require "luci.debug".trap_memtrace("l")
local ctx = context
ctx.args = args
ctx.requestargs = ctx.requestargs or args
local n
- local token = ctx.urltoken
local preq = {}
local freq = {}
"Access Violation\nThe page at '" .. table.concat(request, "/") .. "/' " ..
"has no parent node so the access to this location has been denied.\n" ..
"This is a software bug, please report this message at " ..
- "http://luci.subsignal.org/trac/newticket"
+ "https://github.com/openwrt/luci/issues"
)
if track.sysauth then
end
if sess and token then
- http.header("Set-Cookie", 'sysauth=%s; path=%s/' %{
- sess, build_url()
- })
+ http.header("Set-Cookie", 'sysauth=%s; path=%s' %{ sess, build_url() })
ctx.authsession = sess
ctx.authtoken = token
end
if c and require_post_security(c.target) then
- if http.getenv("REQUEST_METHOD") ~= "POST" then
- http.status(405, "Method Not Allowed")
- http.header("Allow", "POST")
- return
- end
-
- if http.formvalue("token") ~= ctx.authtoken then
- http.status(403, "Forbidden")
- luci.template.render("csrftoken")
+ if not test_post_security(c) then
return
end
end
end
if track.setuser then
- -- trigger ubus connection before dropping root privs
- util.ubus()
-
sys.process.setuser(track.setuser)
end
projects / project / luci.git / blobdiff