X-Git-Url: http://git.archive.openwrt.org/?p=project%2Fluci.git;a=blobdiff_plain;f=modules%2Fluci-base%2Fluasrc%2Fdispatcher.lua;h=0876ce658580cf2848f419dd3411638b3f59aaa7;hp=bb02912f4b21543cec6524e49f030457b267683b;hb=9652d44ef20d5ffcf65df319653590426029ebce;hpb=86326e0deff92a485ffd47e22ac70194abb3fd66 diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua index bb02912f4..0876ce658 100644 --- a/modules/luci-base/luasrc/dispatcher.lua +++ b/modules/luci-base/luasrc/dispatcher.lua @@ -27,14 +27,6 @@ function build_url(...) local path = {...} local url = { http.getenv("SCRIPT_NAME") or "" } - local k, v - for k, v in pairs(context.urltoken) do - url[#url+1] = "/;" - url[#url+1] = http.urlencode(k) - url[#url+1] = "=" - url[#url+1] = http.urlencode(v) - end - local p for _, p in ipairs(path) do if p:match("^[a-zA-Z0-9_%-%.%%/,;]+$") then @@ -43,6 +35,10 @@ function build_url(...) end end + if #path == 0 then + url[#url+1] = "/" + end + return table.concat(url, "") end @@ -128,7 +124,6 @@ function httpdispatch(request, prefix) local r = {} context.request = r - context.urltoken = {} local pathinfo = http.urldecode(request:getenv("PATH_INFO") or "", true) @@ -177,6 +172,22 @@ local function require_post_security(target) return false end +function test_post_security() + if http.getenv("REQUEST_METHOD") ~= "POST" then + http.status(405, "Method Not Allowed") + http.header("Allow", "POST") + return false + end + + if http.formvalue("token") ~= context.authtoken then + http.status(403, "Forbidden") + luci.template.render("csrftoken") + return false + end + + return true +end + function dispatch(request) --context._disable_memtrace = require "luci.debug".trap_memtrace("l") local ctx = context 
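Review bot: In the new `test_post_security()`, the comparison `http.formvalue("token") ~= context.authtoken` evaluates to false when both sides are nil, so a POST with no `token` field is accepted whenever no auth token has been set on the context. Unlike `require_post_security` it is declared without `local`, so other code can call it, and whether `context.authtoken` is always populated by then is not visible in this diff. Consider failing closed with `local token = http.formvalue("token")` followed by `if not context.authtoken or token ~= context.authtoken then`. A short doc comment saying that the function writes the 405/403 response itself and returns false in that case would also help callers.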
@@ -186,6 +197,7 @@ function dispatch(request) assert(conf.main, "/etc/config/luci seems to be corrupt, unable to find section 'main'") + local i18n = require "luci.i18n" local lang = conf.main.lang or "auto" if lang == "auto" then local aclang = http.getenv("HTTP_ACCEPT_LANGUAGE") or "" @@ -197,7 +209,10 @@ function dispatch(request) end end end - require "luci.i18n".setlanguage(lang) + if lang == "auto" then + lang = i18n.default + end + i18n.setlanguage(lang) local c = ctx.tree local stat @@ -210,7 +225,6 @@ function dispatch(request) ctx.args = args ctx.requestargs = ctx.requestargs or args local n - local token = ctx.urltoken local preq = {} local freq = {} @@ -263,6 +277,13 @@ function dispatch(request) if cond then local env = getfenv(3) local scope = (type(env.self) == "table") and env.self + if type(val) == "table" then + if not next(val) then + return '' + else + val = util.serialize_json(val) + end + end return string.format( ' %s="%s"', tostring(key), util.pcdata(tostring( val @@ -307,7 +328,7 @@ function dispatch(request) "Access Violation\nThe page at '" .. table.concat(request, "/") .. "/' " .. "has no parent node so the access to this location has been denied.\n" .. "This is a software bug, please report this message at " .. - "http://luci.subsignal.org/trac/newticket" + "https://github.com/openwrt/luci/issues" ) if track.sysauth then @@ -361,9 +382,7 @@ function dispatch(request) end if sess and token then - http.header("Set-Cookie", 'sysauth=%s; path=%s/' %{ - sess, build_url() - }) + http.header("Set-Cookie", 'sysauth=%s; path=%s' %{ sess, build_url() }) ctx.authsession = sess ctx.authtoken = token 
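Review bot: The added table branch returns `''` for an empty table even though `cond` is true, which silently drops the attribute and deserves a comment such as `-- empty tables emit no attribute; non-empty tables are emitted as JSON`. The serialized JSON is then placed inside a double-quoted attribute, and JSON text carries double quotes around every string, so the output is only well-formed if `util.pcdata` escapes quotes; that is not visible here and is worth confirming. On the following context line `tostring(key)` is interpolated without escaping, which may be fine if keys are always template literals. The enclosing function starts and ends outside this hunk.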
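Review bot: The rewritten `Set-Cookie` line still issues the `sysauth` session cookie with only a `path` attribute: there is no `HttpOnly`, and no `Secure` when the request arrived over HTTPS, so the session id stays readable from page script and can be sent over plain HTTP. Since this line is being touched anyway, and provided no client script needs to read the cookie, consider `http.header("Set-Cookie", 'sysauth=%s; path=%s; HttpOnly' %{ sess, build_url() })`, appending `; Secure` when the request environment indicates TLS. The cookie path now relies on `build_url()` with no arguments ending in `/` (the `#path == 0` branch added earlier in this diff), and a one-line comment saying so would keep the two changes from drifting apart. The surrounding `if sess and token then` block continues outside the hunk.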
@@ -384,15 +403,7 @@ function dispatch(request) end if c and require_post_security(c.target) then - if http.getenv("REQUEST_METHOD") ~= "POST" then - http.status(405, "Method Not Allowed") - http.header("Allow", "POST") - return - end - - if http.formvalue("token") ~= ctx.authtoken then - http.status(403, "Forbidden") - luci.template.render("csrftoken") + if not test_post_security(c) then return end end @@ -402,9 +413,6 @@ function dispatch(request) end if track.setuser then - -- trigger ubus connection before dropping root privs - util.ubus() - sys.process.setuser(track.setuser) end
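Review bot: The call `test_post_security(c)` passes the node `c`, but `test_post_security()` as added earlier in this diff declares no parameters, so the argument is silently ignored. Either drop it, `if not test_post_security() then`, or give the function a parameter and document what it is for; as written, a reader may assume the check is specific to the target. `dispatch()` starts and ends outside this hunk.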