X-Git-Url: http://git.archive.openwrt.org/?p=project%2Fluci.git;a=blobdiff_plain;f=modules%2Fluci-base%2Fluasrc%2Fhttp.lua;h=f1d7d6a93e77cdb9b7ba2d4219e299b866838d36;hp=a92d8affb65628505751ab80f705aa58e966de7a;hb=8f66de12c190952e23e6d7c41a52b2868c203beb;hpb=cd24ad05a4a87e5bb37a64a26a72e609b523c640;ds=sidebyside
diff --git a/modules/luci-base/luasrc/http.lua b/modules/luci-base/luasrc/http.lua
index a92d8affb..f1d7d6a93 100644
--- a/modules/luci-base/luasrc/http.lua
+++ b/modules/luci-base/luasrc/http.lua
@@ -7,6 +7,7 @@ local util = require "luci.util"
 local string = require "string"
 local coroutine = require "coroutine"
 local table = require "table"
+local lhttp = require "lucihttp"
 local ipairs, pairs, next, type, tostring, error =
 ipairs, pairs, next, type, tostring, error
@@ -73,10 +74,7 @@ function Request.content(self)
 end
 function Request.getcookie(self, name)
- local c = string.gsub(";" .. (self:getenv("HTTP_COOKIE") or "") .. ";", "%s*;%s*", ";")
- local p = ";" .. name .. "=(.-);"
- local i, j, value = c:find(p)
- return value and urldecode(value)
+ return lhttp.header_attribute("cookie; " .. (self:getenv("HTTP_COOKIE") or ""), name)
 end
 function Request.getenv(self, name)
@@ -89,6 +87,31 @@ end
 function Request.setfilehandler(self, callback)
 self.filehandler = callback
+
+ if not self.parsed_input then
+ return
+ end
+
+ -- If input has already been parsed then uploads are stored as unlinked
+ -- temporary files pointed to by open file handles in the parameter
+ -- value table. Loop all params, and invoke the file callback for any
+ -- param with an open file handle.
+ local name, value
+ for name, value in pairs(self.message.params) do
+ if type(value) == "table" then
+ while value.fd do
+ local data = value.fd:read(1024)
+ local eof = (not data or data == "")
+
+ callback(value, data, eof)
+
+ if eof then
+ value.fd:close()
+ value.fd = nil
+ end
+ end
+ end
+ end
 end
 function Request._parse_input(self)
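Review bot: The replacement body drops the `urldecode(value)` step the old `Request.getcookie` applied, so the function now returns whatever `lhttp.header_attribute` yields for the named attribute; unless that helper percent-decodes (it appears to parse and unquote header attributes rather than URL-decode them), cookie values stored percent-encoded will read back differently than before. Either restore the decode on the result, `return value and urldecode(value)`, or document the new contract in the function. The `"cookie; "` prefix is also non-obvious and deserves a comment such as `-- header_attribute() parses "<value>; name=value; ..." so a dummy leading value exposes the cookie pairs as attributes`.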
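Review bot: In `Request.setfilehandler` the file handle is closed only on the `eof` branch, so if `callback` raises mid-stream `value.fd` stays open and still points at the handle; since this path replays already-buffered uploads, consider running the callback under `pcall` and closing the handle on failure, or at least state the "callback must not throw" expectation in the comment block. The `local name, value` line before the loop is dead: `for name, value in pairs(...)` declares its own locals, and luacheck will report the outer pair as unused, so it should be dropped. The `1024` read size would also benefit from a named local or a short comment explaining the chunking.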
@@ -193,7 +216,15 @@ function write(content, src_err)
 header("Cache-Control", "no-cache")
 header("Expires", "0")
 end
-
+ if not context.headers["x-frame-options"] then
+ header("X-Frame-Options", "SAMEORIGIN")
+ end
+ if not context.headers["x-xss-protection"] then
+ header("X-XSS-Protection", "1; mode=block")
+ end
+ if not context.headers["x-content-type-options"] then
+ header("X-Content-Type-Options", "nosniff")
+ end
 context.eoh = true
 coroutine.yield(3)
@@ -208,28 +239,29 @@ function splice(fd, size)
 end
 function redirect(url)
+ if url == "" then url = "/" end
 status(302, "Found")
 header("Location", url)
 close()
 end
 function build_querystring(q)
- local s = { "?" }
+ local s, n, k, v = {}, 1, nil, nil
 for k, v in pairs(q) do
- if #s > 1 then s[#s+1] = "&" end
-
- s[#s+1] = urldecode(k)
- s[#s+1] = "="
- s[#s+1] = urldecode(v)
+ s[n+0] = (n == 1) and "?" or "&"
+ s[n+1] = util.urlencode(k)
+ s[n+2] = "="
+ s[n+3] = util.urlencode(v)
+ n = n + 4
 end
 return table.concat(s, "")
 end
-urldecode = protocol.urldecode
+urldecode = util.urldecode
-urlencode = protocol.urlencode
+urlencode = util.urlencode
 function write_json(x)
 util.serialize_json(x, write)
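Review bot: The three new defaults in `write` are applied only when the lowercase key is absent from `context.headers`, which presumes `header()` normalises names to lowercase before storing them; a one-line comment above the block, `-- default hardening headers; a handler overrides them by calling header() first`, would record that intent and why the lookups are lowercase while the emitted names are mixed-case. `X-XSS-Protection` is a legacy browser filter hint and `X-Frame-Options` has a modern equivalent in a `Content-Security-Policy` `frame-ancestors` directive, so it is worth noting in the same comment that these are baseline defaults rather than a complete policy. The enclosing `write` body starts before this hunk, so it is not visible here whether responses emitted without passing through `write` (for example error paths) receive the same headers.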
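Review bot: `redirect` guards only the empty string, so a `nil` url still reaches `header("Location", url)`; if callers can pass `nil`, `if url == nil or url == "" then url = "/" end` covers both cases. In `build_querystring` the `k, v` in `local s, n, k, v = {}, 1, nil, nil` are dead, because `for k, v in pairs(q)` declares its own locals, so `local s, n = {}, 1` is sufficient and avoids a luacheck unused-variable report. `util.urlencode(v)` is also handed whatever value type `q` holds; if `q` can carry the multi-value tables that `setfilehandler` expects in `self.message.params`, that case needs an explicit `tostring` or per-element handling — worth confirming against the callers.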