Extend CBI state handling

[project/luci.git] / libs / web / luasrc / sauth.lua

diff --git a/libs/web/luasrc/sauth.lua b/libs/web/luasrc/sauth.lua
index d25f287..894732d 100644 (file)
--- a/libs/web/luasrc/sauth.lua
+++ b/libs/web/luasrc/sauth.lua
@@ -17,12 +17,13 @@ $Id$
 module("luci.sauth", package.seeall)
 require("luci.fs")
 require("luci.util")
+require("luci.sys")
 require("luci.config")
 
 
 luci.config.sauth = luci.config.sauth or {}
 sessionpath = luci.config.sauth.sessionpath
-sessiontime = tonumber(luci.config.sauth.sessiontime)
+sessiontime = tonumber(luci.config.sauth.sessiontime) or 15 * 60
 
 --- Manually clean up expired sessions.
 function clean()
@@ -46,6 +47,10 @@ end
 function prepare()
        luci.fs.mkdir(sessionpath)
        luci.fs.chmod(sessionpath, "a-rwx,u+rwx")
+        
+       if not sane() then
+               error("Security Exception: Session path is not sane!")
+       end
 end
 
 --- Read a session and return its content.
@@ -56,15 +61,28 @@ function read(id)
                return
        end
        clean()
+       if not sane(sessionpath .. "/" .. id) then
+               return
+       end
        return luci.fs.readfile(sessionpath .. "/" .. id)
 end
 
 
+--- Check whether Session environment is sane.
+-- @return Boolean status
+function sane(file)
+       return luci.sys.process.info("uid")
+                       == luci.fs.stat(file or sessionpath, "uid")
+               and luci.fs.stat(file or sessionpath, "mode")
+                       == (file and "rw-------" or "rwx------")
+end
+
+
 --- Write session data to a session file.
 -- @param id   Session identifier
 -- @param data Session data
 function write(id, data)
-       if not luci.fs.stat(sessionpath) then
+       if not sane() then
                prepare()
        end
        luci.fs.writefile(sessionpath .. "/" .. id, data)