X-Git-Url: https://git.archive.openwrt.org/?p=project%2Fluci.git;a=blobdiff_plain;f=libs%2Fweb%2Fluasrc%2Fsauth.lua;h=32f172dcda59a0bb5770f9cbaccb0311edd035ca;hp=7c483119cae14e9884349e5ba1c6b02e3945067c;hb=abef50b85238f9effd7e6d6b3195358a84e56ecc;hpb=37b3fba68869e1d96a46990caf02ccd67c7b93a9 diff --git a/libs/web/luasrc/sauth.lua b/libs/web/luasrc/sauth.lua index 7c483119c..32f172dcd 100644 --- a/libs/web/luasrc/sauth.lua +++ b/libs/web/luasrc/sauth.lua @@ -15,71 +15,113 @@ $Id$ --- LuCI session library. module("luci.sauth", package.seeall) -require("luci.fs") require("luci.util") require("luci.sys") require("luci.config") +local nixio = require "nixio", require "nixio.util" +local fs = require "nixio.fs" luci.config.sauth = luci.config.sauth or {} sessionpath = luci.config.sauth.sessionpath -sessiontime = tonumber(luci.config.sauth.sessiontime) - ---- Manually clean up expired sessions. -function clean() - local now = os.time() - local files = luci.fs.dir(sessionpath) - - if not files then - return nil - end - - for i, file in pairs(files) do - local fname = sessionpath .. "/" .. file - local stat = luci.fs.stat(fname) - if stat and stat.type == "regular" and stat.atime + sessiontime < now then - luci.fs.unlink(fname) - end - end -end +sessiontime = tonumber(luci.config.sauth.sessiontime) or 15 * 60 --- Prepare session storage by creating the session directory. function prepare() - luci.fs.mkdir(sessionpath) - luci.fs.chmod(sessionpath, "a-rwx,u+rwx") - + fs.mkdir(sessionpath, 700) if not sane() then error("Security Exception: Session path is not sane!") end end +local function _read(id) + local blob = fs.readfile(sessionpath .. "/" .. id) + return blob +end + +local function _write(id, data) + local f = nixio.open(sessionpath .. "/" .. id, "w", 600) + f:writeall(data) + f:close() +end + +local function _checkid(id) + return not not (id and #id == 32 and id:match("^[a-fA-F0-9]+$")) +end + +--- Write session data to a session file. +-- @param id Session identifier +-- @param data Session data table +function write(id, data) + if not sane() then + prepare() + end + + assert(_checkid(id), "Security Exception: Session ID is invalid!") + assert(type(data) == "table", "Security Exception: Session data invalid!") + + data.atime = luci.sys.uptime() + + _write(id, luci.util.get_bytecode(data)) +end + --- Read a session and return its content. -- @param id Session identifier --- @return Session data +-- @return Session data table or nil if the given id is not found function read(id) - if not id or not sane() then - return + if not id or #id == 0 then + return nil + end + + assert(_checkid(id), "Security Exception: Session ID is invalid!") + + if not sane(sessionpath .. "/" .. id) then + return nil + end + + local blob = _read(id) + local func = loadstring(blob) + setfenv(func, {}) + + local sess = func() + assert(type(sess) == "table", "Session data invalid!") + + if sess.atime and sess.atime + sessiontime < luci.sys.uptime() then + kill(id) + return nil end - clean() - return luci.fs.readfile(sessionpath .. "/" .. id) -end + -- refresh atime in session + write(id, sess) + + return sess +end --- Check whether Session environment is sane. -- @return Boolean status -function sane() - return luci.sys.process.info("uid") == luci.fs.stat(sessionpath, "uid") - and luci.fs.stat(sessionpath, "mode") == "rwx------" +function sane(file) + return luci.sys.process.info("uid") + == fs.stat(file or sessionpath, "uid") + and fs.stat(file or sessionpath, "modestr") + == (file and "rw-------" or "rwx------") end - ---- Write session data to a session file. +--- Kills a session -- @param id Session identifier --- @param data Session data -function write(id, data) - if not sane() then - prepare() +function kill(id) + assert(_checkid(id), "Security Exception: Session ID is invalid!") + fs.unlink(sessionpath .. "/" .. id) +end + +--- Remove all expired session data files +function reap() + if sane() then + local id + for id in nixio.fs.dir(sessionpath) do + if _checkid(id) then + -- reading the session will kill it if it is expired + read(id) + end + end end - luci.fs.writefile(sessionpath .. "/" .. id, data) - luci.fs.chmod(sessionpath .. "/" .. id, "a-rwx,u+rw") -end \ No newline at end of file +end