Changeset 3903

Timestamp:

12/14/08 22:43:10 (5 years ago)

Author:

Cyrus

Message:

Implement URL tokens
Add basic XSRF protection

Location:

luci/trunk

Files:

• libs/web/luasrc/dispatcher.lua (modified) (9 diffs)
• modules/rpc/luasrc/controller/rpc.lua (modified) (1 diff)

luci/trunk/libs/web/luasrc/dispatcher.lua

@@ -48 +48 @@
 -- @return      Relative URL
 function build_url(...)
-    return luci.http.getenv("SCRIPT_NAME") .. "/" .. table.concat(arg, "/")
+    return context.scriptname .. "/" .. table.concat(arg, "/")
 end
 
@@ -124 +124 @@
     local ctx = context
     ctx.path = request
+    ctx.scriptname = luci.http.getenv("SCRIPT_NAME") or ""
+    ctx.urltoken   = ctx.urltoken or {}
 
     require "luci.i18n".setlanguage(require "luci.config".main.lang)
@@ -138 +140 @@
     ctx.requestargs = ctx.requestargs or args
     local n
+    local t = true
+    local token = ctx.urltoken
+    local preq = {}
 
     for i, s in ipairs(request) do
-        c = c.nodes[s]
-        n = i
-        if not c then
-            break
-        end
-
-        util.update(track, c)
-
-        if c.leaf then
-            break
+        local tkey, tval
+        if t then
+            tkey, tval = s:match(";(%w+)=(.*)")
+        end
+
+        if tkey then
+            token[tkey] = tval
+        else
+            t = false
+            preq[#preq+1] = s
+            c = c.nodes[s]
+            n = i
+            if not c then
+                break
+            end
+
+            util.update(track, c)
+
+            if c.leaf then
+                break
+            end
         end
     end
@@ -158 +174 @@
         end
     end
+
+    for k, v in pairs(token) do
+        ctx.scriptname = ctx.scriptname .. "/;" .. k .. "=" ..
+            http.urlencode(v)
+    end
+
+    ctx.path = preq
 
     if track.i18n then
@@ -178 +201 @@
         end
 
-        local viewns = setmetatable({}, {__index=_G})
+        local viewns = setmetatable({}, {__index=function(table, key)
+            if key == "controller" then
+                return ctx.scriptname
+            elseif key == "REQUEST_URI" then
+                return ctx.scriptname .. "/" .. table.concat(ctx.requested, "/")
+            else
+                return rawget(table, key) or _G[key]
+            end
+        end})
         tpl.context.viewns = viewns
         viewns.write       = luci.http.write
@@ -184 +215 @@
         viewns.translate   = function(...) return require("luci.i18n").translate(...) end
         viewns.striptags   = util.striptags
-        viewns.controller  = luci.http.getenv("SCRIPT_NAME")
         viewns.media       = media
         viewns.theme       = fs.basename(media)
         viewns.resource    = luci.config.main.resourcebase
-        viewns.REQUEST_URI = (luci.http.getenv("SCRIPT_NAME") or "") .. (luci.http.getenv("PATH_INFO") or "")
     end
 
@@ -203 +232 @@
         local def  = (type(track.sysauth) == "string") and track.sysauth
         local accs = def and {track.sysauth} or track.sysauth
-        local sess = ctx.authsession or luci.http.getcookie("sysauth")
-        sess = sess and sess:match("^[A-F0-9]+$")
-        local user = sauth.read(sess)
+        local sess = ctx.authsession
+        local verifytoken = true
+        if not sess then
+            sess = luci.http.getcookie("sysauth")
+            sess = sess and sess:match("^[A-F0-9]+$")
+        end
+
+        local sdat = sauth.read(sess)
+        local user
+
+        if sdat then
+            sdat = loadstring(sdat)()
+            if not verifytoken or ctx.urltoken.stok == sdat.token then
+                user = sdat.user
+            end
+        end
 
         if not util.contains(accs, user) then
@@ -216 +258 @@
                     luci.http.header("Set-Cookie", "sysauth=" .. sid.."; path=/")
                     if not sess then
-                        sauth.write(sid, user)
+                        local token = luci.sys.uniqueid(16)
+                        sauth.write(sid, util.get_bytecode({
+                            user=user,
+                            token=token,
+                            secret=luci.sys.uniqueid(16)
+                        }))
+                        ctx.scriptname = ctx.scriptname .. "/;stok="..token
                     end
                     ctx.authsession = sid
@@ -224 +272 @@
                 return
             end
+        else
+            ctx.authsession = sess
         end
     end

luci/trunk/modules/rpc/luasrc/controller/rpc.lua

@@ -53 +53 @@
     local sys     = require "luci.sys"
     local ltn12   = require "luci.ltn12"
+    local util    = require "luci.util"
     
     local loginstat
     
     local server = {}
-    server.login = function(user, pass)
-        local sid
-        
+    server.challenge = function(user, pass)
+        local sid, token, secret
+
         if sys.user.checkpasswd(user, pass) then
             sid = sys.uniqueid(16)
+            token = sys.uniqueid(16)
+            secret = sys.uniqueid(16)
+
             http.header("Set-Cookie", "sysauth=" .. sid.."; path=/")
-            sauth.write(sid, user)
+            sauth.write(sid, util.get_bytecode({
+                user=user,
+                token=token,
+                secret=secret
+            }))
         end
         
-        return sid
+        return sid and {sid=sid, token=token, secret=secret}
+    end
+
+    server.login = function(...)
+        local challenge = server.challenge(...)
+        return challenge and challenge.sid
     end