Merge pull request #1548 from RaspAP/sec/authenticate-ajax

Add authentication to ajax pages, thx @lts-rad
Bill Zimmerman 2024-03-12 17:56:30 +01:00 committed by GitHub
commit d0592b63de
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
22 changed files with 77 additions and 32 deletions


@ -2,6 +2,8 @@
require '../../includes/csrf.php'; require '../../includes/csrf.php';
require_once '../../includes/config.php'; require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
if (isset($_POST['blocklist_id'])) { if (isset($_POST['blocklist_id'])) {
$blocklist_id = escapeshellcmd($_POST['blocklist_id']); $blocklist_id = escapeshellcmd($_POST['blocklist_id']);
@ -50,4 +52,3 @@ if (isset($_POST['blocklist_id'])) {
$jsonData = ['return'=>2,'output'=>['Error getting data']]; $jsonData = ['return'=>2,'output'=>['Error getting data']];
echo json_encode($jsonData); echo json_encode($jsonData);
} }
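Review bot: Authentication here is enforced purely by the side effect of `require_once '../../includes/authenticate.php'`, which only protects this script if that include terminates the request on failure; authenticate.php is not part of this commit, so that should be confirmed and stated in a header comment there, and the same assumption holds for every other ajax section in this commit. The pairing with the preceding `require_once '../../src/RaspAP/Auth/HTTPAuth.php'` implies an ordering dependency; a comment such as `// HTTPAuth.php must be loaded before authenticate.php` above the pair would make that explicit for the copies elsewhere (one section places IwParser.php between the two). The unchanged `$blocklist_id = escapeshellcmd($_POST['blocklist_id'])` on the following line is now behind the gate, but if the value is used in a shell command further down (outside this hunk) an allow-list check like the `/^[a-zA-Z0-9]+$/` one this commit adds in another file would be the stronger guard.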


@ -1,8 +1,9 @@
<?php <?php
require '../../includes/csrf.php'; require '../../includes/csrf.php';
require_once '../../includes/config.php'; require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
$interface = filter_input(INPUT_GET, 'inet', FILTER_SANITIZE_SPECIAL_CHARS); $interface = filter_input(INPUT_GET, 'inet', FILTER_SANITIZE_SPECIAL_CHARS);
if (empty($interface)) { if (empty($interface)) {
@ -13,8 +14,7 @@ if (empty($interface)) {
} else { } else {
exit('No network interfaces found.'); exit('No network interfaces found.');
} }
} }
define('IFNAMSIZ', 16); define('IFNAMSIZ', 16);
if (strlen($interface) > IFNAMSIZ) { if (strlen($interface) > IFNAMSIZ) {
exit('Interface name too long.'); exit('Interface name too long.');
@ -72,14 +72,12 @@ for ($i = count($jsonData) - 1; $i >= 0; --$i) {
$datareceived = round($jsonData[$i]['rx'] / $dsu_factor, 0); $datareceived = round($jsonData[$i]['rx'] / $dsu_factor, 0);
if ($timeunits === 'm') { if ($timeunits === 'm') {
echo '{ "date": "' , $dt->format('Y-m') , '", "rx": "' , $datareceived , echo '{ "date": "' , $dt->format('Y-m') , '", "rx": "' , $datareceived ,
'", "tx": "' , $datasend , '" }'; '", "tx": "' , $datasend , '" }';
} else { } else {
echo '{ "date": "' , $dt->format('Y-m-d') , '", "rx": "' , $datareceived , echo '{ "date": "' , $dt->format('Y-m-d') , '", "rx": "' , $datareceived ,
'", "tx": "' , $datasend , '" }'; '", "tx": "' , $datasend , '" }';
} }
} }
echo ' ]'; echo ' ]';


@ -1,6 +1,9 @@
<?php <?php
require '../../includes/csrf.php'; require '../../includes/csrf.php';
require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
if (filter_input(INPUT_GET, 'tu') == 'h') { if (filter_input(INPUT_GET, 'tu') == 'h') {


@ -2,12 +2,19 @@
require '../../includes/csrf.php'; require '../../includes/csrf.php';
require_once '../../includes/config.php'; require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
require_once '../../includes/functions.php'; require_once '../../includes/functions.php';
if (isset($_POST['logfile'])) { if (isset($_POST['logfile'])) {
$logfile = escapeshellcmd($_POST['logfile']); $logfile = escapeshellarg($_POST['logfile']);
$valid = '/(\/var\/log|\/tmp)/';
// truncate requested log file if (preg_match($valid, $logfile)) {
exec("sudo truncate -s 0 $logfile", $return); // truncate requested log file
exec("sudo truncate -s 0 $logfile", $return);
} else {
$return = 1;
}
echo json_encode($return); echo json_encode($return);
} }
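Review bot: The new `$valid = '/(\/var\/log|\/tmp)/'` check is unanchored and is applied to the already-quoted `escapeshellarg()` result, so any value that merely contains `/var/log` or `/tmp` as a substring, including paths with `..` segments that resolve elsewhere, passes and is handed to `sudo truncate`. Validate the raw `$_POST['logfile']` against a pattern anchored at the start that pins each path segment, and apply `escapeshellarg()` only at the exec call. The two branches also disagree on what `$return` holds (exec's output array on success, the integer 1 on failure); if the client can take a single integer, exec's third argument gives one status shape for both paths. The enclosing `if (isset($_POST['logfile']))` closes at the end of the hunk.
```php
    $requested = $_POST['logfile'];
    // absolute path under /var/log or /tmp only; a segment may not start with '.', which rules out '..'
    $valid = '#^/(var/log|tmp)(/[A-Za-z0-9_-][A-Za-z0-9._-]*)+$#';
    if (preg_match($valid, $requested)) {
        // truncate requested log file
        exec('sudo truncate -s 0 ' . escapeshellarg($requested), $return);
    } else {
        $return = 1;
    }
    // … unchanged: echo json_encode($return) …
```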


@ -1,6 +1,8 @@
<?php <?php
require_once '../../includes/config.php'; require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
require_once '../../includes/session.php'; require_once '../../includes/session.php';
require_once '../../includes/functions.php'; require_once '../../includes/functions.php';
@ -16,7 +18,7 @@ if (isset($_POST['csrf_token'])) {
array("src" => $path .'/090_wlan0.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'wlan0.conf'), array("src" => $path .'/090_wlan0.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'wlan0.conf'),
array("src" => $path .'/090_raspap.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'raspap.conf'), array("src" => $path .'/090_raspap.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'raspap.conf'),
); );
foreach ($configs as $config) { foreach ($configs as $config) {
try { try {
$tmp = file_get_contents($config["src"]); $tmp = file_get_contents($config["src"]);
@ -32,4 +34,3 @@ if (isset($_POST['csrf_token'])) {
} else { } else {
handleInvalidCSRFToken(); handleInvalidCSRFToken();
} }


@ -1,6 +1,9 @@
<?php <?php
require '../../includes/csrf.php'; require '../../includes/csrf.php';
require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
exec("ls /sys/class/net | grep -v lo", $interfaces); exec("ls /sys/class/net | grep -v lo", $interfaces);
echo json_encode($interfaces); echo json_encode($interfaces);


@ -2,6 +2,8 @@
require '../../includes/csrf.php'; require '../../includes/csrf.php';
require_once '../../includes/config.php'; require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
exec('cat '. RASPI_HOSTAPD_CONFIG, $hostapdconfig); exec('cat '. RASPI_HOSTAPD_CONFIG, $hostapdconfig);
$arrConfig = array(); $arrConfig = array();


@ -1,7 +1,10 @@
<?php <?php
require '../../includes/csrf.php'; require '../../includes/csrf.php';
require '../../src/RaspAP/Parsers/IwParser.php'; require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../src/RaspAP/Parsers/IwParser.php';
require_once '../../includes/authenticate.php';
if (isset($_POST['interface'])) { if (isset($_POST['interface'])) {
@ -11,4 +14,3 @@ if (isset($_POST['interface'])) {
echo json_encode($supportedFrequencies); echo json_encode($supportedFrequencies);
} }


@ -3,6 +3,9 @@
require '../../includes/csrf.php'; require '../../includes/csrf.php';
require_once '../../includes/functions.php'; require_once '../../includes/functions.php';
require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
if (isset($_POST['interface'])) { if (isset($_POST['interface'])) {
$int = preg_replace('/[^a-z0-9]/', '', $_POST['interface']); $int = preg_replace('/[^a-z0-9]/', '', $_POST['interface']);


@ -2,8 +2,10 @@
require '../../includes/csrf.php'; require '../../includes/csrf.php';
require_once '../../includes/config.php'; require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
$interface = $_GET['iface']; $interface = $_POST['iface'];
if (isset($interface)) { if (isset($interface)) {
// fetch dnsmasq.conf settings for interface // fetch dnsmasq.conf settings for interface
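Review bot: The new `$interface = $_POST['iface'];` followed by `if (isset($interface))` emits an undefined-index warning when the key is absent and, more to the point, passes the interface name on with no validation, while this same commit adds a `/^[a-zA-Z0-9]+$/` allow-list for `$_POST['interface']` in another ajax file. Apply the same check here before the name feeds the dnsmasq lookup that follows: `$interface = $_POST['iface'] ?? null;` and `if (isset($interface) && preg_match('/^[a-zA-Z0-9]+$/', $interface)) {`. The block that uses `$interface` continues past the end of the hunk.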


@ -2,12 +2,19 @@
require '../../includes/csrf.php'; require '../../includes/csrf.php';
require_once '../../includes/config.php'; require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
require_once '../../includes/locale.php'; require_once '../../includes/locale.php';
if (isset($_POST['interface'])) { if (isset($_POST['interface'])) {
define( 'NL80211_BAND_24GHZ', 0x1 ); define( 'NL80211_BAND_24GHZ', 0x1 );
define( 'NL80211_BAND_5GHZ', 0x2 ); define( 'NL80211_BAND_5GHZ', 0x2 );
if(!preg_match('/^[a-zA-Z0-9]+$/', $_POST['interface'])) {
exit('Invalid interface name.');
}
$iface = escapeshellcmd($_POST['interface']); $iface = escapeshellcmd($_POST['interface']);
$flags = 0; $flags = 0;
@ -17,7 +24,7 @@ if (isset($_POST['interface'])) {
// get frequencies supported by device // get frequencies supported by device
exec('iw '.$phy.' info | sed -rn "s/^.*\*\s([0-9]{4})\sMHz.*/\1/p"', $frequencies); exec('iw '.$phy.' info | sed -rn "s/^.*\*\s([0-9]{4})\sMHz.*/\1/p"', $frequencies);
if (count(preg_grep('/^24[0-9]{2}/i', $frequencies)) >0) { if (count(preg_grep('/^24[0-9]{2}/i', $frequencies)) >0) {
$flags += NL80211_BAND_24GHZ; $flags += NL80211_BAND_24GHZ;
} }
@ -40,4 +47,3 @@ if (isset($_POST['interface'])) {
} }
echo json_encode($msg); echo json_encode($msg);
} }
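Review bot: The new `exit('Invalid interface name.')` returns a plain-text body from a script whose normal exit path is `echo json_encode($msg)` at the end of the hunk, so a caller that parses the response as JSON fails on the rejection; `exit(json_encode(['error' => 'Invalid interface name.']));` keeps the response contract uniform. With the allow-list in place the following `escapeshellcmd($_POST['interface'])` is redundant and could be a plain assignment. The pattern also rejects `.`, `_` and `-`, which Linux permits in interface names, and imposes no length cap; whether that matters depends on the interfaces RaspAP expects here, so mirroring the IFNAMSIZ length check used in another ajax file of this commit may be worth considering. Style: `if(` should be `if (` per PSR-12.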


@ -2,8 +2,9 @@
require '../../includes/csrf.php'; require '../../includes/csrf.php';
require_once '../../includes/config.php'; require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
// fetch wg client.conf // fetch wg client.conf
exec('sudo cat '. RASPI_WIREGUARD_PATH.'client.conf', $return); exec('sudo cat '. RASPI_WIREGUARD_PATH.'client.conf', $return);
echo implode(PHP_EOL,$return); echo implode(PHP_EOL,$return);


@ -2,17 +2,19 @@
require '../../includes/csrf.php'; require '../../includes/csrf.php';
require_once '../../includes/config.php'; require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
$entity = escapeshellcmd($_POST['entity']); $entity = escapeshellcmd($_POST['entity']);
if (isset($entity)) { if (isset($entity)) {
// generate public/private key pairs for entity // generate public/private key pairs for entity
$pubkey = RASPI_WIREGUARD_PATH.$entity.'-public.key'; $pubkey = RASPI_WIREGUARD_PATH.$entity.'-public.key';
$privkey = RASPI_WIREGUARD_PATH.$entity.'-private.key'; $privkey = RASPI_WIREGUARD_PATH.$entity.'-private.key';
$pubkey_tmp = '/tmp/'.$entity.'-public.key'; $pubkey_tmp = '/tmp/'.$entity.'-public.key';
$privkey_tmp = '/tmp/'.$entity.'-private.key'; $privkey_tmp = '/tmp/'.$entity.'-private.key';
exec("sudo wg genkey | tee $privkey_tmp | wg pubkey > $pubkey_tmp", $return); exec("sudo wg genkey | tee $privkey_tmp | wg pubkey > $pubkey_tmp", $return);
$wgdata['pubkey'] = str_replace("\n",'',file_get_contents($pubkey_tmp)); $wgdata['pubkey'] = str_replace("\n",'',file_get_contents($pubkey_tmp));
exec("sudo mv $privkey_tmp $privkey", $return); exec("sudo mv $privkey_tmp $privkey", $return);
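Review bot: `$entity = escapeshellcmd($_POST['entity']); if (isset($entity))` is an always-true check (a string just assigned from `escapeshellcmd` is never unset), and `escapeshellcmd` does not reject `/` or `..` in a value that is then concatenated into `RASPI_WIREGUARD_PATH.$entity.'-private.key'` and passed to `sudo mv`; the new auth gate narrows who can reach this, but the filename component still deserves an allow-list. Replace the two lines with `$entity = $_POST['entity'] ?? '';` and `if (preg_match('/^[a-zA-Z0-9]+$/', $entity)) {`, widening the pattern if existing entity names use other characters. The same always-true `isset` after `escapeshellcmd` appears in the section with `$action = escapeshellcmd($_POST['a'])`. The `if` body continues past the end of the hunk.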


@ -2,6 +2,8 @@
require '../../includes/csrf.php'; require '../../includes/csrf.php';
require_once '../../includes/config.php'; require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
require_once '../../includes/defaults.php'; require_once '../../includes/defaults.php';
require_once '../../includes/functions.php'; require_once '../../includes/functions.php';
require_once '../../includes/wifi_functions.php'; require_once '../../includes/wifi_functions.php';
@ -14,7 +16,7 @@ knownWifiStations($networks);
nearbyWifiStations($networks, !isset($_REQUEST["refresh"])); nearbyWifiStations($networks, !isset($_REQUEST["refresh"]));
connectedWifiStations($networks); connectedWifiStations($networks);
sortNetworksByRSSI($networks); sortNetworksByRSSI($networks);
foreach ($networks as $ssid => $network) $networks[$ssid]["ssidutf8"] = ssid2utf8( $ssid ); foreach ($networks as $ssid => $network) $networks[$ssid]["ssidutf8"] = ssid2utf8( $ssid );
$connected = array_filter($networks, function($n) { return $n['connected']; } ); $connected = array_filter($networks, function($n) { return $n['connected']; } );
$known = array_filter($networks, function($n) { return !$n['connected'] && $n['configured']; } ); $known = array_filter($networks, function($n) { return !$n['connected'] && $n['configured']; } );


@ -2,6 +2,8 @@
require '../../includes/csrf.php'; require '../../includes/csrf.php';
require_once '../../includes/config.php'; require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
require_once '../../includes/functions.php'; require_once '../../includes/functions.php';
if (isset($_POST['cfg_id'])) { if (isset($_POST['cfg_id'])) {
@ -24,4 +26,3 @@ if (isset($_POST['cfg_id'])) {
echo json_encode($return); echo json_encode($return);
} }


@ -2,6 +2,8 @@
require '../../includes/csrf.php'; require '../../includes/csrf.php';
require_once '../../includes/config.php'; require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
require_once '../../includes/functions.php'; require_once '../../includes/functions.php';
if (isset($_POST['cfg_id'])) { if (isset($_POST['cfg_id'])) {
@ -11,4 +13,3 @@ if (isset($_POST['cfg_id'])) {
$jsonData = ['return'=>$return]; $jsonData = ['return'=>$return];
echo json_encode($jsonData); echo json_encode($jsonData);
} }


@ -1,6 +1,9 @@
<?php <?php
require '../../includes/csrf.php'; require '../../includes/csrf.php';
require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
$action = escapeshellcmd($_POST['a']); $action = escapeshellcmd($_POST['a']);
@ -18,4 +21,3 @@ if (isset($action)) {
} }
echo json_encode($response); echo json_encode($response);
} }


@ -2,6 +2,8 @@
require '../../includes/csrf.php'; require '../../includes/csrf.php';
require_once '../../includes/config.php'; require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
if (isset($_POST['csrf_token'])) { if (isset($_POST['csrf_token'])) {
if (csrfValidateRequest() && !CSRFValidate()) { if (csrfValidateRequest() && !CSRFValidate()) {
@ -20,4 +22,3 @@ if (isset($_POST['csrf_token'])) {
} else { } else {
handleInvalidCSRFToken(); handleInvalidCSRFToken();
} }


@ -1,7 +1,9 @@
<?php <?php
require '../../includes/csrf.php'; require '../../includes/csrf.php';
require_once '../../includes/config.php'; require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
$tempDir = sys_get_temp_dir(); $tempDir = sys_get_temp_dir();
$filePath = $tempDir . DIRECTORY_SEPARATOR . RASPI_DEBUG_LOG; $filePath = $tempDir . DIRECTORY_SEPARATOR . RASPI_DEBUG_LOG;
@ -19,4 +21,3 @@ if (isset($filePath)) {
header('Location: '.'/system_info'); header('Location: '.'/system_info');
exit(); exit();
} }


@ -1,6 +1,9 @@
<?php <?php
require '../../includes/csrf.php'; require '../../includes/csrf.php';
require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
if (isset($_POST['csrf_token'])) { if (isset($_POST['csrf_token'])) {
if (csrfValidateRequest() && !CSRFValidate()) { if (csrfValidateRequest() && !CSRFValidate()) {
@ -18,4 +21,3 @@ if (isset($_POST['csrf_token'])) {
} else { } else {
handleInvalidCSRFToken(); handleInvalidCSRFToken();
} }


@ -1,5 +1,9 @@
<?php <?php
require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
$logFile = '/tmp/raspap_install.log'; $logFile = '/tmp/raspap_install.log';
$searchStrings = [ $searchStrings = [
'Configure update' => 1, 'Configure update' => 1,
@ -40,4 +44,3 @@ if (file_exists($logFile)) {
} else { } else {
echo json_encode("File does not exist: $logFile"); echo json_encode("File does not exist: $logFile");
} }


@ -216,7 +216,8 @@ Option toggles are set dynamically depending on the loaded configuration
*/ */
function loadInterfaceDHCPSelect() { function loadInterfaceDHCPSelect() {
var strInterface = $('#cbxdhcpiface').val(); var strInterface = $('#cbxdhcpiface').val();
$.get('ajax/networking/get_netcfg.php?iface='+strInterface,function(data){ var csrfToken = $('meta[name=csrf_token]').attr('content');
$.post('ajax/networking/get_netcfg.php', {'iface' : strInterface, 'csrf_token': csrfToken}, function(data){
jsonData = JSON.parse(data); jsonData = JSON.parse(data);
$('#dhcp-iface')[0].checked = jsonData.DHCPEnabled; $('#dhcp-iface')[0].checked = jsonData.DHCPEnabled;
$('#txtipaddress').val(jsonData.StaticIP); $('#txtipaddress').val(jsonData.StaticIP);
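Review bot: The new `$.post('ajax/networking/get_netcfg.php', ...)` call has no failure handling, and `jsonData = JSON.parse(data)` on the next line throws if the server returns anything other than JSON, which is now more likely because get_netcfg.php rejects unauthenticated requests in this same commit. Passing `'json'` as the fourth argument, `$.post(url, payload, callback, 'json')`, lets jQuery do the parsing and route a non-JSON response to a `.fail()` handler instead of an uncaught exception inside the success callback. `jsonData` is also assigned without a declaration and so leaks to the global scope, a pre-existing line worth fixing while this call is being touched. `loadInterfaceDHCPSelect` continues past the end of the hunk.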