luci-base: Bug in resolve_firstchild results in 403 Forbidden
mikma opened this issue · 2 comments
mikma commented
A bug in resolve_firstchild means it may return a page the user hasn't access to causing 403 Forbidden, A patch which fixes the bug is included at the bottom.
The following can reproduce the problem:
- Create a user such as test in the openwrt shell, and set the password (the script below expects "test"):
echo "test::0:0:99999:7:::" >> /etc/shadow
echo "test:x:1047:100:Test user:/tmp:/bin/false" >> /etc/passwd
passwd test
- Add a login section to rpcd for the user:
uci batch <<EOF
add rpcd login
set rpcd.@login[-1].username='test'
set rpcd.@login[-1].password='\$p\$test'
add_list rpcd.@login[-1].read='unauthenticated'
add_list rpcd.@login[-1].read='luci-base'
commit rpcd
EOF
- Add a menu item:
cat > /usr/share/luci/menu.d/test-acl.json <<EOF
{
"admin/system/test-acl": {
"title": "Test ACL",
"order": 100,
"action": {
"type": "template",
"path": "test_acl"
}
}
}
EOF
- Add a page template:
cat > /usr/share/ucode/luci/template/test_acl.ut <<EOF
{% include('header') %}
<p>Hello World</p>
{% include('footer') %}
EOF
- Run the following function with the hostname/IP address as the argument:
run_test() {
hostname=$1
tmpfile=$(mktemp)
cookiefile=$(mktemp)
curl --silent --cookie-jar $cookiefile --location --data-urlencode "luci_username=test" --data-urlencode "luci_password=test" "http://$hostname/cgi-bin/luci/" > $tmpfile
if ! grep "Hello World" $tmpfile >/dev/null; then
echo "Test FAILED"
else
echo "Test PASSED"
fi
rm "$tmpfile"
rm "$cookiefile"
}
run_test 192.168.0.1
Actual behavior:
Test FAILED
Expected behavior:
Test PASSED
Additional Information:
OpenWrt version information from system /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='SNAPSHOT'
DISTRIB_REVISION='r27041-7686ce4a91'
DISTRIB_TARGET='x86/64'
DISTRIB_ARCH='x86_64'
DISTRIB_DESCRIPTION='OpenWrt SNAPSHOT r27041-7686ce4a91'
DISTRIB_TAINTS=''
Patch
--- /usr/share/ucode/luci/dispatcher.uc.orig 2024-07-30 19:31:27.890643889 +0000
+++ /usr/share/ucode/luci/dispatcher.uc 2024-07-30 19:31:39.122534632 +0000
@@ -582,7 +582,7 @@
session = is_authenticated(node.auth);
let cacl = child.depends?.acl;
- let login = login_allowed || child.auth?.login;
+ let login = !session && (login_allowed || child.auth?.login);
if (login || check_acl_depends(cacl, session?.acls?.["access-group"]) != null) {
if (child.title && type(child.action) == "object") {
mikma commented
Another user posted a question about the the same problem in the forum last year:
Luci JS: How to Prevent the Root URL from Opening an ACL-Restricted Item
jow- commented
Fixed, thanks!