1
0
mirror of https://github.com/DigitalDevices/octonet.git synced 2023-10-10 13:36:52 +02:00

added pishing frustration to updateserver.lua

Only accepts hosts which resolve to a private ipv4 address (10,
172.16-31, 192.168
This should making it harder to trick people into installing bad FW
images
This commit is contained in:
mvoelkel 2015-10-03 17:49:06 +02:00
parent 6da12f3a8d
commit 26df0f5dfa

View File

@ -1,5 +1,8 @@
#!/usr/bin/lua #!/usr/bin/lua
local socket = require("socket")
local url = require("socket.url")
local host = os.getenv("HTTP_HOST") local host = os.getenv("HTTP_HOST")
local proto = os.getenv("SERVER_PROTOCOL") local proto = os.getenv("SERVER_PROTOCOL")
local query = os.getenv("QUERY_STRING") local query = os.getenv("QUERY_STRING")
@ -12,6 +15,19 @@ function http_print(s)
end end
end end
function SendError(err,desc)
http_print(proto.." "..err)
http_print("Content-Type: text/html")
http_print()
local file = io.open("e404.html")
if file then
local tmp = file:read("*a")
tmp = string.gsub(tmp,"404 Not Found",err .. " " .. desc)
http_print(tmp)
file:close()
end
end
local hex_to_char = function(x) local hex_to_char = function(x)
return string.char(tonumber(x,16)) return string.char(tonumber(x,16))
end end
@ -39,12 +55,28 @@ elseif query:sub(1,4) == "set=" then
if userver ~= "" then if userver ~= "" then
userver = userver:gsub("%%(%x%x)",hex_to_char) userver = userver:gsub("%%(%x%x)",hex_to_char)
-- userver = userver:gsub("+"," ") -- userver = userver:gsub("+"," ")
local valid = false
local path = url.parse("http://"..userver)
if path.host then
local ip = socket.dns.toip(path.host)
if ip == nil then
ip = path.host
end
local p1,p2 = ip:match("(%d+)%.(%d+)%.%d+%.%d+")
p1 = tonumber(p1)
p2 = tonumber(p2)
valid = (p1 == 10) or ((p1 == 172) and (p2 >= 16) and (p2 <= 31)) or ((p1 == 192) and (p2 == 168))
end
if valid then
local file = io.open("/config/updateserver","w") local file = io.open("/config/updateserver","w")
if file then if file then
file:write(userver.."\n") file:write(userver.."\n")
file:close() file:close()
delimages = true delimages = true
end end
else
SendError(400, "Invalid or not local: ".. userver)
end
else else
os.remove("/config/updateserver") os.remove("/config/updateserver")
delimages = true delimages = true