mirror of
https://github.com/DigitalDevices/octonet.git
synced 2023-10-10 13:36:52 +02:00
added pishing frustration to updateserver.lua
Only accepts hosts which resolve to a private IPv4 address (10, 172.16-31, 192.168). This should make it harder to trick people into installing bad FW images.
parent
6da12f3a8d
commit
26df0f5dfa
@ -1,5 +1,8 @@
|
|||||||
#!/usr/bin/lua
|
#!/usr/bin/lua
|
||||||
|
|
||||||
|
local socket = require("socket")
|
||||||
|
local url = require("socket.url")
|
||||||
|
|
||||||
local host = os.getenv("HTTP_HOST")
|
local host = os.getenv("HTTP_HOST")
|
||||||
local proto = os.getenv("SERVER_PROTOCOL")
|
local proto = os.getenv("SERVER_PROTOCOL")
|
||||||
local query = os.getenv("QUERY_STRING")
|
local query = os.getenv("QUERY_STRING")
|
||||||
@ -12,6 +15,19 @@ function http_print(s)
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
function SendError(err,desc)
|
||||||
|
http_print(proto.." "..err)
|
||||||
|
http_print("Content-Type: text/html")
|
||||||
|
http_print()
|
||||||
|
local file = io.open("e404.html")
|
||||||
|
if file then
|
||||||
|
local tmp = file:read("*a")
|
||||||
|
tmp = string.gsub(tmp,"404 Not Found",err .. " " .. desc)
|
||||||
|
http_print(tmp)
|
||||||
|
file:close()
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
local hex_to_char = function(x)
|
local hex_to_char = function(x)
|
||||||
return string.char(tonumber(x,16))
|
return string.char(tonumber(x,16))
|
||||||
end
|
end
|
||||||
@ -39,12 +55,28 @@ elseif query:sub(1,4) == "set=" then
|
|||||||
if userver ~= "" then
|
if userver ~= "" then
|
||||||
userver = userver:gsub("%%(%x%x)",hex_to_char)
|
userver = userver:gsub("%%(%x%x)",hex_to_char)
|
||||||
-- userver = userver:gsub("+"," ")
|
-- userver = userver:gsub("+"," ")
|
||||||
|
local valid = false
|
||||||
|
local path = url.parse("http://"..userver)
|
||||||
|
if path.host then
|
||||||
|
local ip = socket.dns.toip(path.host)
|
||||||
|
if ip == nil then
|
||||||
|
ip = path.host
|
||||||
|
end
|
||||||
|
local p1,p2 = ip:match("(%d+)%.(%d+)%.%d+%.%d+")
|
||||||
|
p1 = tonumber(p1)
|
||||||
|
p2 = tonumber(p2)
|
||||||
|
valid = (p1 == 10) or ((p1 == 172) and (p2 >= 16) and (p2 <= 31)) or ((p1 == 192) and (p2 == 168))
|
||||||
|
end
|
||||||
|
if valid then
|
||||||
local file = io.open("/config/updateserver","w")
|
local file = io.open("/config/updateserver","w")
|
||||||
if file then
|
if file then
|
||||||
file:write(userver.."\n")
|
file:write(userver.."\n")
|
||||||
file:close()
|
file:close()
|
||||||
delimages = true
|
delimages = true
|
||||||
end
|
end
|
||||||
|
else
|
||||||
|
SendError(400, "Invalid or not local: ".. userver)
|
||||||
|
end
|
||||||
else
|
else
|
||||||
os.remove("/config/updateserver")
|
os.remove("/config/updateserver")
|
||||||
delimages = true
|
delimages = true
|
||||||
|
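Review bot: The private-range check in the `set=` branch validates the address that `socket.dns.toip(path.host)` returns at save time, but `file:write(userver.."\n")` stores the original name, so the consumer of /config/updateserver (not visible here) presumably resolves it again later and may get a different, non-private address; the same check should run where the update is fetched, or the resolved address should be what is stored. The check is also looser than the description says: when resolution fails the code falls back to `ip = path.host`, and the pattern is unanchored, so a name that merely contains a dotted quad is matched as if it were an address; anchoring it as `ip:match("^(%d+)%.(%d+)%.%d+%.%d+$")` closes that. Separately, `SendError(400, "Invalid or not local: ".. userver)` puts the percent-decoded request value unescaped into a `text/html` body and into a `string.gsub` replacement string where `%` is special, so it should be HTML-escaped and have `%` doubled first. The `elseif` chain this branch belongs to starts and continues outside the hunk.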