The existing code failed to set the uci cursor save directory to the current
session path, causing the apply routine to either fail or to merge settings
from unrelated neighboring sessions, potentially leaking data.
Solve the issue by switching the uci cursor save directory to the session
directory before performing the actual apply actions.
Additionally set the save directory path to "/dev/null" during rollback, to
avoid merging unrelated system-wide uci changes when restoring configs from
the snapshot directory.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

The rpc_uci_replace_savedir() function removes all configured save directories
from the uci cursor instance and adds the given path argument as the sole item.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

Reclaim the pending apply session upon login when the username matches the
current login.
This is required to support the apply-confirm-rollback workflow for ubus
browser clients, since changing IPs requires re-login to the device due to
cross-domain restrictions.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

The libuci `uci_set_savedir()` function does not replace, but appends the
requested delta directory to the search path; this causes information leaks
between sessions.
Due to a lack of an official API for this, clear the uci context's private
delta path before setting the save directory.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

Previously any session with access permissions for the corresponding method
was able to confirm or roll back commits initiated by another session.
Change those methods to only grant access to the initiating session.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

Calling commit with rollback=false to cancel a pending rollback timer can
potentially trigger another commit if no rollback is actually pending.
This introduces a new method "confirm" which cancels the rollback timer
without any other possible side effects.
While at it, change the return code when trying to commit during
a pending rollback or when trying to roll back without a pending timeout to
UBUS_STATUS_NO_DATA. This is needed to be able to differentiate between a
denied request and an inappropriate state.
Also change the error return code for glob() failures to the more
appropriate UBUS_STATUS_NOT_FOUND.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>