Implement a new "cgi-exec" applet which allows to invoke remote commands
and stream their stdandard output back to the client via HTTP. This is
needed in cases where large amounts of data or binary encoded contents
such as tar archives need to be transferred, which are unsuitable to be
transported via ubus directly.
The exec call is guarded by the same ACL semantics as rpcd's file plugin,
means in order to be able to execute a command remotely, the ubus session
identified by the given session ID must have read access to the "exec"
function of the "cgi-io" scope and an explicit "exec" permission rule for
the invoked command in the "file" scope.
In order to initiate a transfer, a POST request in x-www-form-urlencoded
format must be sent to the applet, with one field "sessionid" holding
the login session and another field "command" specifiying the commandline
to invoke.
Further optional fields are "filename" which - if present - will cause
the download applet to set a Content-Dispostition header and "mimetype"
which allows to let the applet respond with a specific type instead of
the default "application/octet-stream".
Below is an example for the required ACL rules to grant exec access to
both the "date" and "iptables" commands. The "date" rule specifies the
base name of the executable and thus allows invocation with arbitrary
parameters while the latter "iptables" rule merely allows one specific
set of arguments which must appear exactly in the given order.
ubus call session grant '{
"ubus_rpc_session": "...",
"scope": "cgi-io",
"objects": [
[ "exec", "read" ]
]
}'
ubus call session grant '{
"ubus_rpc_session": "...",
"scope": "file",
"objects": [
[ "/bin/date", "exec" ],
[ "/usr/sbin/iptables -n -v -L", "exec" ]
]
}'
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
- IPv6 support
- Fix HTTP/2 negociation
- Improve endpoint fallback
- Add support for unencrypted DNS
- Many other fixes and features
Signed-off-by: Olivier Poitrey <rs@nextdns.io>
When present on the build system dnsdist will try to make use of libcap. This
change adds an explicit dependency to ensure it's present at build time, to
prevent build failures when another package brings the dependency in.
Signed-off-by: James Taylor <james@jtaylor.id.au>
* remove 'ransomware' blocklist by abbuse.ch (discontinued)
from default adblock config
* fix/switch 'someonewhocares' config to https only
* fix curl download parameters to follow redirects and
suppress needless output
* made the tmp directory of sort operations configurable,
set 'adb_sorttmp' accordingly (only supported by 'coreutils-sort')
Signed-off-by: Dirk Brenken <dev@brenken.org>
This new release also installs additional 'shared utils' loadable
libraries in /usr/lib/ModemManager, so make sure we include them in
the packaging.
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
Update dnsdist to next major release 1.4.0. This release introduces
dependencies on libh2o-evloop and libwslay for support of DNS over
HTTPS.
Release Blog Post: https://blog.powerdns.com/2019/11/20/dnsdist-1-4-0/
Changelog: https://dnsdist.org/changelog.html#change-1.4.0
Also removes compatibility patches required for previous release that have
been incorporated upstream.
Signed-off-by: James Taylor <james@jtaylor.id.au>