
commotion-feed's Introduction


Feed of Commotion components to be pulled in by Commotion-Router (https://github.com/opentechinstitute/commotion-router). This repository is not meant to be used directly, but rather just contains packaging information that is pulled in by the OpenWRT buildsystem on which Commotion-Router is built.

Commotion-Feed's packages directory contains Makefiles for each Commotion package, but source code for those packages is stored in their respective repositories.

commotion-feed's People

Contributors

dismantl, gradyoti, hawkinswnaf, jheretic, natmey


commotion-feed's Issues

Serval route signing key in olsr-mdp is static

FINDING ID: iSEC-COMMO13-10

TARGETS: The Serval route signing key.

DESCRIPTION: The Serval route signing key is static across all Commotion instances. This provides no security, as anyone with the key can publish signed routes that all other routers will accept. The key can either be extracted from the firmware or downloaded on GitHub to be later leveraged by attackers.

Additionally, iSEC is unaware of a method within the web interface to change or rotate these keys.

EXPLOIT SCENARIO: An attacker joins the backhaul wireless mesh network by brute forcing WEP. The attacker generates malicious OLSR route advertisements and signs them with the known secret key. The routers will identify the signature as valid and update their routing tables accordingly, allowing the malicious user to redirect traffic as he sees fit.

SHORT TERM SOLUTION: Several options:

  • Allow a device administrator to change the key
  • Use a key derivation function (KDF) based on the network key

LONG TERM SOLUTION: Handling secure key generation and distribution is a difficult problem with both technical and UI/UX challenges. Consider policies related to the security level of the router as described in commotion-openwrt issue 23

Fatal build error in luci-i18n-commotion

The po2lmo utility is causing fatal build errors again.

svn co http://svn.luci.subsignal.org/luci/branches/luci-0.11/modules/base/ /mnt/build_tree_2/commotion-router/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/luci-i18n-commotion-master/po2lmo/.
svn: URL 'http://svn.luci.subsignal.org/luci/branches/luci-0.11/modules/base' doesn't exist

See 5e9012c and 2260c95 for previous fixes.

Allow adding hostnames to olsrd's nameservice plugin

Currently, due to input validation in olsrd's init script, there is no way to add IP/hostname pairs to the nameservice plugin. The format olsrd expects in its config file for IP/hostname entries is:

PlParam "1.2.3.4" "nodename"

Olsrd's init script turns /etc/config/olsrd UCI entries into the olsrd config file. So for IP/hostname pairs, the option name (the IP address) would contain periods, which is disallowed in UCI.

To solve this issue, we would need to add logic to the olsrd init script to convert some new option, like hostname for instance, into the right format for the olsrd config file. So as an example, the following line in /etc/config/olsrd:

option hostname "1.2.3.4/nodename"

would be converted into:

PlParam "1.2.3.4" "nodename"

in the generated olsrd config file, /var/run/olsrd.conf.
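One way to implement the conversion this issue asks for, written here as an added example and not taken from commotion-feed or olsrd's real init script; the function names and the validation rules (dotted-quad IPv4 address, RFC 952 style hostname) are assumptions:

```shell
#!/bin/sh
# Added example: turn a UCI value of the form "IP/name" into the
# PlParam line olsrd's nameservice plugin expects. Validation is an
# assumption of this example, so that a malformed option can never
# inject extra quoted fields into /var/run/olsrd.conf.

# hostname_to_plparam "1.2.3.4/nodename" -> PlParam "1.2.3.4" "nodename"
# Prints nothing and returns 1 if the value is malformed.
hostname_to_plparam() {
    value="$1"
    ip="${value%%/*}"
    name="${value#*/}"
    # Reject values with no slash, or with an empty half
    [ "$ip" != "$value" ] || return 1
    [ -n "$ip" ] && [ -n "$name" ] || return 1
    # Accept only a dotted-quad IPv4 address and hostname characters
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$name" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$' || return 1
    printf 'PlParam "%s" "%s"\n' "$ip" "$name"
}

# Read UCI-style lines on stdin (e.g. a section of /etc/config/olsrd)
# and emit one PlParam line per well-formed "option hostname" entry.
uci_hostnames_to_plparams() {
    while read -r key opt val; do
        [ "$key" = "option" ] && [ "$opt" = "hostname" ] || continue
        val="${val#\"}"; val="${val%\"}"    # strip surrounding quotes
        hostname_to_plparam "$val" \
            || printf '# skipped malformed hostname entry: %s\n' "$val" >&2
    done
}

# Constructed sample input, standing in for /etc/config/olsrd
printf 'config olsrd\n\toption hostname "10.0.0.1/gateway"\n' \
    | uci_hostnames_to_plparams
```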

Update serval-dna and serval-crypto Makefiles

The serval-dna and serval-crypto Makefiles need to be updated to build against the commotion-wireless git branch of upstream Serval, rather than the 0.9 or 0.91 batphone release tarballs, and tested to make sure that they build correctly. This is the implementation of the fix for #19

Update olsrd version

It is currently pinned to the commotion-0.2 tag, but we've since made updates to the olsrd repo.

luci-commotion-apps does not install assets properly

Since the repo merge, luci-commotion-apps fails to install images, stylesheets, and javascript properly. The package assets are available in buildroot's staging directory and are actually available in /www/luci-commotion/apps/, but are not listed by opkg files luci-commotion-apps. The files should be installed in /www/luci-static/commotion/.

This is the list of files installed on the router:
/usr/lib/lua/luci/controller/commotion/apps_controller.lua
/usr/lib/lua/luci/view/commotion/apps_view.htm
/usr/lib/lua/luci/model/cbi/commotion/app_settings.lua
/usr/lib/lua/luci/view/themes/commotion/apps_apps.htm
/usr/lib/lua/luci/view/commotion/apps_settings.htm
/usr/lib/lua/luci/view/commotion/apps_display.htm
/usr/lib/lua/luci/view/themes/commotion/apps_categories.htm
/usr/lib/lua/luci/view/commotion/apps_form.htm
/usr/lib/lua/luci/view/commotion/apps_admin_display.htm

This is the full list of files that should be installed:
/www/luci-static/commotion/code.png
/www/luci-static/commotion/equals.png
/www/luci-static/commotion/radio.png
/www/luci-static/commotion/apps_form.js
/www/luci-static/commotion/chat.png
/www/luci-static/commotion/audio.png
/www/luci-static/commotion/apps.js
/usr/lib/lua/luci/controller/commotion/apps_controller.lua
/usr/lib/lua/luci/view/commotion/apps_view.htm
/www/luci-static/commotion/x.png
/usr/lib/lua/luci/model/cbi/commotion/app_settings.lua
/usr/lib/lua/luci/view/themes/commotion/apps_apps.htm
/usr/lib/lua/luci/view/commotion/apps_settings.htm
/www/luci-static/commotion/write.png
/www/luci-static/commotion/email.png
/www/luci-static/commotion/commotion-faded2.png
/www/luci-static/commotion/calendar.png
/www/luci-static/commotion/internet.png
/usr/lib/lua/luci/view/commotion/apps_display.htm
/usr/lib/lua/luci/view/themes/commotion/apps_categories.htm
/www/luci-static/commotion/check.png
/www/luci-static/commotion/commotion-faded.png
/www/luci-static/commotion/downloads.png
/usr/lib/lua/luci/view/commotion/apps_form.htm
/www/luci-static/commotion/apps.css
/www/luci-static/commotion/bann.png
/www/luci-static/commotion/admin_apps.js
/www/luci-static/commotion/photo.png
/www/luci-static/commotion/patternizer.min.js
/usr/lib/lua/luci/view/commotion/apps_admin_display.htm

Logic establishing thisnode alias as a replacement for 192.168.1.20 is incomplete

The logic responsible for establishing the thisnode alias, which resides in openwrt/files/etc/hotplug.d/iface/90-thisnode, only sets up the alias if an ap interface is active. As a result, the current logic does not create the thisnode alias before quickstart has been run, which makes the node setup process considerably more complicated for a non-technical user. Additionally, there are several hard-coded references to 192.168.1.20 in various places in the build tree, which become invalid when the 192.168.1.20 alias is removed:

openwrt/files/etc/nodogsplash/nodogsplash.conf:FirewallRule allow to 192.168.1.20
openwrt/feeds/packages/net/haproxy/files/haproxy.cfg: server server02 192.168.1.20:80 source 192.168.1.1
openwrt/feeds/packages/net/haproxy/files/haproxy.cfg: server server02 192.168.1.20:123 source 192.168.1.1:25
openwrt/feeds/packages/net/ucarp/files/ucarp.conf:MYIP=192.168.1.20
openwrt/staging_dir/target-mips_r2_uClibc-0.9.33.2/root-ar71xx/etc/uci-defaults/commotiond:echo '192.168.1.20 thisnode' >> /etc/hosts
openwrt/staging_dir/target-mips_r2_uClibc-0.9.33.2/root-ar71xx/usr/lib/lua/luci/controller/commotion-splash/splash.lua: FirewallRule allow to 192.168.1.20

SQL Injection in rhizome http service

The HTTP URL parameters are not sanitized in rhizome_http.c when /rhizome/manifestbyprefix/ is requested.

Since SQLite is used as a DBMS, no grave security impact could be found in the context of this service. A cause for concern would arise if another DBMS was to be used, as it could lead to a potential command execution with the INTO OUTFILE statements. For this reason, the SQL parameters should be sanitized regardless of which DBMS is chosen, as a change may result in injections leading to information leakages.

Originally reported as WRT-01-005

Serval-DNA build script assumes build tree is a git repo

This bug affects users who download a commotion-openwrt tar archive instead of cloning the commotion-openwrt git repo. Submit upstream patch if necessary.

(Was Bug 624 on code.commotionwireless.net)

This issue is in follow-up to #622 that was marked resolved yesterday.

The problem is that Commotion-OpenWRT build will fail with the following error if no level in serval-dna-batphone's path inside the build tree is a git repo:

make[4]: Entering directory `/blah/blah/commotion-openwrt/openwrt/build_dir/target-mips_uClibc-0.9.33.2/serval-dna-batphone-release-0.91'
  LINK servald
fatal: Not a git repository (or any of the parent directories): .git
make[4]: *** [servald] Error 128
make[4]: Leaving directory `/blah/blah/commotion-openwrt/openwrt/build_dir/target-mips_uClibc-0.9.33.2/serval-dna-batphone-release-0.91'
make[3]: *** [/blah/blah/commotion-openwrt/openwrt/build_dir/target-mips_uClibc-0.9.33.2/serval-dna-batphone-release-0.91/.built] Error 2
make[3]: Leaving directory `/blah/blah/commotion-openwrt/openwrt/feeds/commotion/packages/serval-dna'
make[2]: *** [package/feeds/commotion/serval-dna/compile] Error 2
make[2]: Leaving directory `/blah/blah/commotion-openwrt/openwrt'
make[1]: *** [/blah/blah/commotion-openwrt/openwrt/staging_dir/target-mips_uClibc-0.9.33.2/stamp/.package_compile] Error 2
make[1]: Leaving directory `/blah/blah/commotion-openwrt/openwrt'
make: *** [world] Error 2

This error occurs because /blah/blah/commotion-openwrt/openwrt/build_dir/target-mips_uClibc-0.9.33.2/serval-dna-batphone-release-0.91/Makefile runs the script version_string.sh in the same directory to generate a string representing the current revision.

This works for instances where the Commotion-OpenWRT codebase is itself cloned from github, as version_string.sh will then return "DR2", but really this approach is only working by coincidence. version_string.sh is likely expecting to retrieve the current git revision for serval-dna, and not for an unrelated repo in a higher up directory.

A possible resolution is to add a patch to commotion/packages/serval-dna/patches to alter version_string.sh so that it doesn't expect a git repo in its current directory.

commotion-gui package depends on non-existent package luci-i18n-commotion

luci-i18n-commotion was split into separate packages for each language in 3ea7112. The commotion-gui package still depends on the old name, luci-i18n-commotion, and gets excluded by make menuconfig for the missing dependency.

tmp/.config-package.in:46271:warning: 'select' used by config symbol 'PACKAGE_commotion-gui' refer to undefined symbol 'PACKAGE_luci-i18n-commotion'

This causes various other packages to not build properly (namely commotion-splash) without some manual intervention.

I am not an expert in the openwrt build system, but to fix it for my own purposes I just removed the dependency from commotion-gui and everything was fine again.

I am using the 1.1 branch, but I believe this problem still exists in master.

luci-i18n-commotion build fails on 1.1 branch

luci is no longer available from svn.luci.subsignal.org, so the package does not properly build anymore.

This was already fixed on master in #63.

Could this patch be merged into the 1.1 branch?

Roll our own wpad-mini package with IBSS-RSN and test to make sure it works.

We can save some space by using wpad-mini (as is the default usually in OpenWRT) rather than wpad. The only reason we don't is because wpad-mini is not compiled with support for IBSS-RSN. However if it works to just add a compile-time option, we could save a good 500K or so, as we don't need all of the WPA-Enterprise stuff that is included in wpad.
