firmware: allow to display changelogs; closes #341

There's more we can do with this, but let this sink in for a bit. The main goal was to provide all changelogs, signed and verified, to be resilient against phishing attacks on mirrors or MITM means.
2026-03-17 18:14:42 +00:00 · 2016-11-11 09:54:44 +01:00 · 2016-11-11 09:54:44 +01:00 · 53b0356614
commit 53b0356614
parent 003cc55e5d
2 changed files with 56 additions and 2 deletions
--- a/src/opnsense/mvc/app/controllers/OPNsense/Core/Api/FirmwareController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Core/Api/FirmwareController.php
@ -111,6 +111,32 @@ class FirmwareController extends ApiControllerBase
        return $response;
    }

+    /**
+     * Retrieve specific changelog in text and html format
+     * @param string $version changelog to retrieve
+     * @return array correspondng changelog in both formats
+     * @throws \Exception
+     */
+    public function changelogAction($version)
+    {
+        $this->sessionClose(); // long running action, close session
+        $backend = new Backend();
+        $response = array();
+
+        if ($this->request->isPost()) {
+            // sanitize package name
+            $filter = new \Phalcon\Filter();
+            $filter->add('version', function ($value) {
+                return preg_replace('/[^0-9a-zA-Z\.]/', '', $value);
+            });
+            $version = $filter->sanitize($version, 'version');
+            $response['text'] = trim($backend->configdRun(sprintf('firmware changelog text %s', $version)));
+            $response['html'] = trim($backend->configdRun(sprintf('firmware changelog html %s', $version)));
+        }
+
+        return $response;
+    }
+
    /**
     * perform reboot
     * @return array status
--- a/src/opnsense/mvc/app/views/OPNsense/Core/firmware.volt
+++ b/src/opnsense/mvc/app/views/OPNsense/Core/firmware.volt
@ -95,6 +95,29 @@ POSSIBILITY OF SUCH DAMAGE.
        });
    }

+    /**
+     * read changelog from backend
+     */
+    function changelog(version)
+    {
+        ajaxCall('/api/core/firmware/changelog/' + version, {}, function (data, status) {
+            if (data['html'] != undefined) {
+                BootstrapDialog.show({
+                    type:BootstrapDialog.TYPE_PRIMARY,
+                    title: version,
+                    /* we trust this data, it was signed by us and secured by csrf */
+                    message: htmlDecode(data['html']),
+                    buttons: [{
+                        label: "{{ lang._('Close') }}",
+                        action: function(dialogRef){
+                            dialogRef.close();
+                        }
+                    }]
+                });
+            }
+        });
+    }
+
    /**
     * perform package action, install poller to update status
     */
@ -131,7 +154,6 @@ POSSIBILITY OF SUCH DAMAGE.
                        dialogRef.close();
                    }
                }]
-
            });
        } else {
            upgrade();
@ -274,7 +296,9 @@ POSSIBILITY OF SUCH DAMAGE.
                $('#changeloglist').append(
                    '<tr><td>' + row['version'] + '</td>' +
                    '<td>' + row['date'] + '</td>' +
-                    '<td>not yet</td></tr>'
+                    '<td><button class="btn btn-default btn-xs act_changelog" data-version="' + row['version'] + '" ' +
+                    'data-toggle="tooltip" title="View ' + row['version'] + '">' +
+                    '<span class="fa fa-book"></span></button></td></tr>'
                );
            });

@ -305,6 +329,10 @@ POSSIBILITY OF SUCH DAMAGE.
                event.preventDefault();
                action('install', $(this).data('package'));
            });
+            $(".act_changelog").click(function(event) {
+                event.preventDefault();
+                changelog($(this).data('version'));
+            });
            // attach tooltip to generated buttons
            $('[data-toggle="tooltip"]').tooltip();
        });