Pi-Hole/PADD
1
0
Fork 0
mirror of https://github.com/pi-hole/PADD.git synced 2026-04-02 00:18:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Prevent password leakage via curl process information (#496)

Browse Source
This commit is contained in:
yubiuser
2026-03-21 20:50:03 +01:00
committed by GitHub
parent 5cfb88ce2f 2b63af4b13
commit 2fabe3529b
1 changed files with 22 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
padd.sh
View File

@@ -274,7 +274,13 @@ DeleteSession() {
# SID is not null (successful authenthication only), delete the session
if [ "${validSession}" = true ] && [ "${SID}" != null ]; then
# Try to delete the session. Omit the output, but get the http status code
deleteResponse=$(curl --connect-timeout 2 -skS -o /dev/null -w "%{http_code}" -X DELETE "${API_URL}auth" -H "Accept: application/json" -H "sid: ${SID}")
# SID is passed via stdin config (-K -) to prevent leakage via process information
deleteResponse=$(curl --connect-timeout 2 -skS -o /dev/null -w "%{http_code}" -X DELETE "${API_URL}auth" \
-H "Accept: application/json" \
-K - <<EOF
header = "sid: ${SID}"
EOF
)
printf "\n\n"
case "${deleteResponse}" in
@@ -289,7 +295,14 @@ DeleteSession() {
}
Authenticate() {
sessionResponse="$(curl --connect-timeout 2 -skS -X POST "${API_URL}auth" --user-agent "PADD ${padd_version}" --data "{\"password\":\"${password}\", \"totp\":${totp:-null}}" )"
# password and totp are passed via stdin as binary-data to prevent leakage via process information
sessionResponse="$(curl --connect-timeout 2 -skS -X POST "${API_URL}auth" \
--user-agent "PADD ${padd_version}" \
-H "Content-Type: application/json" \
--data-binary @- <<EOF
{"password":"${password}", "totp":${totp:-null}}
EOF
)"
if [ -z "${sessionResponse}" ]; then
moveXOffset; echo "No response from FTL server. Please check connectivity and use the options to set the API URL"
@@ -311,7 +324,13 @@ GetFTLData() {
local status
# get the data from querying the API as well as the http status code, include delimiter for ease in splitting payload
response=$(curl --connect-timeout 2 -sk -w ">>%{http_code}" -X GET "${API_URL}$1$2" -H "Accept: application/json" -H "sid: ${SID}" )
# SID is passed via stdin config (-K -) to prevent leakage via process information
response=$(curl --connect-timeout 2 -sk -w ">>%{http_code}" -X GET "${API_URL}$1$2" \
-H "Accept: application/json" \
-K - <<EOF
header = "sid: ${SID}"
EOF
)
# status is the response http_code, eg. 200, 401.
# Shell parameter expansion, remove everything up to and including the >> delim