Implement CSRF token for list editing

2026-04-26 11:50:09 +01:00 · 2016-05-02 20:33:29 -04:00
parent d4838fea8c
commit 283f4b7978
3 changed files with 31 additions and 12 deletions
--- a/php/add.php
+++ b/php/add.php
@@ -1,12 +1,18 @@
 <?php
-if(!isset($_GET['domain'], $_GET['list']))
+if(!isset($_POST['domain'], $_POST['list'], $_POST['token']))
    die();

-switch($_GET['list']) {
+session_start();
+
+// Check CSRF token
+if(!hash_equals($_SESSION['token'], $_POST['token']))
+    die("Wrong token!");
+
+switch($_POST['list']) {
    case "white":
-        exec("sudo pihole -w -q ${_GET['domain']}");
+        exec("sudo pihole -w -q ${_POST['domain']}");
        break;
    case "black":
-        exec("sudo pihole -b -q ${_GET['domain']}");
+        exec("sudo pihole -b -q ${_POST['domain']}");
        break;
 }