From 4d9d9dc949be177099c0e6a9eebf83c24f78bb93 Mon Sep 17 00:00:00 2001
From: Mcat12
Date: Sun, 2 Apr 2017 19:23:03 -0400
Subject: [PATCH] Require CSRF token for debug log generation
---
 scripts/pi-hole/js/debug.js | 7 ++++---
 scripts/pi-hole/php/debug.php | 12 ++++++++++++
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/scripts/pi-hole/js/debug.js b/scripts/pi-hole/js/debug.js
index c0db2ce0..0a6b3ab1 100644
--- a/scripts/pi-hole/js/debug.js
+++ b/scripts/pi-hole/js/debug.js
@@ -29,20 +29,21 @@ function eventsource() {
     var ta = $("#output");
     var upload = $( "#upload" );
     var checked = "";
+    var token = encodeURIComponent($("#token").html());
     if(upload.prop("checked")) {
-        checked = "upload";
+        checked = "upload";
     }
     // IE does not support EventSource - load whole content at once
     if (typeof EventSource !== "function") {
-        httpGet(ta,"/admin/scripts/pi-hole/php/debug.php?IE&"+checked);
+        httpGet(ta,"/admin/scripts/pi-hole/php/debug.php?IE&token="+token+"&"+checked);
         return;
     }
     var host = window.location.host;
-    var source = new EventSource("/admin/scripts/pi-hole/php/debug.php?"+checked);
+    var source = new EventSource("/admin/scripts/pi-hole/php/debug.php?&token="+token+"&"+checked);
     // Reset and show field
     ta.empty();
diff --git a/scripts/pi-hole/php/debug.php b/scripts/pi-hole/php/debug.php
index 93ae3166..39d5c8ea 100644
--- a/scripts/pi-hole/php/debug.php
+++ b/scripts/pi-hole/php/debug.php
@@ -5,6 +5,18 @@ ob_implicit_flush(true);
 header('Content-Type: text/event-stream');
 header('Cache-Control: no-cache');
+require "password.php";
+require "auth.php";
+
+if(!$auth) {
+    die("Unauthorized");
+}
+
+check_cors();
+
+$token = isset($_GET["token"]) ? $_GET["token"] : "";
+check_csrf($token);
+
 function echoEvent($datatext) {
     if(!isset($_GET["IE"])) echo "data: ".implode("\ndata: ", explode("\n", $datatext))."\n\n";
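Review bot: The token is read with `$("#token").html()`, which returns the element's inner markup rather than its text, so if the token value were ever rendered with entity-escaped characters the escaped form would be URL-encoded and sent, and the server-side comparison in check_csrf would fail; `var token = encodeURIComponent($("#token").text());` reads the decoded value and is the conventional accessor for a plain string. The EventSource URL also carries a stray separator, `?&token=`; `"/admin/scripts/pi-hole/php/debug.php?token="+token+"&"+checked` matches the httpGet branch and avoids an empty query key. Because EventSource cannot set request headers, the token necessarily travels in the query string, where it is visible to access logs and intermediate proxies, so a short comment such as `// EventSource cannot send headers; the CSRF token has to be a query parameter` would record why it is not sent as a header here. eventsource() continues past the end of the hunk.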