From 8c0f7853519cd9747cc5c8dff26f9d0099943cf7 Mon Sep 17 00:00:00 2001
From: RD WebDesign <github@rdwebdesign.com.br>
Date: Sun, 13 Jul 2025 02:55:19 -0300
Subject: [PATCH] Replace `mg.request_info.request_uri` with the variable
 `scriptname`

The information from `mg.request_info.request_uri` depends on the URL typed
by the user. This information was used without any sanitization, allowing
an attacker to send crafted links containing anything, including javascript
code, which could be loaded and executed in a few pages.

Replacing this value with `scriptname` variable fixes the issue, since this
variable contains the name of the file currently being executed. This
information cannot be externally manipulated and it is safe to be used on
the page.

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
---
 error403.lp                         | 2 +-
 error404.lp                         | 2 +-
 login.lp                            | 2 +-
 scripts/lua/header_authenticated.lp | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/error403.lp b/error403.lp
index eb28cb64..f777938a 100644
--- a/error403.lp
+++ b/error403.lp
@@ -10,7 +10,7 @@
 mg.include('scripts/lua/header.lp','r')
 ?>
 </head>
-<body class="hold-transition layout-boxed login-page page-<?=pihole.format_path(mg.request_info.request_uri)?>">
+<body class="hold-transition layout-boxed login-page page-<?=pihole.format_path(scriptname)?>">
     <div class="box login-box">
         <section style="padding: 15px;">
                 <h2 class="error-headline text-danger">403</h2>
diff --git a/error404.lp b/error404.lp
index ec6560e4..db032d50 100644
--- a/error404.lp
+++ b/error404.lp
@@ -10,7 +10,7 @@
 mg.include('scripts/lua/header.lp','r')
 ?>
 </head>
-<body class="hold-transition layout-boxed login-page page-<?=pihole.format_path(mg.request_info.request_uri)?>">
+<body class="hold-transition layout-boxed login-page page-<?=pihole.format_path(scriptname)?>">
     <div class="box login-box">
         <section style="padding: 15px;">
                 <h2 class="error-headline text-yellow">404</h2>
diff --git a/login.lp b/login.lp
index 680ef99e..5816082f 100644
--- a/login.lp
+++ b/login.lp
@@ -10,7 +10,7 @@
 mg.include('scripts/lua/header.lp','r')
 ?>
 </head>
-<body class="hold-transition layout-boxed login-page page-<?=pihole.format_path(mg.request_info.request_uri)?>" data-apiurl="<?=pihole.api_url()?>" data-webhome="<?=webhome?>">
+<body class="hold-transition layout-boxed login-page page-<?=pihole.format_path(scriptname)?>" data-apiurl="<?=pihole.api_url()?>" data-webhome="<?=webhome?>">
 <div class="box login-box" id="login-box">
     <section style="padding: 15px;">
         <div class="login-logo">
diff --git a/scripts/lua/header_authenticated.lp b/scripts/lua/header_authenticated.lp
index 609d7420..c544cf7a 100644
--- a/scripts/lua/header_authenticated.lp
+++ b/scripts/lua/header_authenticated.lp
@@ -24,7 +24,7 @@ mg.include('header.lp','r')
     <script src="<?=pihole.fileversion('vendor/waitMe-js/modernized-waitme-min.js')?>"></script>
     <script src="<?=pihole.fileversion('scripts/js/logout.js')?>"></script>
 </head>
-<body class="<?=theme.name?> hold-transition sidebar-mini <? if pihole.boxedlayout() then ?>layout-boxed<? end ?> logged-in page-<?=pihole.format_path(mg.request_info.request_uri)?>" data-apiurl="<?=pihole.api_url()?>" data-webhome="<?=webhome?>">
+<body class="<?=theme.name?> hold-transition sidebar-mini <? if pihole.boxedlayout() then ?>layout-boxed<? end ?> logged-in page-<?=pihole.format_path(scriptname)?>" data-apiurl="<?=pihole.api_url()?>" data-webhome="<?=webhome?>">
 <noscript>
     <!-- JS Warning -->
     <div>