Modifications to support core queryFunc() changes

* Set pcre.recursion_limit, 3x the limit necessary to process a valid 253 character domain name
* Updated validate_domain() to include underscore as a valid character within a domain 
* Run escapeshellarg() on `pihole -q` command in the unlikely event that a maliciously crafted domain query is able to pass validate_domain()
* Known issues: Changes to the output of this file and to Pi-hole core's queryFunc() result in `queryads.js` failing to work (thereby breaking Tools > Query adlists)
This commit is contained in:
WaLLy3K
2017-05-02 10:47:02 +10:00
committed by GitHub
parent 91a8622aec
commit ab126d94e0


@@ -9,52 +9,31 @@
ob_end_flush();
ini_set("output_buffering", "0");
ob_implicit_flush(true);
header('Content-Type: text/event-stream');
header('Cache-Control: no-cache');
header("Content-Type: text/event-stream");
header("Cache-Control: no-cache");
ini_set("pcre.recursion_limit", 1500);
function echoEvent($datatext) {
if(!isset($_GET["IE"]))
echo "data: ".implode("\ndata: ", explode("\n", $datatext))."\n\n";
else
echo $datatext;
function validate_domain($domain) { // Cr: http://stackoverflow.com/a/4694816
return (preg_match("/^([a-z\d]((-|_)*[a-z\d])*)(\.([a-z\d]((-|_)*[a-z\d])*))*$/i", $domain) // Valid chars check
&& preg_match("/^.{1,253}$/", $domain) // Overall length check
&& preg_match("/^[^\.]{1,63}(\.[^\.]{1,63})*$/", $domain)); // Length of each label
}
// Credit: http://stackoverflow.com/a/4694816/2087442
function is_valid_domain_name($domain_name)
{
return (preg_match("/^([a-z\d](-*[a-z\d])*)(\.([a-z\d](-*[a-z\d])*))*$/i", $domain_name) //valid chars check
&& preg_match("/^.{1,253}$/", $domain_name) //overall length check
&& preg_match("/^[^\.]{1,63}(\.[^\.]{1,63})*$/", $domain_name) ); //length of each label
}
// Test if domain is set
if(isset($_GET["domain"]))
{
// Is this a valid domain?
$url = $_GET["domain"];
if(!is_valid_domain_name($url))
{
echoEvent("Invalid domain!");
die();
// Validate domain, if set
if(isset($_GET["domain"])) {
if(validate_domain($_GET["domain"])) {
$domain = $_GET["domain"];
} else {
die("::: Invalid domain");
}
}
else
{
echoEvent("No domain provided");
die();
} else {
die("::: Domain query not specified");
}
if(isset($_GET["exact"]))
{
$exact = "-exact";
}
else
{
$exact = "";
}
$exact = isset($_GET["exact"]) ? "-exact" : "";
$proc = popen("sudo pihole -q ".$url." ".$exact, 'r');
$proc = popen("sudo pihole -q ".escapeshellarg($domain)." $exact", "r");
while (!feof($proc)) {
echoEvent(fread($proc, 4096));
echo fread($proc, 4096);
}
?>
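Review bot: The three preg_match() patterns in validate_domain() still accept a domain with a trailing newline, because a PCRE `$` without the `D` modifier also matches just before a final "\n", so `?domain=example.com%0A` passes every check and reaches popen(). escapeshellarg() keeps the shell itself safe, but the newline is handed to `pihole -q` inside the quoted argument, which undercuts the commit's intent of validate_domain() being the primary filter. Adding `D` to each pattern closes this: `/^([a-z\d]((-|_)*[a-z\d])*)(\.([a-z\d]((-|_)*[a-z\d])*))*$/iD`, `/^.{1,253}$/D` and `/^[^\.]{1,63}(\.[^\.]{1,63})*$/D`. It is also worth noting in a comment that preg_match() returns false on a PCRE error (for example when the lowered pcre.recursion_limit is hit), which the `&&` chain treats as a rejection, e.g. `// preg_match() returns false on PCRE error; the && chain then rejects the domain`. Separately, the popen() handle is never pclose()d and its return value is not checked for false before feof() is called on it.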