Merge pull request #340 from pi-hole/fix/leaked-token

Only show token when authorized and sanitize list action output
This commit is contained in:
DL6ER
2017-01-07 20:15:12 +01:00
committed by GitHub


@@ -83,15 +83,16 @@
$memory_usage = -1;
}
if($auth) {
// For session timer
$maxlifetime = ini_get("session.gc_maxlifetime");
// For session timer
$maxlifetime = ini_get("session.gc_maxlifetime");
// Generate CSRF token
if(empty($_SESSION['token'])) {
$_SESSION['token'] = base64_encode(openssl_random_pseudo_bytes(32));
// Generate CSRF token
if(empty($_SESSION['token'])) {
$_SESSION['token'] = base64_encode(openssl_random_pseudo_bytes(32));
}
$token = $_SESSION['token'];
}
$token = $_SESSION['token'];
if(isset($setupVars['WEBUIBOXEDLAYOUT']))
{
@@ -171,7 +172,7 @@
<!-- /JS Warning -->
<script src="scripts/pi-hole/js/header.js"></script>
<!-- Send token to JS -->
<div id="token" hidden><?php echo $token ?></div>
<div id="token" hidden><?php if($auth) echo $token; ?></div>
<div class="wrapper">
<header class="main-header">
<!-- Logo -->
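Review bot: The token source on the new side of the first hunk, `$_SESSION['token'] = base64_encode(openssl_random_pseudo_bytes(32));`, ignores the function's `$crypto_strong` out-parameter and its `false` return on failure, so a host with a broken OpenSSL entropy source could end up with an empty or non-cryptographic CSRF token stored in the session. On PHP 7+ the one-line fix is `$_SESSION['token'] = base64_encode(random_bytes(32));`, which throws instead of degrading; on older PHP, pass the flag and refuse to store the value when it comes back `false`. In the second hunk `<?php if($auth) echo $token; ?>` writes the token into the page unescaped — base64 output is HTML-safe today, but `htmlspecialchars($token)` would keep that true if the encoding is ever changed. Note also that `$token` is now assigned only inside `if($auth)`, so any other use of it on an unauthenticated path (not visible in these hunks) would read an undefined variable.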