Prevent potential execution of arbitrary code through the PIHOLE_DOCKER_TAG variable and AUTHORIZED_HOSTNAMES

Signed-off-by: Adam Warner <me@adamwarner.co.uk>
Adam Warner
2022-02-11 23:21:04 +00:00
parent bb4cafcb7c
commit d0ceca674d
2 changed files with 3 additions and 3 deletions


@@ -73,7 +73,7 @@ function check_cors() {
$server_host = str_replace(array("[","]"), array("",""), $server_host);
if(isset($_SERVER['HTTP_HOST']) && !in_array($server_host, $AUTHORIZED_HOSTNAMES)) {
log_and_die("Failed Host Check: " . $server_host .' vs '. join(', ', $AUTHORIZED_HOSTNAMES));
log_and_die("Failed Host Check: " . $server_host .' vs '. htmlspecialchars(join(', ', $AUTHORIZED_HOSTNAMES)));
}
if(isset($_SERVER['HTTP_ORIGIN'])) {
@@ -88,7 +88,7 @@ function check_cors() {
$server_origin = str_replace(array("[","]","http://","https://"), array("","","",""), $server_origin);
if(!in_array($server_origin, $AUTHORIZED_HOSTNAMES)) {
log_and_die("Failed CORS: " . htmlspecialchars($server_origin) .' vs '. join(', ', $AUTHORIZED_HOSTNAMES));
log_and_die("Failed CORS: " . htmlspecialchars($server_origin) .' vs '. htmlspecialchars(join(', ', $AUTHORIZED_HOSTNAMES)));
}
header("Access-Control-Allow-Origin: ${_SERVER['HTTP_ORIGIN']}");
}