Use comma-separated list of type integers instead of byte-coded integer.

Signed-off-by: DL6ER <dl6er@dl6er.de>
2025-12-24 04:38:28 +00:00 · 2018-08-30 15:02:33 +02:00
parent 2d1aae3078
commit d2ecf1c70a
2 changed files with 20 additions and 54 deletions
--- a/api_db.php
+++ b/api_db.php
@@ -104,55 +104,20 @@ if (isset($_GET['getAllQueries']) && $auth)
 		$dbquery = "SELECT timestamp, type, domain, client, status FROM queries WHERE timestamp >= :from AND timestamp <= :until ";
 		if(isset($_GET["types"]))
 		{
-			$types = intval($_GET["types"]);
-			$typestr = "";
-			if($types & 1) // GRAVITY
+			$types = $_GET["types"];
+			if(preg_match("/^[0-9]+(?:,[0-9]+)*$/", $types) === 1)
 			{
-				$typestr = "1";
+				// Append selector to DB query. The used regex ensures
+				// that only numbers, separated by commas are accepted
+				// to avoid code injection and other malicious things
+				// We accept only valid lists like "1,2,3"
+				// We reject ",2,3", "1,2," and similar arguments
+				$dbquery .= "AND status IN (".$types.") ";
 			}
-			if($types & 2) // FORWARDED
+			else
 			{
-				if(strlen($typestr) > 0)
-				{
-					$typestr .= ",";
-				}
-				$typestr .= "2";
+				die("Error. Selector types specified using an invalid format.");
 			}
-			if($types & 4) // CACHED
-			{
-				if(strlen($typestr) > 0)
-				{
-					$typestr .= ",";
-				}
-				$typestr .= "3";
-			}
-			if($types & 8) // REGEX/WILDCARD
-			{
-				if(strlen($typestr) > 0)
-				{
-					$typestr .= ",";
-				}
-				$typestr .= "4";
-			}
-			if($types & 16) // BLACKLIST
-			{
-				if(strlen($typestr) > 0)
-				{
-					$typestr .= ",";
-				}
-				$typestr .= "5";
-			}
-			if($types & 32) // EXTERNAL
-			{
-				if(strlen($typestr) > 0)
-				{
-					$typestr .= ",";
-				}
-				$typestr .= "6";
-			}
-
-			// Append selector to DB query
-			$dbquery .= "AND status IN (".$typestr.") ";
 		}
 		$dbquery .= "ORDER BY timestamp ASC";
 		$stmt = $db->prepare($dbquery);
--- a/scripts/pi-hole/js/db_queries.js
+++ b/scripts/pi-hole/js/db_queries.js
@@ -143,32 +143,32 @@ function handleAjaxError( xhr, textStatus, error ) {

 function getQueryTypes()
 {
-    var queryType = 0;
+    var queryType = [];
    if($("#type_gravity").prop("checked"))
    {
-        queryType = 1;
+        queryType.push(1);
    }
    if($("#type_forwarded").prop("checked"))
    {
-        queryType += 1 << 1;
+        queryType.push(2);
    }
    if($("#type_cached").prop("checked"))
    {
-        queryType += 1 << 2;
+        queryType.push(3);
    }
    if($("#type_regex").prop("checked"))
    {
-        queryType += 1 << 3;
+        queryType.push(4);
    }
    if($("#type_blacklist").prop("checked"))
    {
-        queryType += 1 << 4;
+        queryType.push(5);
    }
    if($("#type_external").prop("checked"))
    {
-        queryType += 1 << 5;
+        queryType.push(6);
    }
-    return queryType;
+    return queryType.join(",");
 }

 var reloadCallback = function()
@@ -208,8 +208,9 @@ function refreshTableData() {
    var APIstring = "api_db.php?getAllQueries&from="+from+"&until="+until;
    // Check if query type filtering is enabled
    var queryType = getQueryTypes();
-    if(queryType !== 63) // 63 (0b00111111) = all possible query types are selected
+    if(queryType !== "1,2,3,4,5,6")
    {
+        console.log(queryType);
        APIstring += "&types="+queryType;
    }
    statistics = [0,0,0];