From d2fcc36341d70ad246cc07603cf997ffc44eed2d Mon Sep 17 00:00:00 2001
From: Mcat12 <newtoncat12@yahoo.com>
Date: Mon, 7 Nov 2016 21:10:36 -0500
Subject: [PATCH] Require CORS check on all admin pages

This is mainly added so that an ad can't enable/disable the Pi-hole
by simply loading a url like `http://pi.hole/admin/index.php?disable`
---
 header.php   |  17 +++++----
 php/add.php  |   8 ++++
 php/auth.php | 106 ++++++++++++++++++++++++++++-----------------------
 php/sub.php  |   8 ++++
 4 files changed, 84 insertions(+), 55 deletions(-)

diff --git a/header.php b/header.php
index bc31aa9e..3c8d9339 100644
--- a/header.php
+++ b/header.php
@@ -1,12 +1,15 @@
 <?php
+    require "php/auth.php";
+    check_cors();
     if (isset($_GET['enable'])) {
-      exec('sudo pihole enable');
-      $refer = $_SERVER['HTTP_REFERER'];
-      header("location:$refer");
-    } elseif (isset($_GET['disable'])) {
-      exec('sudo pihole disable');
-      $refer = $_SERVER['HTTP_REFERER'];
-      header("location:$refer");
+        exec('sudo pihole enable');
+        $refer = $_SERVER['HTTP_REFERER'];
+        header("location:$refer");
+    }
+    elseif (isset($_GET['disable'])) {
+        exec('sudo pihole disable');
+        $refer = $_SERVER['HTTP_REFERER'];
+        header("location:$refer");
     }
     $cmd = "echo $((`cat /sys/class/thermal/thermal_zone0/temp | cut -c1-2`))";
     $output = shell_exec($cmd);
diff --git a/php/add.php b/php/add.php
index ae7da1a1..dbd3e3c7 100644
--- a/php/add.php
+++ b/php/add.php
@@ -1,6 +1,14 @@
 <?php
 require('auth.php');
 
+if(!isset($_POST['domain'], $_POST['list'], $_POST['token'])) {
+    log_and_die("Missing POST variables");
+}
+
+check_cors();
+check_csrf();
+check_domain();
+
 switch($_POST['list']) {
     case "white":
         echo exec("sudo pihole -w -q ${_POST['domain']}");
diff --git a/php/auth.php b/php/auth.php
index 55e5e58d..850eb0e3 100644
--- a/php/auth.php
+++ b/php/auth.php
@@ -14,67 +14,77 @@ function log_and_die($message) {
     die($message);
 }
 
-if(!isset($_POST['domain'], $_POST['list'], $_POST['token'])) {
-    log_and_die("Missing POST variables");
-}
+function check_cors() {
+    // Check CORS
+    $AUTHORIZED_HOSTNAMES = array(
+        'http://' . $_SERVER['SERVER_ADDR'],
+        'http://pi.hole',
+        'http://localhost'
+    );
 
-$AUTHORIZED_HOSTNAMES = array(
-    'http://' . $_SERVER['SERVER_ADDR'],
-    'http://pi.hole',
-    'http://localhost'
-);
+    # Allow user set virtual hostnames
+    $virtual_host = getenv('VIRTUAL_HOST');
+    if (! empty($virtual_host))
+        array_push($AUTHORIZED_HOSTNAMES, 'http://' . $virtual_host);
 
-# Allow user set virtual hostnames
-$virtual_host = getenv('VIRTUAL_HOST');
-if (! empty($virtual_host))
-    array_push($AUTHORIZED_HOSTNAMES, 'http://' . $virtual_host);
+    if(isset($_SERVER['HTTP_HOST'])) {
+        if(in_array('http://'.$_SERVER['HTTP_HOST'], $AUTHORIZED_HOSTNAMES)) {
+            header("Access-Control-Allow-Origin: ${_SERVER['HTTP_HOST']}");
+        }
+        else {
+            log_and_die("Failed CORS: http://" . $_SERVER['HTTP_HOST'] .' vs '. join(',', $AUTHORIZED_HOSTNAMES));
+        }
+    }
+    else {
+        pi_log("HTTP_HOST check skipped, unknown HTTP_HOST");
+    }
 
-// Check CORS
-if(isset($_SERVER['HTTP_ORIGIN'])) {
-    if(in_array($_SERVER['HTTP_ORIGIN'], $AUTHORIZED_HOSTNAMES)) {
-        $CORS_ALLOW_ORIGIN = $_SERVER['HTTP_ORIGIN'];
+    if(isset($_SERVER['HTTP_ORIGIN'])) {
+        if(in_array($_SERVER['HTTP_ORIGIN'], $AUTHORIZED_HOSTNAMES)) {
+            header("Access-Control-Allow-Origin: ${_SERVER['HTTP_ORIGIN']}");
+        } else {
+            log_and_die("Failed CORS: " . $_SERVER['HTTP_ORIGIN'] .' vs '. join(',', $AUTHORIZED_HOSTNAMES));
+        }
     } else {
-        log_and_die("Failed CORS: " . $_SERVER['HTTP_ORIGIN'] .' vs '. join(',', $AUTHORIZED_HOSTNAMES));
+        pi_log("CORS skipped, unknown HTTP_ORIGIN");
     }
-    header("Access-Control-Allow-Origin: $CORS_ALLOW_ORIGIN");
-} else {
-    pi_log("CORS skipped, unknown HTTP_ORIGIN");
-    //pi_log("CORS allowed: " . join(',', $AUTHORIZED_HOSTNAMES));
 }
 
-// Otherwise probably same origin... out of the scope of CORS
-session_start();
+function check_csrf() {
+    // Check CSRF token
+    session_start();
 
-// Check CSRF token
-// Credit: http://php.net/manual/en/function.hash-equals.php#119576
-if(!function_exists('hash_equals')) {
-    function hash_equals($known_string, $user_string) {
-        $ret = 0;
+    // Credit: http://php.net/manual/en/function.hash-equals.php#119576
+    if(!function_exists('hash_equals')) {
+        function hash_equals($known_string, $user_string) {
+            $ret = 0;
 
-        if (strlen($known_string) !== strlen($user_string)) {
-            $user_string = $known_string;
-            $ret = 1;
+            if (strlen($known_string) !== strlen($user_string)) {
+                $user_string = $known_string;
+                $ret = 1;
+            }
+
+            $res = $known_string ^ $user_string;
+
+            for ($i = strlen($res) - 1; $i >= 0; --$i) {
+                $ret |= ord($res[$i]);
+            }
+
+            return !$ret;
         }
+    }
 
-        $res = $known_string ^ $user_string;
+    if(!isset($_SESSION['token'], $_POST['token']) || !hash_equals($_SESSION['token'], $_POST['token'])) {
+        log_and_die("Wrong token");
+    }
+}
 
-        for ($i = strlen($res) - 1; $i >= 0; --$i) {
-            $ret |= ord($res[$i]);
+function check_domain() {
+    if(isset($_POST['domain'])){
+        $validDomain = is_valid_domain_name($_POST['domain']);
+        if(!$validDomain){
+            log_and_die($_POST['domain']. ' is not a valid domain');
         }
-
-        return !$ret;
     }
 }
-
-if(!isset($_SESSION['token'], $_POST['token']) || !hash_equals($_SESSION['token'], $_POST['token'])) {
-    log_and_die("Wrong token");
-}
-
-if(isset($_POST['domain'])){
-    $validDomain = is_valid_domain_name($_POST['domain']);
-    if(!$validDomain){
-        log_and_die($_POST['domain']. ' is not a valid domain');
-    }
-}
-
 ?>
diff --git a/php/sub.php b/php/sub.php
index e4f02918..e4e8368f 100644
--- a/php/sub.php
+++ b/php/sub.php
@@ -1,6 +1,14 @@
 <?php
 require('auth.php');
 
+if(!isset($_POST['domain'], $_POST['list'], $_POST['token'])) {
+    log_and_die("Missing POST variables");
+}
+
+check_cors();
+check_csrf();
+check_domain();
+
 switch($_POST['list']) {
     case "white":
         exec("sudo pihole -w -q -d ${_POST['domain']}");