Require CORS check on all admin pages

This is mainly added so that an ad can't enable or disable the Pi-hole
simply by loading a URL like `http://pi.hole/admin/index.php?disable`
This commit is contained in:
Mcat12
2016-11-07 21:10:36 -05:00
parent 91ffc9522c
commit d2fcc36341
4 changed files with 84 additions and 55 deletions
+58 -48
@@ -14,67 +14,77 @@ function log_and_die($message) {
die($message);
}
if(!isset($_POST['domain'], $_POST['list'], $_POST['token'])) {
log_and_die("Missing POST variables");
}
function check_cors() {
// Check CORS
$AUTHORIZED_HOSTNAMES = array(
'http://' . $_SERVER['SERVER_ADDR'],
'http://pi.hole',
'http://localhost'
);
$AUTHORIZED_HOSTNAMES = array(
'http://' . $_SERVER['SERVER_ADDR'],
'http://pi.hole',
'http://localhost'
);
# Allow user set virtual hostnames
$virtual_host = getenv('VIRTUAL_HOST');
if (! empty($virtual_host))
array_push($AUTHORIZED_HOSTNAMES, 'http://' . $virtual_host);
# Allow user set virtual hostnames
$virtual_host = getenv('VIRTUAL_HOST');
if (! empty($virtual_host))
array_push($AUTHORIZED_HOSTNAMES, 'http://' . $virtual_host);
if(isset($_SERVER['HTTP_HOST'])) {
if(in_array('http://'.$_SERVER['HTTP_HOST'], $AUTHORIZED_HOSTNAMES)) {
header("Access-Control-Allow-Origin: ${_SERVER['HTTP_HOST']}");
}
else {
log_and_die("Failed CORS: http://" . $_SERVER['HTTP_HOST'] .' vs '. join(',', $AUTHORIZED_HOSTNAMES));
}
}
else {
pi_log("HTTP_HOST check skipped, unknown HTTP_HOST");
}
// Check CORS
if(isset($_SERVER['HTTP_ORIGIN'])) {
if(in_array($_SERVER['HTTP_ORIGIN'], $AUTHORIZED_HOSTNAMES)) {
$CORS_ALLOW_ORIGIN = $_SERVER['HTTP_ORIGIN'];
if(isset($_SERVER['HTTP_ORIGIN'])) {
if(in_array($_SERVER['HTTP_ORIGIN'], $AUTHORIZED_HOSTNAMES)) {
header("Access-Control-Allow-Origin: ${_SERVER['HTTP_ORIGIN']}");
} else {
log_and_die("Failed CORS: " . $_SERVER['HTTP_ORIGIN'] .' vs '. join(',', $AUTHORIZED_HOSTNAMES));
}
} else {
log_and_die("Failed CORS: " . $_SERVER['HTTP_ORIGIN'] .' vs '. join(',', $AUTHORIZED_HOSTNAMES));
pi_log("CORS skipped, unknown HTTP_ORIGIN");
}
header("Access-Control-Allow-Origin: $CORS_ALLOW_ORIGIN");
} else {
pi_log("CORS skipped, unknown HTTP_ORIGIN");
//pi_log("CORS allowed: " . join(',', $AUTHORIZED_HOSTNAMES));
}
// Otherwise probably same origin... out of the scope of CORS
session_start();
function check_csrf() {
// Check CSRF token
session_start();
// Check CSRF token
// Credit: http://php.net/manual/en/function.hash-equals.php#119576
if(!function_exists('hash_equals')) {
function hash_equals($known_string, $user_string) {
$ret = 0;
// Credit: http://php.net/manual/en/function.hash-equals.php#119576
if(!function_exists('hash_equals')) {
function hash_equals($known_string, $user_string) {
$ret = 0;
if (strlen($known_string) !== strlen($user_string)) {
$user_string = $known_string;
$ret = 1;
if (strlen($known_string) !== strlen($user_string)) {
$user_string = $known_string;
$ret = 1;
}
$res = $known_string ^ $user_string;
for ($i = strlen($res) - 1; $i >= 0; --$i) {
$ret |= ord($res[$i]);
}
return !$ret;
}
}
$res = $known_string ^ $user_string;
if(!isset($_SESSION['token'], $_POST['token']) || !hash_equals($_SESSION['token'], $_POST['token'])) {
log_and_die("Wrong token");
}
}
for ($i = strlen($res) - 1; $i >= 0; --$i) {
$ret |= ord($res[$i]);
function check_domain() {
if(isset($_POST['domain'])){
$validDomain = is_valid_domain_name($_POST['domain']);
if(!$validDomain){
log_and_die($_POST['domain']. ' is not a valid domain');
}
return !$ret;
}
}
if(!isset($_SESSION['token'], $_POST['token']) || !hash_equals($_SESSION['token'], $_POST['token'])) {
log_and_die("Wrong token");
}
if(isset($_POST['domain'])){
$validDomain = is_valid_domain_name($_POST['domain']);
if(!$validDomain){
log_and_die($_POST['domain']. ' is not a valid domain');
}
}
?>
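Review bot: The Host-header branch of check_cors() (the `if(isset($_SERVER['HTTP_HOST']))` block) compares `'http://' . $_SERVER['HTTP_HOST']` against a list of origins, so a legitimate request whose Host carries a port (e.g. `pi.hole:8080`) is rejected, and the `in_array` call is non-strict; at minimum write `if(in_array('http://' . $_SERVER['HTTP_HOST'], $AUTHORIZED_HOSTNAMES, true)) {` and label the branch with `// Host allowlist: reject requests addressed to an unexpected hostname; the HTTP_ORIGIN check below is the actual CORS check`. Emitting `Access-Control-Allow-Origin` from HTTP_HOST is also misleading, because that header is meant to echo a validated Origin (with scheme) and the Origin branch already sets it, so the Host branch could simply fall through on success. Neither check by itself covers the scenario in the commit description: a cross-site image or script load of `index.php?disable` arrives with an allowed Host and no Origin header, so that decision rests on check_csrf() being invoked on every such page, and a one-line comment on check_csrf() stating this would help the next maintainer. The three other changed files that wire these functions into the pages are not in view here, so whether every page calls them cannot be confirmed from this hunk.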