Require CORS check on all admin pages

This is mainly added so that an ad can't enable/disable the Pi-hole by simply loading a url like `http://pi.hole/admin/index.php?disable`
2026-06-06 07:55:48 +01:00 · 2016-11-07 21:10:36 -05:00
parent 91ffc9522c
commit d2fcc36341
4 changed files with 84 additions and 55 deletions
@@ -1,6 +1,14 @@
 <?php
 require('auth.php');

+if(!isset($_POST['domain'], $_POST['list'], $_POST['token'])) {
+    log_and_die("Missing POST variables");
+}
+
+check_cors();
+check_csrf();
+check_domain();
+
 switch($_POST['list']) {
    case "white":
        exec("sudo pihole -w -q -d ${_POST['domain']}");