From d7eada81569ff97264c445d70bcdde0ea2c17ffa Mon Sep 17 00:00:00 2001
From: DL6ER <dl6er@dl6er.de>
Date: Fri, 3 Feb 2023 18:07:11 +0100
Subject: [PATCH] Remove "Remember me for 7 days" checkbox. Each user gets
 their own independent session. By default, the session will expire after 5
 minutes of no web interface being open (otherwise, it is continuously
 prolonged because of all the background API activity while refreshing the
 statistics). This timeout, however, can be set freely in pihole.toml and soon
 also in the web interface so this checkbox has stoped being useful.

Signed-off-by: DL6ER <dl6er@dl6er.de>
---
 login.php                                    |   7 +-
 scripts/pi-hole/php/auth.php                 | 134 ---------
 scripts/pi-hole/php/func.php                 | 290 -------------------
 scripts/pi-hole/php/header_authenticated.php |   5 -
 scripts/pi-hole/php/sidebar.php              |   4 +-
 style/pi-hole.css                            |   1 -
 6 files changed, 3 insertions(+), 438 deletions(-)
 delete mode 100644 scripts/pi-hole/php/auth.php
 delete mode 100644 scripts/pi-hole/php/func.php

diff --git a/login.php b/login.php
index 126dd779..e837e336 100644
--- a/login.php
+++ b/login.php
@@ -9,7 +9,6 @@
 */
 
 $wrongpassword = false;
-require_once 'func.php';
 require 'scripts/pi-hole/php/theme.php';
 require 'scripts/pi-hole/php/header.php';
 
@@ -27,7 +26,7 @@ require 'scripts/pi-hole/php/header.php';
 
         <div class="card">
             <div class="card-body login-card-body">
-                <div id="cookieInfo" class="panel-title text-center text-red" style="font-size: 150%" hidden>Verify that cookies are allowed for <code><?php echo $_SERVER['HTTP_HOST']; ?></code></div>
+                <div id="cookieInfo" class="panel-title text-center text-red" style="font-size: 150%" hidden>Verify that cookies are allowed</div>
                 <?php if ($wrongpassword) { ?>
                 <div class="form-group has-error login-box-msg">
                     <label class="control-label"><i class="fa fa-times-circle"></i> Wrong password!</label>
@@ -42,10 +41,6 @@ require 'scripts/pi-hole/php/header.php';
                             <input type="password" id="loginpw" name="pw" class="form-control" placeholder="Password" spellcheck="false" autocomplete="current-password" autofocus>
                             <span class="fa fa-key form-control-feedback"></span>
                         </div>
-                        <div>
-                            <input type="checkbox" id="logincookie" name="persistentlogin" disabled="true">
-                            <label for="logincookie">Remember me for 7 days</label>
-                        </div>
                     </div>
                     <div class="form-group">
                         <button type="submit" class="btn btn-primary form-control"><i class="fas fa-sign-in-alt"></i>&nbsp;&nbsp;&nbsp;Log in</button>
diff --git a/scripts/pi-hole/php/auth.php b/scripts/pi-hole/php/auth.php
deleted file mode 100644
index 113fe072..00000000
--- a/scripts/pi-hole/php/auth.php
+++ /dev/null
@@ -1,134 +0,0 @@
-<?php
-/* Pi-hole: A black hole for Internet advertisements
-*  (c) 2017 Pi-hole, LLC (https://pi-hole.net)
-*  Network-wide ad blocking via your own hardware.
-*
-*  This file is copyright under the latest version of the EUPL.
-*  Please see LICENSE file for your rights under this license.
-*/
-
-require_once 'func.php';
-
-$ERRORLOG = getenv('PHP_ERROR_LOG');
-if (empty($ERRORLOG)) {
-    $ERRORLOG = '/var/log/lighttpd/error-pihole.log';
-
-    if (!file_exists($ERRORLOG) || !is_writable($ERRORLOG)) {
-        $ERRORLOG = '/var/log/apache2/error.log';
-
-        if (!file_exists($ERRORLOG) || !is_writable($ERRORLOG)) {
-            $ERRORLOG = '/tmp/pi-hole-error.log';
-        }
-    }
-}
-
-function pi_log($message)
-{
-    error_log(date('Y-m-d H:i:s').': '.$message."\n", 3, $GLOBALS['ERRORLOG']);
-}
-
-function log_and_die($message)
-{
-    pi_log($message);
-
-    exit($message);
-}
-
-function check_cors()
-{
-    $ip = $_SERVER['SERVER_ADDR'];
-
-    // Check CORS
-    $AUTHORIZED_HOSTNAMES = array(
-        $ip,
-        str_replace(array('[', ']'), array('', ''), $_SERVER['SERVER_NAME']),
-        'pi.hole',
-        'localhost',
-    );
-
-    // Allow user set virtual hostnames
-    $virtual_host = getenv('VIRTUAL_HOST');
-    if (!empty($virtual_host)) {
-        array_push($AUTHORIZED_HOSTNAMES, $virtual_host);
-    }
-
-    // Allow user set CORS
-    $cors_hosts = getenv('CORS_HOSTS');
-    if (!empty($cors_hosts)) {
-        // Push all hosts from comma separated list
-        $cors_hosts_array = explode(',', $cors_hosts);
-        // Add all hosts to the list of authorized hosts
-        foreach ($cors_hosts_array as $host) {
-            array_push($AUTHORIZED_HOSTNAMES, $host);
-        }
-    }
-
-    // Since the Host header is easily manipulated, we can only check if it's wrong and can't use it
-    // to validate that the client is authorized, only unauthorized.
-    $server_host = $_SERVER['HTTP_HOST'];
-
-    // Use parse_url if HTTP_HOST contains a colon (:) to get the host name
-    // e.g.
-    // https://pi.hole
-    // pi.hole:8080
-    // However, we don't use parse_url(...) if there is no colon, since it will fail for e.g. "pi.hole"
-
-    // Don't use parse_url for IPv6 addresses, since it does not support them
-    // see PHP bug report: https://bugs.php.net/bug.php?id=72811
-    if (strpos($server_host, ':') && !strpos($server_host, '[') && !strpos($server_host, ']')) {
-        $server_host = parse_url($_SERVER['HTTP_HOST'], PHP_URL_HOST);
-    }
-    // Remove "[" ... "]"
-    $server_host = str_replace(array('[', ']'), array('', ''), $server_host);
-
-    if (isset($_SERVER['HTTP_HOST']) && !in_array($server_host, $AUTHORIZED_HOSTNAMES)) {
-        log_and_die('Failed Host Check: '.$server_host.' vs '.htmlspecialchars(join(', ', $AUTHORIZED_HOSTNAMES)));
-    }
-
-    if (isset($_SERVER['HTTP_ORIGIN'])) {
-        $server_origin = $_SERVER['HTTP_ORIGIN'];
-
-        // Detect colon in $_SERVER['HTTP_ORIGIN'] (see comment above)
-        if (strpos($server_origin, ':') && !strpos($server_origin, '[') && !strpos($server_origin, ']')) {
-            $server_origin = parse_url($_SERVER['HTTP_ORIGIN'], PHP_URL_HOST);
-        }
-        // Remove "[", "]","http://", and "https://"
-        $server_origin = str_replace(array('[', ']', 'http://', 'https://'), array('', '', '', ''), $server_origin);
-
-        if (!in_array($server_origin, $AUTHORIZED_HOSTNAMES)) {
-            log_and_die('Failed CORS: '.htmlspecialchars($server_origin).' vs '.htmlspecialchars(join(', ', $AUTHORIZED_HOSTNAMES)));
-        }
-        /* header("Access-Control-Allow-Origin: ${_SERVER['HTTP_ORIGIN']}"); */
-    }
-    // If there's no HTTP_ORIGIN, CORS should not be used
-}
-
-function check_csrf($token)
-{
-    // Start a new PHP session (or continue an existing one)
-    if (session_status() != PHP_SESSION_ACTIVE) {
-        start_php_session();
-    }
-
-    if (!isset($_SESSION['token'])) {
-        log_and_die('Session expired! Please re-login on the Pi-hole dashboard.');
-    }
-
-    if (empty($token)) {
-        log_and_die('Empty token! Check if cookies are enabled on your system.');
-    }
-
-    if (!hash_equals($_SESSION['token'], $token)) {
-        log_and_die('Wrong token! Please re-login on the Pi-hole dashboard.');
-    }
-}
-
-function check_domain(&$domains)
-{
-    foreach ($domains as &$domain) {
-        $validDomain = validDomain($domain);
-        if (!$validDomain) {
-            log_and_die(htmlspecialchars($domain.' is not a valid domain'));
-        }
-    }
-}
diff --git a/scripts/pi-hole/php/func.php b/scripts/pi-hole/php/func.php
deleted file mode 100644
index 48297557..00000000
--- a/scripts/pi-hole/php/func.php
+++ /dev/null
@@ -1,290 +0,0 @@
-<?php
-/* Pi-hole: A black hole for Internet advertisements
-*  (c) 2017 Pi-hole, LLC (https://pi-hole.net)
-*  Network-wide ad blocking via your own hardware.
-*
-*  This file is copyright under the latest version of the EUPL.
-*  Please see LICENSE file for your rights under this license.
-*/
-
-// Credit: http://stackoverflow.com/a/4694816/2087442
-// Modified because of https://github.com/pi-hole/AdminLTE/pull/533
-/* ini_set('pcre.recursion_limit', 1500); */
-/*
-function validDomain($domain_name, &$message = null)
-{
-    // special handling of the root zone `.`
-    if ($domain_name == '.') {
-        return true;
-    }
-
-    if (!preg_match('/^((-|_)*[a-z\\d]((-|_)*[a-z\\d])*(-|_)*)(\\.(-|_)*([a-z\\d]((-|_)*[a-z\\d])*))*$/i', $domain_name)) {
-        if ($message !== null) {
-            $message = 'it contains invalid characters';
-        }
-
-        return false;
-    }
-    if (!preg_match('/^.{1,253}$/', $domain_name)) {
-        if ($message !== null) {
-            $message = 'its length is invalid';
-        }
-
-        return false;
-    }
-    if (!preg_match('/^[^\\.]{1,63}(\\.[^\\.]{1,63})*$/', $domain_name)) {
-        if ($message !== null) {
-            $message = 'at least one label is of invalid length';
-        }
-
-        return false;
-    }
-
-    // everything is okay
-    return true;
-}
-
-function validDomainWildcard($domain_name)
-{
-    // Skip this checks for the root zone `.`
-    if ($domain_name == '.') {
-        return true;
-    }
-    // There has to be either no or at most one "*" at the beginning of a line
-    $validChars = preg_match('/^((\\*\\.)?[_a-z\\d](-*[_a-z\\d])*)(\\.([_a-z\\d](-*[a-z\\d])*))*(\\.([_a-z\\d])*)*$/i', $domain_name);
-    $lengthCheck = preg_match('/^.{1,253}$/', $domain_name);
-    $labelLengthCheck = preg_match('/^[^\\.]{1,63}(\\.[^\\.]{1,63})*$/', $domain_name);
-
-    return $validChars && $lengthCheck && $labelLengthCheck; // length of each label
-}
-
-function validIP($address)
-{
-    if (preg_match('/[.:0]/', $address) && !preg_match('/[1-9a-f]/', $address)) {
-        // Test if address contains either `:` or `0` but not 1-9 or a-f
-        return false;
-    }
-
-    return !filter_var($address, FILTER_VALIDATE_IP) === false;
-}
-
-function validCIDRIP($address)
-{
-    // This validation strategy has been taken from ../js/groups-common.js
-    $isIPv6 = strpos($address, ':') !== false;
-    if ($isIPv6) {
-        // One IPv6 element is 16bit: 0000 - FFFF
-        $v6elem = '[0-9A-Fa-f]{1,4}';
-        // dnsmasq allows arbitrary prefix-length since https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=35f93081dc9a52e64ac3b7196ad1f5c1106f8932
-        $v6cidr = '([1-9]|[1-9][0-9]|1[01][0-9]|12[0-8])';
-        $validator = "/^(((?:{$v6elem}))((?::{$v6elem}))*::((?:{$v6elem}))((?::{$v6elem}))*|((?:{$v6elem}))((?::{$v6elem})){7})\\/{$v6cidr}$/";
-
-        return preg_match($validator, $address);
-    }
-    // One IPv4 element is 8bit: 0 - 256
-    $v4elem = '(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]?|0)';
-    // dnsmasq allows arbitrary prefix-length
-    $allowedv4cidr = '(([1-9]|[12][0-9]|3[0-2]))';
-    $validator = "/^{$v4elem}\\.{$v4elem}\\.{$v4elem}\\.{$v4elem}\\/{$allowedv4cidr}$/";
-
-    return preg_match($validator, $address);
-}
-
-function validMAC($mac_addr)
-{
-    // Accepted input format: 00:01:02:1A:5F:FF (characters may be lower case)
-    return !filter_var($mac_addr, FILTER_VALIDATE_MAC) === false;
-}
-
-function get_ip_type($ip)
-{
-    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) ? 4 :
-        (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) ? 6 :
-        0);
-}
-*/
-function checkfile($filename)
-{
-    if (is_readable($filename)) {
-        return $filename;
-    }
-    // substitute dummy file
-    return '/dev/null';
-}
-
-// Credit: http://php.net/manual/en/function.hash-equals.php#119576
-if (!function_exists('hash_equals')) {
-    function hash_equals($known_string, $user_string)
-    {
-        $ret = 0;
-
-        if (strlen($known_string) !== strlen($user_string)) {
-            $user_string = $known_string;
-            $ret = 1;
-        }
-
-        $res = $known_string ^ $user_string;
-
-        for ($i = strlen($res) - 1; $i >= 0; --$i) {
-            $ret |= ord($res[$i]);
-        }
-
-        return !$ret;
-    }
-}
-
-function returnSuccess($message = '', $json = true)
-{
-    if ($json) {
-        return array('success' => true, 'message' => $message);
-    }
-    echo $message.'<br>';
-
-    return true;
-}
-
-function returnError($message = '', $json = true)
-{
-    $message = htmlentities($message);
-    if ($json) {
-        return array('success' => false, 'message' => $message);
-    }
-    echo $message.'<br>';
-
-    return false;
-}
-
-function getQueryTypeStr($querytype)
-{
-    $qtypes = array('A', 'AAAA', 'ANY', 'SRV', 'SOA', 'PTR', 'TXT', 'NAPTR', 'MX', 'DS', 'RRSIG', 'DNSKEY', 'NS', 'OTHER', 'SVCB', 'HTTPS');
-    $qtype = intval($querytype);
-    if ($qtype > 0 && $qtype <= count($qtypes)) {
-        return $qtypes[$qtype - 1];
-    }
-
-    return 'TYPE'.($qtype - 100);
-}
-
-// Functions to return Alert messages (success, error, warning) in JSON format.
-// Used in multiple pages.
-
-// Return Success message in JSON format
-function JSON_success($message = null)
-{
-    /* header('Content-type: application/json'); */
-    echo json_encode(array('success' => true, 'message' => $message));
-}
-
-// Return Error message in JSON format
-function JSON_error($message = null)
-{
-    /* header('Content-type: application/json'); */
-    $response = array('success' => false, 'message' => $message);
-    if (isset($_POST['action'])) {
-        array_push($response, array('action' => $_POST['action']));
-    }
-    echo json_encode($response);
-}
-
-// Return Warning message in JSON format.
-// - sends "success", because it wasn't a failure.
-// - sends "warning" to use the correct alert type.
-function JSON_warning($message = null)
-{
-    /* header('Content-type: application/json'); */
-    echo json_encode(array(
-        'success' => true,
-        'warning' => true,
-        'message' => $message,
-    ));
-}
-
-// Try to convert possible IDNA domain to Unicode
-function convertIDNAToUnicode($IDNA)
-{
-    if (extension_loaded('intl')) {
-        // we try the UTS #46 standard first
-        // as this is the new default, see https://sourceforge.net/p/icu/mailman/message/32980778/
-        // We know that this fails for some Google domains violating the standard
-        // see https://github.com/pi-hole/AdminLTE/issues/1223
-        if (defined('INTL_IDNA_VARIANT_UTS46')) {
-            // We have to use the option IDNA_NONTRANSITIONAL_TO_ASCII here
-            // to ensure sparkasse-gießen.de is not converted into
-            // sparkass-giessen.de but into xn--sparkasse-gieen-2ib.de
-            // as mandated by the UTS #46 standard
-            $unicode = idn_to_utf8($IDNA, IDNA_NONTRANSITIONAL_TO_ASCII, INTL_IDNA_VARIANT_UTS46);
-        } elseif (defined('INTL_IDNA_VARIANT_2003')) {
-            // If conversion failed, try with the (deprecated!) IDNA 2003 variant
-            // We have to check for its existence as support of this variant is
-            // scheduled for removal with PHP 8.0
-            // see https://wiki.php.net/rfc/deprecate-and-remove-intl_idna_variant_2003
-            $unicode = idn_to_utf8($IDNA, IDNA_DEFAULT, INTL_IDNA_VARIANT_2003);
-        }
-    }
-
-    // if the conversion failed (e.g. domain to long) return the original domain
-    if ($unicode == false) {
-        return $IDNA;
-    } else {
-        return $unicode;
-    }
-}
-
-// Convert a given (unicode) domain to IDNA ASCII
-function convertUnicodeToIDNA($unicode)
-{
-    if (extension_loaded('intl')) {
-        // Be prepared that this may fail and see our comments about convertIDNAToUnicode()
-        if (defined('INTL_IDNA_VARIANT_UTS46')) {
-            $IDNA = idn_to_ascii($unicode, IDNA_NONTRANSITIONAL_TO_ASCII, INTL_IDNA_VARIANT_UTS46);
-        } elseif (defined('INTL_IDNA_VARIANT_2003')) {
-            $IDNA = idn_to_ascii($unicode, IDNA_DEFAULT, INTL_IDNA_VARIANT_2003);
-        }
-    }
-
-    // if the conversion failed (e.g. domain to long) return the original domain
-    if ($IDNA == false) {
-        return $unicode;
-    } else {
-        return $IDNA;
-    }
-}
-
-// Get FTL process information (used in settings.php)
-function get_FTL_data($FTLpid, $arg)
-{
-    return trim(exec('ps -p '.$FTLpid.' -o '.$arg));
-}
-
-// Convert seconds into readable time (used in settings.php)
-function convertseconds($argument)
-{
-    $seconds = round($argument);
-    if ($seconds < 60) {
-        return sprintf('%ds', $seconds);
-    }
-    if ($seconds < 3600) {
-        return sprintf('%dm %ds', $seconds / 60, $seconds % 60);
-    }
-    if ($seconds < 86400) {
-        return sprintf('%dh %dm %ds', $seconds / 3600 % 24, $seconds / 60 % 60, $seconds % 60);
-    }
-
-    return sprintf('%dd %dh %dm %ds', $seconds / 86400, $seconds / 3600 % 24, $seconds / 60 % 60, $seconds % 60);
-}
-
-function start_php_session()
-{
-    // Prevent Session ID from being passed through URLs
-    /* ini_set('session.use_only_cookies', 1); */
-    /* session_start(); */
-    // HttpOnly: Prevents javascript XSS attacks aimed to steal the session ID
-    //
-    // SameSite=Strict: Allows servers to assert that a cookie ought not to be
-    // sent along with cross-site requests. This assertion allows user agents to
-    // mitigate the risk of cross-origin information leakage, and provides some
-    // protection against cross-site request forgery attacks.
-    // Direct support of Samesite has been added to PHP only in version 7.3
-    // We manually set the cookie option ourselves to ensure backwards compatibility
-    /* header('Set-Cookie: PHPSESSID='.session_id().'; path=/; HttpOnly; SameSite=Strict'); */
-}
diff --git a/scripts/pi-hole/php/header_authenticated.php b/scripts/pi-hole/php/header_authenticated.php
index c586b1cf..c7b1cdfc 100644
--- a/scripts/pi-hole/php/header_authenticated.php
+++ b/scripts/pi-hole/php/header_authenticated.php
@@ -8,12 +8,7 @@
 *  Please see LICENSE file for your rights under this license.
 */
 
-require 'scripts/pi-hole/php/auth.php';
-require_once 'scripts/pi-hole/php/func.php';
 require 'scripts/pi-hole/php/theme.php';
-
-check_cors();
-
 require 'header.php';
 ?>
     <link rel="stylesheet" href="<?php echo fileversion('style/vendor/datatables.min.css'); ?>">
diff --git a/scripts/pi-hole/php/sidebar.php b/scripts/pi-hole/php/sidebar.php
index 6d43f9b2..96f50faa 100644
--- a/scripts/pi-hole/php/sidebar.php
+++ b/scripts/pi-hole/php/sidebar.php
@@ -86,8 +86,8 @@
                     <a href="groups-adlists.php">
                         <i class="fa fa-fw menu-icon fa-shield-alt"></i> <span>Adists
                         <span class="pull-right-container">
-                            <span class="label bg-blue pull-right" id="num_gravity" title="Total number of domains blocked by your Pi-hole"></span>
-                            <span class="label bg-yellow pull-right" id="num_lists" title="Number of defined adlists"></span>
+                            <span class="label bg-blue pull-right" id="num_lists" title="Number of defined adlists"></span>
+                            <span class="label bg-yellow pull-right" id="num_gravity" title="Total number of domains blocked by your Pi-hole"></span>
                         </span>
                     </a>
                 </li>
diff --git a/style/pi-hole.css b/style/pi-hole.css
index bbdb06af..6bb79a3c 100644
--- a/style/pi-hole.css
+++ b/style/pi-hole.css
@@ -582,7 +582,6 @@ td.details-control {
 .login-options div:last-child {
   margin-right: 2px;
   margin-bottom: 0 !important;
-  flex: 0 1 auto;
   font-size: 95%;
 }