Require CSRF token when changing settings

This commit is contained in:
Mcat12
2017-04-02 20:04:39 -04:00
parent 4d9d9dc949
commit fe7f3d3873
2 changed files with 12 additions and 0 deletions


@@ -130,6 +130,9 @@ function isinserverlist($addr) {
if(isset($_POST["field"]))
{
// Handle CSRF
check_csrf(isset($_POST["token"]) ? $_POST["token"] : "");
// Process request
switch ($_POST["field"]) {
// Set DNS server
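Review bot: The new `check_csrf(isset($_POST["token"]) ? $_POST["token"] : "")` call at the top of the `if(isset($_POST["field"]))` branch substitutes an empty string when no token was posted, so a request with the token simply omitted is only rejected if `check_csrf` itself never accepts `""` — for example if the session-side token is unset or empty on first use and the comparison is a plain `==`/`===`, an empty submission could match; `check_csrf` is not visible in this commit, so this is worth confirming. A cheaper fail-closed guard is to refuse the request before the comparison, e.g. `if(!isset($_POST["token"])) { die("Missing CSRF token"); }` and then call `check_csrf($_POST["token"])` only on a present value. Please also confirm that `check_csrf` compares with `hash_equals()` and terminates the request (rather than returning a value this branch ignores), since nothing after the call re-checks its result. The `if` block and the `switch` that follows continue past the end of this hunk, so any POST handling that lives outside the `field` branch is not covered by this check.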


@@ -392,6 +392,7 @@
</div>
<div class="box-footer">
<input type="hidden" name="field" value="DHCP">
<input type="hidden" name="token" value="<?php echo $token ?>">
<button type="submit" class="btn btn-primary pull-right">Save</button>
</div>
</form>
@@ -588,6 +589,7 @@
</div>
<div class="box-footer">
<input type="hidden" name="field" value="DNS">
<input type="hidden" name="token" value="<?php echo $token ?>">
<button type="submit" class="btn btn-primary pull-right">Save</button>
</div>
</form>
@@ -629,6 +631,7 @@
<form role="form" method="post">
<button type="button" class="btn btn-default confirm-flushlogs">Flush logs</button>
<input type="hidden" name="field" value="Logging">
<input type="hidden" name="token" value="<?php echo $token ?>">
<?php if($piHoleLogging) { ?>
<input type="hidden" name="action" value="Disable">
<button type="submit" class="btn btn-primary pull-right">Disable query logging</button>
@@ -713,6 +716,7 @@
</div>
<div class="box-footer">
<input type="hidden" name="field" value="API">
<input type="hidden" name="token" value="<?php echo $token ?>">
<button type="button" class="btn btn-primary api-token">Show API token</button>
<button type="submit" class="btn btn-primary pull-right">Save</button>
</div>
@@ -764,6 +768,7 @@
</div>
<div class="box-footer">
<input type="hidden" name="field" value="webUI">
<input type="hidden" name="token" value="<?php echo $token ?>">
<button type="submit" class="btn btn-primary pull-right">Save</button>
</div>
</form>
@@ -795,12 +800,15 @@
<form role="form" method="post" id="rebootform">
<input type="hidden" name="field" value="reboot">
<input type="hidden" name="token" value="<?php echo $token ?>">
</form>
<form role="form" method="post" id="restartdnsform">
<input type="hidden" name="field" value="restartdns">
<input type="hidden" name="token" value="<?php echo $token ?>">
</form>
<form role="form" method="post" id="flushlogsform">
<input type="hidden" name="field" value="flushlogs">
<input type="hidden" name="token" value="<?php echo $token ?>">
</form>
</div>
</div>
@@ -863,6 +871,7 @@ if($FTL)
<label for="zip_file">File input</label>
<input type="file" name="zip_file" id="zip_file">
<p class="help-block">Upload only Pi-hole backup files.</p>
<input type="hidden" name="token" value="<?php echo $token ?>">
<button type="submit" class="btn btn-default" name="action" value="in">Import</button>
</div>
</div>
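Review bot: Each added hidden input writes `$token` into an HTML attribute with a bare `<?php echo $token ?>` (first at the DHCP form in the `@@ -392,6 +392,7 @@` hunk and repeated in every later hunk of this file); none of the hunks show where `$token` is produced, so if it is not guaranteed to be attribute-safe it should be escaped at the point of output, `value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>"`. If the token is known to be hex or base64 from `random_bytes`/`bin2hex` the escaping is a no-op, but it removes the dependency on that property holding in the generator. Since the same line now appears nine times, a one-line helper that prints the escaped hidden input would keep the escaping in one place, though that is a style choice. The file-upload form in the last hunk starts before the hunk, so its `enctype` and the remaining fields could not be checked here.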