From fe7f3d3873aa89c3fa698070147ff2ff03de63cd Mon Sep 17 00:00:00 2001
From: Mcat12 <newtoncat12@yahoo.com>
Date: Sun, 2 Apr 2017 20:04:39 -0400
Subject: [PATCH] Require CSRF token when changing settings

---
 scripts/pi-hole/php/savesettings.php | 3 +++
 settings.php                         | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/scripts/pi-hole/php/savesettings.php b/scripts/pi-hole/php/savesettings.php
index 5c759c6d..e78411e1 100644
--- a/scripts/pi-hole/php/savesettings.php
+++ b/scripts/pi-hole/php/savesettings.php
@@ -130,6 +130,9 @@ function isinserverlist($addr) {
 
 	if(isset($_POST["field"]))
 	{
+		// Handle CSRF
+		check_csrf(isset($_POST["token"]) ? $_POST["token"] : "");
+
 		// Process request
 		switch ($_POST["field"]) {
 			// Set DNS server
diff --git a/settings.php b/settings.php
index 29b0f91b..f7130b8a 100644
--- a/settings.php
+++ b/settings.php
@@ -392,6 +392,7 @@
 			</div>
 			<div class="box-footer">
 				<input type="hidden" name="field" value="DHCP">
+				<input type="hidden" name="token" value="<?php echo $token ?>">
 				<button type="submit" class="btn btn-primary pull-right">Save</button>
 			</div>
 			</form>
@@ -588,6 +589,7 @@
 			</div>
 			<div class="box-footer">
 				<input type="hidden" name="field" value="DNS">
+				<input type="hidden" name="token" value="<?php echo $token ?>">
 				<button type="submit" class="btn btn-primary pull-right">Save</button>
 			</div>
 			</form>
@@ -629,6 +631,7 @@
 				<form role="form" method="post">
 				<button type="button" class="btn btn-default confirm-flushlogs">Flush logs</button>
 				<input type="hidden" name="field" value="Logging">
+				<input type="hidden" name="token" value="<?php echo $token ?>">
 				<?php if($piHoleLogging) { ?>
 					<input type="hidden" name="action" value="Disable">
 					<button type="submit" class="btn btn-primary pull-right">Disable query logging</button>
@@ -713,6 +716,7 @@
 			</div>
 			<div class="box-footer">
 				<input type="hidden" name="field" value="API">
+				<input type="hidden" name="token" value="<?php echo $token ?>">
 				<button type="button" class="btn btn-primary api-token">Show API token</button>
 				<button type="submit" class="btn btn-primary pull-right">Save</button>
 			</div>
@@ -764,6 +768,7 @@
 			</div>
 			<div class="box-footer">
 				<input type="hidden" name="field" value="webUI">
+				<input type="hidden" name="token" value="<?php echo $token ?>">
 				<button type="submit" class="btn btn-primary pull-right">Save</button>
 			</div>
 			</form>
@@ -795,12 +800,15 @@
 
 				<form role="form" method="post" id="rebootform">
 					<input type="hidden" name="field" value="reboot">
+					<input type="hidden" name="token" value="<?php echo $token ?>">
 				</form>
 				<form role="form" method="post" id="restartdnsform">
 					<input type="hidden" name="field" value="restartdns">
+					<input type="hidden" name="token" value="<?php echo $token ?>">
 				</form>
 				<form role="form" method="post" id="flushlogsform">
 					<input type="hidden" name="field" value="flushlogs">
+					<input type="hidden" name="token" value="<?php echo $token ?>">
 				</form>
 			</div>
 		</div>
@@ -863,6 +871,7 @@ if($FTL)
 							<label for="zip_file">File input</label>
 							<input type="file" name="zip_file" id="zip_file">
 							<p class="help-block">Upload only Pi-hole backup files.</p>
+							<input type="hidden" name="token" value="<?php echo $token ?>">
 							<button type="submit" class="btn btn-default" name="action" value="in">Import</button>
 						</div>
 					</div>