DL6ER
fbe715c338
Small fix in password.php: Verify that there is a password hash before trying to access it
2016-11-24 12:54:26 +01:00
DL6ER
21649a2017
Extended password protection to php/queryads.php
2016-11-23 18:05:07 +01:00
DL6ER
d9adcccbc3
Merge branch 'devel' into auth
...
Conflicts:
header.php
2016-11-23 18:02:40 +01:00
DL6ER
5b15755014
Added new check for validity of domain name
2016-11-23 12:18:27 +01:00
DL6ER
64d532a95c
Pass "Invalid domain!" error message to user
2016-11-22 15:36:16 +01:00
DL6ER
7f779e482f
Check if url does exist (try to resolve!)
2016-11-22 15:30:51 +01:00
DL6ER
7f7604a6af
Add "Query adlists" feature
2016-11-22 15:23:30 +01:00
DL6ER
9e3a092701
Addressed codacy issues
2016-11-21 10:51:45 +01:00
DL6ER
f84d54558b
Allow GET hash for API calls
2016-11-20 15:46:05 +01:00
DL6ER
cd75d7e7a3
Remove hash from the javascript scripts.
2016-11-20 15:34:03 +01:00
DL6ER
02dc741209
Move from GET to SESSION variables for the sake of convenience
2016-11-20 15:27:35 +01:00
DL6ER
2c93be0174
Extended current password protection to gravity.sh page
2016-11-20 14:52:53 +01:00
DL6ER
6781fa7919
Merge branch 'devel' into auth
2016-11-20 14:47:25 +01:00
DL6ER
d899293c67
Test if POST and GET variables are set before trying to actually access them. This increases code complexity noticeably, let's see if codacy complains ...
2016-11-19 22:05:26 +01:00
DL6ER
ba811544f8
Okay, once more ...
2016-11-18 15:25:32 +01:00
DL6ER
f9b6d4d887
Make sure that the green "Success" box is only shown if gravity.sh returned "Pi-hole blocking is Enabled"
2016-11-18 15:04:46 +01:00
DL6ER
66e4da7724
Run gravity.sh from the web UI
2016-11-18 13:43:05 +01:00
DL6ER
4372c2e25b
Extend hash auth to API calls
2016-11-16 23:35:10 +01:00
Adam Warner
b9f186befb
Revert "set default time zone for date"
2016-10-18 15:52:58 +01:00
Mcat12
871bef985d
Add fallback hash_equals and use old array syntax
2016-10-13 16:25:05 -04:00
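The three commits above (constant-time `hash_equals` with a fallback for older PHP, accepting the hash via GET for API calls, and checking that a hash is present before reading it) fit together into one authentication check. The following is an added example written for this page, not AdminLTE's own `password.php` or `auth.php`; the session key `hash`, the GET parameter `hash`, the file path and the `WEBPASSWORD=` line format are assumptions for illustration.

```php
<?php
// Added example (not Pi-hole/AdminLTE code). Assumes session_start() was called
// earlier. Old array()/function syntax is kept so it runs on PHP 5.x as well.

if (!function_exists('hash_equals')) {
    // Fallback for PHP < 5.6: compare every byte and never exit early, so the
    // comparison time does not reveal how many leading bytes matched.
    function hash_equals($known, $user) {
        if (!is_string($known) || !is_string($user)) {
            return false;
        }
        if (strlen($known) !== strlen($user)) {
            return false;
        }
        $diff = 0;
        for ($i = 0; $i < strlen($known); $i++) {
            $diff |= ord($known[$i]) ^ ord($user[$i]);
        }
        return $diff === 0;
    }
}

// Reads the stored password hash. The file and key name are assumptions;
// an empty string means "no password configured".
function read_password_hash($file) {
    if (!is_readable($file)) {
        return '';
    }
    foreach (file($file, FILE_IGNORE_NEW_LINES) as $line) {
        if (strpos($line, 'WEBPASSWORD=') === 0) {
            return substr($line, strlen('WEBPASSWORD='));
        }
    }
    return '';
}

// Returns true when the request may proceed. The presented hash is looked up in
// the session first (normal UI use) and then in GET (API calls), but only after
// checking that the variable exists, so a missing hash yields false instead of
// a PHP notice about an undefined index.
function is_authenticated($stored_hash, $session, $get) {
    if ($stored_hash === '') {
        return true;   // nothing to protect
    }
    $presented = '';
    if (isset($session['hash'])) {
        $presented = $session['hash'];
    } elseif (isset($get['hash'])) {
        $presented = $get['hash'];
    }
    if (!is_string($presented) || $presented === '') {
        return false;  // no hash presented at all
    }
    return hash_equals($stored_hash, $presented);
}

// Usage in a protected script (file path is an assumed location):
$stored = read_password_hash('/etc/pihole/setupVars.conf');
if (!is_authenticated($stored, $_SESSION, $_GET)) {
    header('HTTP/1.1 401 Unauthorized');
    exit('Not authorized');
}
```

Passing `$_SESSION` and `$_GET` in as arguments keeps `is_authenticated()` testable without a web server; with `array()` for both it returns false for any non-empty stored hash, and with `array('hash' => $stored)` it returns true.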
Jakob Ackermann
fb995872d1
run date command right before log event
2016-10-09 04:04:40 +02:00
Jakob Ackermann
9cd0f4b4fa
use output of command date as datestring
...
this will imply the system time zone. command date and the given format
are supported by the majority of linux distros
2016-10-09 03:06:09 +02:00
Jakob Ackermann
b73d6e0329
set default time zone for date
...
this prevents basic error messages from php(-cgi) for not setting the
timezone and then using UTC as default
2016-10-04 17:57:34 +02:00
brantje
4da38e5472
Check if a domain name is valid
2016-08-17 21:18:17 +02:00
Mcat12
62feb36640
Merge devel
2016-08-16 16:08:28 -04:00
Mcat12
c41d377eb3
Fix always returning invalid parameter
2016-08-16 15:55:41 -04:00
Mcat12
7265405424
Fix possible list param exploit
...
Sanitize list parameter, so that only the whitelist or blacklist are able to be read.
2016-08-16 15:17:28 -04:00
Mcat12
122f1d4bd0
Merge branch 'devel' into get-list-XSS-fix
2016-08-02 11:58:41 -04:00
Mcat12
9f6fac65cb
Fix possible XSS attack through white/black lists
2016-07-20 20:43:18 -04:00
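The two list fixes above (restricting the `list` parameter so only the whitelist or blacklist can be read, and escaping entries so a crafted domain cannot inject markup) can be shown in one small handler. This is an added example written for this page, not AdminLTE's own list-reading code; the file paths and the parameter values `white` and `black` are assumptions.

```php
<?php
// Added example (not Pi-hole/AdminLTE code). Instead of building a path from
// user input, the `list` parameter is used only as a key into a fixed map,
// so values like "../../etc/passwd" or "/etc/shadow" are never opened.

function list_file($list) {
    $allowed = array(
        'white' => '/etc/pihole/whitelist.txt',   // assumed path
        'black' => '/etc/pihole/blacklist.txt',   // assumed path
    );
    if (!is_string($list) || !isset($allowed[$list])) {
        return null;   // unknown list name: refuse
    }
    return $allowed[$list];
}

// Returns the list entries, or null when the parameter is not one of the two
// known lists (the caller then reports "Invalid parameter").
function read_list($list) {
    $path = list_file($list);
    if ($path === null) {
        return null;
    }
    if (!is_readable($path)) {
        return array();
    }
    return file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
}

// Escapes each entry on output so "<script>" in the list file shows as text.
function render_list($entries) {
    $html = "<ul>\n";
    foreach ($entries as $domain) {
        $html .= '  <li>' . htmlspecialchars($domain, ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Usage: read the parameter only after checking it is set.
$list = isset($_GET['list']) ? $_GET['list'] : '';
$entries = read_list($list);
if ($entries === null) {
    echo 'Invalid parameter';
} else {
    echo render_list($entries);
}
```

Using `null` for "rejected" and `array()` for "valid but empty" keeps the two cases distinct; a check like `if (!$entries)` would report an empty whitelist as an invalid parameter, which is the kind of mix-up the "Fix always returning invalid parameter" commit above is about.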
diginc
f460607bde
semicolon because php
2016-07-18 21:38:48 -05:00
diginc
b6e177de6c
Set a default error log when empty
2016-07-18 21:04:17 -05:00
diginc
246599a0ba
Don't need docker server IP in here anymore
2016-07-08 08:23:12 -05:00
diginc
d1ef51a358
cleanup and tested on alpine/debian
2016-07-07 23:30:58 -05:00
diginc
657fb7badc
Fixes and refactoring WL/BL files more
...
* CORS was required to auth (bug) - fixed
* Logging defaults to the default lighttpd error log
* Overridable error log location to support alpine/nginx container or power users
* Put the repeated code into an include for sub/add, auth.php
* Error logs say what failed much better now
* VIRTUAL_HOST should theoretically allow custom hostnames for CORS
2016-07-07 00:28:28 -05:00
diginc
18d96f300f
merge logic change from devel
2016-07-05 23:35:18 -05:00
Mcat12
cb32c5572a
Fix up CORS
...
Previously had been checking Origin AND Host header, but we should not
check Host header... Removed Host check and only check if Origin header
is set, because otherwise CORS doesn't apply (could be a same-origin
request).
2016-07-03 16:29:19 -04:00
diginc
9f8060f108
re-add -d flag that got lost somehow
2016-06-28 13:28:26 -05:00
diginc
435ba91d18
thought of a better variable name
2016-06-28 12:27:44 -05:00
diginc
fb18e6b535
whitespace begone
2016-06-28 12:22:10 -05:00
diginc
5d0a399796
Remove SERVER_NAME var because of lighttpd bug
...
lighttpd suffers from the same bug/feature apache does, it fills
SERVER_NAME in with the requested URL if canonical names and server
side server name is not configured. No thanks.
Nginx seems to have secure defaults.
2016-06-28 12:21:16 -05:00
diginc
8ce2c28919
same changes to sub as last add commit
2016-06-28 12:21:15 -05:00
diginc
b4938b0a73
Added SERVER_NAME var check for CORS and refactor
2016-06-28 12:21:15 -05:00
Promofaux
b3dfd41ae5
Echo output of exec command
2016-06-10 20:26:19 -05:00
Mcat12
7067473d89
Return correct CORS header for Host
...
If only Host was correct (Firefox and IE only set Host
for same-origin requests) then it would still use the
empty Origin header for the CORS response, leading to
`Access-Control-Allow-Origin: `
2016-05-11 16:31:07 -04:00
Mcat12
0e44f7b992
Complete the fix
...
This fixes the fix. I still needed to account for
`pi.hole` as a Host value.
2016-05-10 20:41:59 -04:00
Mcat12
8a33af6d6b
Possible fix for Firefox and IE
...
Both failed CORS as both browsers, unlike Chrome,
do not send `Origin` headers for same-origin requests.
Now the scripts check if the `Host` header equals
the IP of the Pi-hole. IE may require more fixing,
as it's IE. :P
2016-05-10 20:30:28 -04:00
Mcat12
05e7ebe7dd
Implement CORS
...
Only allows requests from http://pi.hole and http://<Pi's IP>
2016-05-06 16:14:32 -04:00
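The CORS history above runs from the first implementation (allow `http://pi.hole` and `http://<Pi's IP>`), through the `Host` header workaround for Firefox and IE, to the final logic in "Fix up CORS": look only at `Origin`, treat a missing `Origin` as same-origin, and never derive the allowed origin from `SERVER_NAME`, which lighttpd fills from the request. The following is an added example written for this page, not AdminLTE's own `auth.php`; the Pi-hole IP is an assumed value and the header names are the standard ones.

```php
<?php
// Added example (not Pi-hole/AdminLTE code). The allowed origins are a fixed
// list built from a configured IP, not from SERVER_NAME or Host, because a
// request can set both of those to any value.

function allowed_origins($pihole_ip) {
    return array('http://pi.hole', 'http://' . $pihole_ip);
}

// Decides the CORS outcome for one request.
//   null  -> no Origin header: same-origin request, send no CORS header
//   string-> Origin is allowed: value to send in Access-Control-Allow-Origin
//   false -> Origin present but not allowed: refuse the request
// The allowed origin is returned from the fixed list (never echoed back from
// the request), and a blank Origin counts as not allowed, so the earlier
// "Access-Control-Allow-Origin: " with an empty value cannot recur.
function check_cors($headers, $pihole_ip) {
    if (!isset($headers['Origin'])) {
        return null;
    }
    $origin = $headers['Origin'];
    foreach (allowed_origins($pihole_ip) as $allowed) {
        if ($origin === $allowed) {
            return $allowed;
        }
    }
    return false;
}

// Wires check_cors() to the real request (PHP exposes Origin as HTTP_ORIGIN).
function apply_cors($pihole_ip) {
    $headers = array();
    if (isset($_SERVER['HTTP_ORIGIN'])) {
        $headers['Origin'] = $_SERVER['HTTP_ORIGIN'];
    }
    $result = check_cors($headers, $pihole_ip);
    if ($result === false) {
        header('HTTP/1.1 403 Forbidden');
        exit('Origin not allowed');
    }
    if ($result !== null) {
        header('Access-Control-Allow-Origin: ' . $result);
        header('Vary: Origin');   // responses differ per Origin; keep caches honest
    }
}

// Constructed requests (assumed IP 192.168.1.2) showing the three outcomes:
//   check_cors(array(), '192.168.1.2')                                -> null
//   check_cors(array('Origin' => 'http://pi.hole'), '192.168.1.2')    -> 'http://pi.hole'
//   check_cors(array('Origin' => 'http://evil.example'), '192.168.1.2') -> false
//   check_cors(array('Origin' => ''), '192.168.1.2')                  -> false
apply_cors('192.168.1.2');
```

The exact-string comparison matters: a prefix or substring match would accept `http://pi.hole.evil.example`, and comparing against `Host` would accept any cross-origin request whose `Host` header happens to be right, which it always is.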
Mcat12
283f4b7978
Implement CSRF token for list editing
2016-05-02 20:33:29 -04:00
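A per-session token is the usual way to implement the CSRF protection this commit introduces for the list-editing endpoints. This is an added example written for this page, not AdminLTE's own implementation; the session key and form field name `token` are assumptions. It relies on `hash_equals()`, which is built in from PHP 5.6 (the fallback added in 871bef985d covers older versions).

```php
<?php
// Added example (not Pi-hole/AdminLTE code). One random token per session is
// embedded in the edit form and must come back with every POST that changes
// a list, so a page on another origin cannot submit the form on the user's
// behalf without knowing the token.
session_start();

function csrf_token() {
    if (empty($_SESSION['token'])) {
        // 32 random bytes from the CSPRNG, hex-encoded for safe embedding.
        $_SESSION['token'] = bin2hex(openssl_random_pseudo_bytes(32));
    }
    return $_SESSION['token'];
}

// Constant-time comparison of the submitted token with the session token.
function csrf_check($session, $presented) {
    if (!isset($session['token']) || !is_string($presented) || $presented === '') {
        return false;
    }
    return hash_equals($session['token'], $presented);
}

// Hidden field for the add/remove forms.
function token_field() {
    return '<input type="hidden" name="token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Handler side: check the token before running any list command.
if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $presented = isset($_POST['token']) ? $_POST['token'] : '';
    if (!csrf_check($_SESSION, $presented)) {
        header('HTTP/1.1 403 Forbidden');
        exit('Wrong token');
    }
    // Token verified: safe to proceed with the list change.
}
```

The token check complements the CORS check rather than replacing it: CORS decides which origins may read responses from a script, while the token ensures that a state-changing request actually came from a form this server rendered for this session.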
Mcat12
b3d3e151e0
Update list editing commands
...
Updates from using `whitelist.sh` and `blacklist.sh` to
using `pihole`. Currently includes sudo in command, but
after the scripts get updated with sudo checking that
should not be needed.
2016-04-18 22:23:43 -04:00
Mcat12
4d6ec1c5a5
Remove password functionality
...
After the change to 0.0.0.0 there will
be no need for a password
2016-04-18 22:07:37 -04:00