DL6ER
b987b79b17
Add maximum width of 400px
2016-12-09 16:45:21 +01:00
DL6ER
847c58a4c7
changed the placeholder from "Enter password to continue" to "Enter password to unlock"
2016-12-09 14:13:06 +01:00
DL6ER
c2686e6c4c
Slightly blurred text and path
2016-12-09 14:10:48 +01:00
DL6ER
eb3085110f
Moving path draft
2016-12-09 13:58:07 +01:00
DL6ER
2b5e3f4da9
First draft of animated logo using pure SVG + CSS
2016-12-09 13:18:29 +01:00
DL6ER
9c7dc19d80
Add custom login page
2016-12-08 16:39:44 +01:00
Mcat12
0dec4b8aa0
Protect Enable/Disable with a CSRF token check
The token is now added for all pages.
2016-12-04 13:16:45 -05:00
Mcat12
40c6ee9f5a
Remove strict flag and change Host check
Since the Host header is easily manipulated, we can only check if
it's wrong and can't use it to validate that the client is authorized,
only unauthorized. There's no need for the strict flag anymore
because of this.
2016-12-02 16:06:43 -05:00
Mcat12
6b8fa7dbe4
Merge remote-tracking branch 'origin/devel' into secure-pause-resume
Conflicts:
header.php
2016-12-01 20:47:04 -05:00
DL6ER
fbe715c338
Small fix in password.php: Verify that there is a password hash before trying to access it
2016-11-24 12:54:26 +01:00
DL6ER
21649a2017
Extended password protection to php/queryads.php
2016-11-23 18:05:07 +01:00
DL6ER
d9adcccbc3
Merge branch 'devel' into auth
Conflicts:
header.php
2016-11-23 18:02:40 +01:00
DL6ER
5b15755014
Added new check for validity of domain name
2016-11-23 12:18:27 +01:00
DL6ER
64d532a95c
Pass "Invalid domain!" error message to user
2016-11-22 15:36:16 +01:00
DL6ER
7f779e482f
Check if URL exists (try to resolve!)
2016-11-22 15:30:51 +01:00
DL6ER
7f7604a6af
Add "Query adlists" feature
2016-11-22 15:23:30 +01:00
DL6ER
9e3a092701
Addressed codacy issues
2016-11-21 10:51:45 +01:00
Mcat12
591bc2c3f5
Change another else for codacy
2016-11-20 18:23:18 -05:00
Mcat12
2989709a23
Re-arrange check_cors if statements for codacy
2016-11-20 18:11:02 -05:00
DL6ER
f84d54558b
Allow GET hash for API calls
2016-11-20 15:46:05 +01:00
DL6ER
cd75d7e7a3
Remove hash from the javascript scripts.
2016-11-20 15:34:03 +01:00
DL6ER
02dc741209
Move from GET to SESSION variables for the sake of convenience
2016-11-20 15:27:35 +01:00
DL6ER
2c93be0174
Extended current password protection to gravity.sh page
2016-11-20 14:52:53 +01:00
DL6ER
6781fa7919
Merge branch 'devel' into auth
2016-11-20 14:47:25 +01:00
DL6ER
d899293c67
Test if POST and GET variables are set before trying to actually access them. This increases code complexity noticeably, let's see if codacy complains ...
2016-11-19 22:05:26 +01:00
DL6ER
ba811544f8
Okay, once more ...
2016-11-18 15:25:32 +01:00
DL6ER
f9b6d4d887
Make sure that the green "Success" box is only shown if gravity.sh returned "Pi-hole blocking is Enabled"
2016-11-18 15:04:46 +01:00
DL6ER
66e4da7724
Run gravity.sh from the web UI
2016-11-18 13:43:05 +01:00
Mcat12
b2b93e90b3
Add flag for strict CORS
Prevents enable/disable from requests without CORS info
2016-11-17 16:47:14 -05:00
DL6ER
4372c2e25b
Extend hash auth to API calls
2016-11-16 23:35:10 +01:00
Mcat12
d2fcc36341
Require CORS check on all admin pages
This is mainly added so that an ad can't enable/disable the Pi-hole
by simply loading a url like `http://pi.hole/admin/index.php?disable`
2016-11-07 21:10:36 -05:00
Adam Warner
b9f186befb
Revert "set default time zone for date"
2016-10-18 15:52:58 +01:00
Mcat12
871bef985d
Add fallback hash_equals and use old array syntax
2016-10-13 16:25:05 -04:00
Jakob Ackermann
fb995872d1
run date command right before log event
2016-10-09 04:04:40 +02:00
Jakob Ackermann
9cd0f4b4fa
use output of command date as datestring
this will imply the system time zone. command date and the given format
are supported by the majority of linux distros
2016-10-09 03:06:09 +02:00
Jakob Ackermann
b73d6e0329
set default time zone for date
this prevents basic error messages from php(-cgi) for not setting the
timezone and then using UTC as default
2016-10-04 17:57:34 +02:00
brantje
4da38e5472
Check if a domain name is valid
2016-08-17 21:18:17 +02:00
Mcat12
62feb36640
Merge devel
2016-08-16 16:08:28 -04:00
Mcat12
c41d377eb3
Fix always returning invalid parameter
2016-08-16 15:55:41 -04:00
Mcat12
7265405424
Fix possible list param exploit
Sanitize list parameter, so that only the whitelist or blacklist are able to be read.
2016-08-16 15:17:28 -04:00
Mcat12
122f1d4bd0
Merge branch 'devel' into get-list-XSS-fix
2016-08-02 11:58:41 -04:00
Mcat12
9f6fac65cb
Fix possible XSS attack through white/black lists
2016-07-20 20:43:18 -04:00
diginc
f460607bde
semicolon because php
2016-07-18 21:38:48 -05:00
diginc
b6e177de6c
Set a default error log when empty
2016-07-18 21:04:17 -05:00
diginc
246599a0ba
Don't need docker server IP in here anymore
2016-07-08 08:23:12 -05:00
diginc
d1ef51a358
cleanup and tested on alpine/debian
2016-07-07 23:30:58 -05:00
diginc
657fb7badc
Fixes and refactoring WL/BL files more
* CORS was required to auth (bug) - fixed
* Logging defaults to the default lighttpd error log
* Overridable error log location to support alpine/nginx container or power users
* Put the repeated code into an include for sub/add, auth.php
* Error logs say what failed much better now
* VIRTUAL_HOST should theoretically allow custom hostnames for CORS
2016-07-07 00:28:28 -05:00
diginc
18d96f300f
merge logic change from devel
2016-07-05 23:35:18 -05:00
Mcat12
cb32c5572a
Fix up CORS
Previously had been checking Origin AND Host header, but we should not
check Host header... Removed Host check and only check if Origin header
is set, because otherwise CORS doesn't apply (could be a same-origin
request).
2016-07-03 16:29:19 -04:00
diginc
9f8060f108
re-add -d flag that got lost somehow
2016-06-28 13:28:26 -05:00