Commit Graph

70 Commits

Author SHA1 Message Date
DL6ER
beeea0edfb Implemented new "pihole -q <domain> -exact" argument in web UI 2016-12-06 13:30:53 +01:00
DL6ER
acbef91e9c Make sure that js/pihole/queryads.js always finds its target + remove requirement for authorization on php/queryads.php for using it within the new blocking page 2016-12-05 11:04:00 +01:00
Mcat12
0dec4b8aa0 Protect Enable/Disable with a CSRF token check
The token is now added for all pages.
2016-12-04 13:16:45 -05:00
Mcat12
40c6ee9f5a Remove strict flag and change Host check
Since the Host header is easily manipulated, we can only check if
it's wrong and can't use it to validate that the client is authorized,
only unauthorized. There's no need for the strict flag anymore
because of this.
2016-12-02 16:06:43 -05:00
Mcat12
6b8fa7dbe4 Merge remote-tracking branch 'origin/devel' into secure-pause-resume
Conflicts:
	header.php
2016-12-01 20:47:04 -05:00
DL6ER
fbe715c338 Small fix in password.php: Verify that there is a password hash before trying to access it 2016-11-24 12:54:26 +01:00
DL6ER
21649a2017 Extended password protection to php/queryads.php 2016-11-23 18:05:07 +01:00
DL6ER
d9adcccbc3 Merge branch 'devel' into auth
Conflicts:
	header.php
2016-11-23 18:02:40 +01:00
DL6ER
5b15755014 Added new check for validity of domain name 2016-11-23 12:18:27 +01:00
DL6ER
64d532a95c Pass "Invalid domain!" error message to user 2016-11-22 15:36:16 +01:00
DL6ER
7f779e482f Check if url does exist (try to resolve!) 2016-11-22 15:30:51 +01:00
DL6ER
7f7604a6af Add "Query adlists" feature 2016-11-22 15:23:30 +01:00
DL6ER
9e3a092701 Addressed codacy issues 2016-11-21 10:51:45 +01:00
Mcat12
591bc2c3f5 Change another else for codacy 2016-11-20 18:23:18 -05:00
Mcat12
2989709a23 Re-arrange check_cors if statements for codacy 2016-11-20 18:11:02 -05:00
DL6ER
f84d54558b Allow GET hash for API calls 2016-11-20 15:46:05 +01:00
DL6ER
cd75d7e7a3 Remove hash from the javascript scripts. 2016-11-20 15:34:03 +01:00
DL6ER
02dc741209 Move from GET to SESSION variables for the sake of convenience 2016-11-20 15:27:35 +01:00
DL6ER
2c93be0174 Extended current password protection to gravity.sh page 2016-11-20 14:52:53 +01:00
DL6ER
6781fa7919 Merge branch 'devel' into auth 2016-11-20 14:47:25 +01:00
DL6ER
d899293c67 Test if POST and GET variables are set before trying to actually access them. This increases code complexity noticeably, let's see if codacy complains ... 2016-11-19 22:05:26 +01:00
DL6ER
ba811544f8 Okay, once more ... 2016-11-18 15:25:32 +01:00
DL6ER
f9b6d4d887 Make sure that the green "Success" box is only shown if gravity.sh returned "Pi-hole blocking is Enabled" 2016-11-18 15:04:46 +01:00
DL6ER
66e4da7724 Run gravity.sh from the web UI 2016-11-18 13:43:05 +01:00
Mcat12
b2b93e90b3 Add flag for strict CORS
Prevents enable/disable from requests without CORS info
2016-11-17 16:47:14 -05:00
DL6ER
4372c2e25b Extend hash auth to API calls 2016-11-16 23:35:10 +01:00
Mcat12
d2fcc36341 Require CORS check on all admin pages
This is mainly added so that an ad can't enable/disable the Pi-hole
by simply loading a url like `http://pi.hole/admin/index.php?disable`
2016-11-07 21:10:36 -05:00
Adam Warner
b9f186befb Revert "set default time zone for date" 2016-10-18 15:52:58 +01:00
Mcat12
871bef985d Add fallback hash_equals and use old array syntax 2016-10-13 16:25:05 -04:00
Jakob Ackermann
fb995872d1 run date command right before log event 2016-10-09 04:04:40 +02:00
Jakob Ackermann
9cd0f4b4fa use output of command date as datestring
this will imply the system time zone. command date and the given format
are supported by the majority of Linux distros
2016-10-09 03:06:09 +02:00
Jakob Ackermann
b73d6e0329 set default time zone for date
this prevents basic error messages from php(-cgi) for not setting the
timezone and then using UTC as default
2016-10-04 17:57:34 +02:00
brantje
4da38e5472 Check if a domain name is valid 2016-08-17 21:18:17 +02:00
Mcat12
62feb36640 Merge devel 2016-08-16 16:08:28 -04:00
Mcat12
c41d377eb3 Fix always returning invalid parameter 2016-08-16 15:55:41 -04:00
Mcat12
7265405424 Fix possible list param exploit
Sanitize list parameter, so that only the whitelist or blacklist are able to be read.
2016-08-16 15:17:28 -04:00
Mcat12
122f1d4bd0 Merge branch 'devel' into get-list-XSS-fix 2016-08-02 11:58:41 -04:00
Mcat12
9f6fac65cb Fix possible XSS attack through white/black lists 2016-07-20 20:43:18 -04:00
diginc
f460607bde semicolon because php 2016-07-18 21:38:48 -05:00
diginc
b6e177de6c Set a default error log when empty 2016-07-18 21:04:17 -05:00
diginc
246599a0ba Don't need docker server IP in here anymore 2016-07-08 08:23:12 -05:00
diginc
d1ef51a358 cleanup and tested on alpine/debian 2016-07-07 23:30:58 -05:00
diginc
657fb7badc Fixes and refactoring WL/BL files more
* CORS was required to auth (bug) - fixed
* Logging defaults to the default lighttpd error log
* Overridable error log location to support alpine/nginx container or power users
* Put the repeated code into a include for sub/add, auth.php
* Error logs say what failed much better now
* VIRTUAL_HOST should theoretically allow custom hostnames for CORS
2016-07-07 00:28:28 -05:00
diginc
18d96f300f merge logic change from devel 2016-07-05 23:35:18 -05:00
Mcat12
cb32c5572a Fix up CORS
Previously had been checking Origin AND Host header, but we should not
check Host header... Removed Host check and only check if Origin header
is set, because otherwise CORS doesn't apply (could be a same-origin
request).
2016-07-03 16:29:19 -04:00
diginc
9f8060f108 re-add -d flag that got lost somehow 2016-06-28 13:28:26 -05:00
diginc
435ba91d18 thought of a better variable name 2016-06-28 12:27:44 -05:00
diginc
fb18e6b535 whitespace begone 2016-06-28 12:22:10 -05:00
diginc
5d0a399796 Remove SERVER_NAME var because of lighttpd bug
lighttpd suffers from the same bug/feature apache does: it fills
SERVER_NAME in with the requested URL if canonical names and the server
side server name are not configured.  No thanks.

Nginx seems to have secure defaults.
2016-06-28 12:21:16 -05:00
diginc
8ce2c28919 same changes to sub as last add commit 2016-06-28 12:21:15 -05:00