Remote code execution could have been triggered by activating some list
functionality (add and remove) via api.php.
Thanks to Kacper Szurek for finding this bug.
Signed-off-by: Mcat12 <newtoncat12@yahoo.com>
- Fix multiple php warning/error messages when this scripts are executed from AJAX requests
Example errors/warnings:
2019/01/15 13:22:22 [error] 1408#1408: *2535 FastCGI sent in stderr: "PHP message: PHP Notice: Undefined variable: api in /var/www/html/admin/scripts/pi-hole/php/sub.php on line 16
PHP message: PHP Warning: Cannot modify header information - headers already sent by (output started at /var/www/html/admin/scripts/pi-hole/php/sub.php:8) in /var/www/html/admin/scripts/pi-hole/php/auth.php on line 81
PHP message: PHP Warning: session_start(): Cannot start session when headers already sent in /var/www/html/admin/scripts/pi-hole/php/auth.php on line 93
Signed-off-by: Michael Epstein <mepstein@mediabox.cl>
If you had these in the regex list:
- example\.com
- example
- ^example.*
And you removed "example", then the list would look like this:
- \.com
- ^.*
This behavior is fixed.
Signed-off-by: Mcat12 <newtoncat12@yahoo.com>
* Move whole project to EUPL, copy MIT license to scripts/vendor/ and style/vendor/
* Added header to main PHP files
* Modified scripts in scripts/pi-hole/php
* Added header to scripts/pi-hole/js files
* Added license header to our custom style script
* Slight reformulation
