mirror of
https://github.com/pi-hole/web.git
synced 2025-12-19 18:28:24 +00:00
8c0f785351
The information from `mg.request_info.request_uri` depends on the URL typed by the user. This information was used without any sanitization, allowing an attacker to send crafted links containing anything, including javascript code, which could be loaded and executed in a few pages. Replacing this value with `scriptname` variable fixes the issue, since this variable contains the name of the file currently being executed. This information cannot be externally manipulated and it is safe to be used on the page. Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
28 lines
1018 B
Plaintext
28 lines
1018 B
Plaintext
<? --[[
|
|
* Pi-hole: A black hole for Internet advertisements
|
|
* (c) 2023 Pi-hole, LLC (https://pi-hole.net)
|
|
* Network-wide ad blocking via your own hardware.
|
|
*
|
|
* This file is copyright under the latest version of the EUPL.
|
|
* Please see LICENSE file for your rights under this license.
|
|
--]]
|
|
|
|
mg.include('scripts/lua/header.lp','r')
|
|
?>
|
|
</head>
|
|
<body class="hold-transition layout-boxed login-page page-<?=pihole.format_path(scriptname)?>">
|
|
<div class="box login-box">
|
|
<section style="padding: 15px;">
|
|
<h2 class="error-headline text-yellow">404</h2>
|
|
<div class="error-content">
|
|
<h3><i class="fa fa-warning text-yellow"></i> Oops! Page not found.</h3>
|
|
<p>
|
|
We could not find the page you were looking for.<br>
|
|
Meanwhile, you may want to return to <a href="<?=pihole.webhome()?>">the dashboard</a>.
|
|
</p>
|
|
</div>
|
|
</section>
|
|
</div>
|
|
</body>
|
|
</html>
|