web/php/auth.php
<?php
require('func.php');
// Destination for pi_log(): the PHP_ERROR_LOG environment variable when it is
// set to a non-empty value, otherwise the lighttpd error log.
$ERRORLOG = getenv('PHP_ERROR_LOG') ?: '/var/log/lighttpd/error.log';
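/**
 * Append one timestamped line to the log file named by $GLOBALS['ERRORLOG'].
 *
 * @param string $message text to log; it is written verbatim, so request-derived
 *                        input passed by callers (Origin header, POST values)
 *                        reaches the log exactly as supplied
 * @return void
 */
function pi_log($message) {
    // Build the timestamp in-process instead of shelling out to the `date`
    // binary: same 'YYYY-MM-DD HH:MM:SS' layout, no process spawn per log line.
    // Uses PHP's configured timezone (date.timezone) rather than the system
    // zone the external command used.
    $date = date('Y-m-d H:i:s');
    // error_log type 3 appends to the file given as the third argument.
    error_log($date . ': ' . $message . "\n", 3, $GLOBALS['ERRORLOG']);
}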
/**
 * Record $message via pi_log() and terminate the request, sending the same
 * message as the response body.
 *
 * NOTE(review): callers hand request-derived text (Origin header, POST domain)
 * straight through and it is emitted unescaped; whether that is acceptable
 * depends on the response Content-Type in effect — confirm.
 *
 * @param string $message
 * @return void does not return
 */
function log_and_die($message) {
    pi_log($message);
    exit($message);
}
// All three request parameters are mandatory; stop before any of them is used.
if (!isset($_POST['domain']) || !isset($_POST['list']) || !isset($_POST['token'])) {
    log_and_die("Missing POST variables");
}
// Origins permitted to call this endpoint cross-origin: the server's own
// address, the pi.hole alias and localhost. Only http:// forms are listed, so
// an https origin would fail the CORS check below — presumably intended; confirm.
$AUTHORIZED_HOSTNAMES = array(
    'http://' . $_SERVER['SERVER_ADDR'],
    'http://pi.hole',
    'http://localhost',
);
// A user-set virtual hostname (VIRTUAL_HOST environment variable) is also allowed
$virtual_host = getenv('VIRTUAL_HOST');
if (!empty($virtual_host)) {
    $AUTHORIZED_HOSTNAMES[] = 'http://' . $virtual_host;
}
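// Check CORS: a request carrying an Origin header is only served when that
// header is one of the allow-listed hostnames built above. The comparison is
// strict so the Origin value is matched as a literal string, never via loose ==.
if (isset($_SERVER['HTTP_ORIGIN'])) {
    if (!in_array($_SERVER['HTTP_ORIGIN'], $AUTHORIZED_HOSTNAMES, true)) {
        log_and_die("Failed CORS: " . $_SERVER['HTTP_ORIGIN'] . ' vs ' . join(',', $AUTHORIZED_HOSTNAMES));
    }
    // Only an allow-listed value reaches this point, so the header never
    // echoes an arbitrary client-supplied origin.
    $CORS_ALLOW_ORIGIN = $_SERVER['HTTP_ORIGIN'];
    header("Access-Control-Allow-Origin: $CORS_ALLOW_ORIGIN");
} else {
    // No Origin header: most likely a same-origin request, which is out of
    // the scope of CORS.
    pi_log("CORS skipped, unknown HTTP_ORIGIN");
}
session_start();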
// Check CSRF token
// Credit: http://php.net/manual/en/function.hash-equals.php#119576
if (!function_exists('hash_equals')) {
    /**
     * Polyfill of hash_equals() for PHP releases that lack it: compares the two
     * strings byte by byte without bailing out early, so the time taken does
     * not reveal where they first differ.
     *
     * @param string $known_string the trusted value (e.g. the session token)
     * @param string $user_string  the value supplied by the request
     * @return bool true only when both strings are byte-identical
     */
    function hash_equals($known_string, $user_string) {
        $mismatch = 0;
        if (strlen($known_string) !== strlen($user_string)) {
            // Record the length difference, then compare the known string
            // against itself so the loop below still walks the full length.
            $user_string = $known_string;
            $mismatch = 1;
        }
        $diff = $known_string ^ $user_string;
        $pos = strlen($diff);
        while ($pos-- > 0) {
            $mismatch |= ord($diff[$pos]);
        }
        return $mismatch === 0;
    }
}
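// Check CSRF token: the submitted token must match the one held in the session.
// is_string() rejects a non-string POST value (e.g. token[]=x) up front; without
// it hash_equals() emits a warning and returns false on PHP 5.6/7 but throws a
// TypeError on PHP 8, and either case should read as "wrong token", not a crash.
if (!isset($_SESSION['token'], $_POST['token'])
    || !is_string($_POST['token'])
    || !hash_equals($_SESSION['token'], $_POST['token'])) {
    log_and_die("Wrong token");
}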
// Validate the requested domain (is_valid_domain_name() is supplied by func.php).
// NOTE(review): the rejected value is echoed back in the die() message
// unescaped; whether that matters depends on the response Content-Type — confirm.
if (isset($_POST['domain'])) {
    $validDomain = is_valid_domain_name($_POST['domain']);
    if (!$validDomain) {
        log_and_die($_POST['domain'] . ' is not a valid domain');
    }
}
?>