Previously this checked both the Origin and the Host header, but the Host header should not be checked. Removed the Host check; now only the presence of the Origin header is checked, because without it CORS does not apply (the request could be same-origin).
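<?php
// Web-UI endpoint that hands a domain to the pihole CLI for the white or
// black list. Every request must carry the "domain", "list" and "token"
// POST fields; "token" is compared against the session token to stop CSRF.
if(!isset($_POST['domain'], $_POST['list'], $_POST['token']))
    die("Missing POST variables");

// Check CORS
// Only a cross-origin request carries an Origin header, so the check is
// skipped when it is absent; the Host header is deliberately not inspected.
if(isset($_SERVER['HTTP_ORIGIN'])) {
    // Concatenation instead of "${...}" interpolation: that syntax is
    // deprecated in PHP 8.2.
    $allowedOrigins = [
        "http://pi.hole",
        "http://" . $_SERVER['SERVER_ADDR'],
        "http://localhost",
    ];
    // Strict comparison: loose == would let numeric-looking strings match.
    if (in_array($_SERVER['HTTP_ORIGIN'], $allowedOrigins, true))
        header("Access-Control-Allow-Origin: " . $_SERVER['HTTP_ORIGIN']);
    else
        die("Failed CORS");
}
// Otherwise probably same origin... out of the scope of CORS

// Check CSRF token
session_start();
// Fail closed when the session holds no token: hash_equals() with a missing
// first argument would error out instead of returning false.
if(!isset($_SESSION['token']) || !hash_equals($_SESSION['token'], $_POST['token']))
    die("Wrong token");

// The domain ends up inside a shell command run via sudo, so it must be a
// plain string, restricted to hostname characters, and shell-quoted;
// interpolating the raw POST value would let the request inject shell text.
if (!is_string($_POST['domain']))
    die("Invalid domain");
$domain = trim($_POST['domain']);
if (!preg_match('/^[A-Za-z0-9._-]+$/', $domain))
    die("Invalid domain");
$domainArg = escapeshellarg($domain);

// An unknown list value is silently ignored, as before.
switch($_POST['list']) {
    case "white":
        exec("sudo pihole -w -q -d " . $domainArg);
        break;
    case "black":
        exec("sudo pihole -b -q -d " . $domainArg);
        break;
}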