mirror of
https://github.com/pi-hole/web.git
synced 2025-12-26 05:26:19 +00:00
109 lines
3.8 KiB
PHP
109 lines
3.8 KiB
PHP
<?php
|
|
/* Pi-hole: A black hole for Internet advertisements
|
|
* (c) 2017 Pi-hole, LLC (https://pi-hole.net)
|
|
* Network-wide ad blocking via your own hardware.
|
|
*
|
|
* This file is copyright under the latest version of the EUPL.
|
|
* Please see LICENSE file for your rights under this license.
|
|
*/
|
|
|
|
require_once 'func.php';
|
|
require_once 'persistentlogin_token.php';
|
|
|
|
// Start a new PHP session (or continue an existing one)
|
|
start_php_session();
|
|
|
|
// Read setupVars.conf file
|
|
$setupVars = parse_ini_file('/etc/pihole/setupVars.conf');
|
|
// Try to read password hash from setupVars.conf
|
|
if (isset($setupVars['WEBPASSWORD'])) {
|
|
$pwhash = $setupVars['WEBPASSWORD'];
|
|
} else {
|
|
$pwhash = '';
|
|
}
|
|
|
|
function verifyPassword($pwhash, $use_api = false)
|
|
{
|
|
$validpassword = true;
|
|
|
|
// Test if password is set
|
|
if (strlen($pwhash) > 0) {
|
|
// Check for and authorize from persistent cookie
|
|
if (isset($_COOKIE['persistentlogin'])) {
|
|
if (checkValidityPersistentLoginToken($_COOKIE['persistentlogin'])) {
|
|
$_SESSION['auth'] = true;
|
|
} else {
|
|
// Invalid cookie
|
|
$_SESSION['auth'] = false;
|
|
setcookie('persistentlogin', '', 1);
|
|
}
|
|
} elseif (isset($_POST['pw'])) {
|
|
// Compare doubly hashes password input with saved hash
|
|
$postinput = hash('sha256', hash('sha256', $_POST['pw']));
|
|
|
|
if (hash_equals($pwhash, $postinput)) {
|
|
// Save previously accessed page, before clear the session
|
|
$redirect_url = 'index.php';
|
|
if (isset($_SESSION['prev_url'])) {
|
|
$redirect_url = $_SESSION['prev_url'];
|
|
}
|
|
|
|
// Regenerate session ID to prevent session fixation
|
|
session_regenerate_id();
|
|
|
|
// Clear the old session
|
|
$_SESSION = array();
|
|
|
|
// Set hash in new session
|
|
$_SESSION['hash'] = $pwhash;
|
|
|
|
// Set persistent cookie if selected
|
|
if (isset($_POST['persistentlogin'])) {
|
|
// Generate cookie with new expiry
|
|
$token = genPersistentLoginToken();
|
|
$time = time() + 60 * 60 * 24 * 7; // 7 days
|
|
writePersistentLoginToken($token, $time);
|
|
// setcookie($name, $value, $expire, $path, $domain, $secure, $httponly)
|
|
setcookie('persistentlogin', $token, $time, null, null, null, true);
|
|
}
|
|
|
|
$_SESSION['auth'] = true;
|
|
|
|
// Login successful, redirect the user to the original requested page
|
|
if (
|
|
$_SERVER['REQUEST_METHOD'] === 'POST' &&
|
|
strlen($_SERVER['SCRIPT_NAME']) >= 10 &&
|
|
substr_compare($_SERVER['SCRIPT_NAME'], '/login.php', -10) === 0
|
|
) {
|
|
header('Location: '.$redirect_url);
|
|
exit;
|
|
}
|
|
} else {
|
|
$_SESSION['auth'] = false;
|
|
$validpassword = false;
|
|
}
|
|
} elseif (isset($_SESSION['hash'])) {
|
|
// Compare auth hash with saved hash
|
|
if (hash_equals($pwhash, $_SESSION['hash'])) {
|
|
$_SESSION['auth'] = true;
|
|
}
|
|
} elseif ($use_api && isset($_GET['auth'])) {
|
|
// API can use the hash to get data without logging in via plain-text password
|
|
if (hash_equals($pwhash, $_GET['auth'])) {
|
|
$_SESSION['auth'] = true;
|
|
}
|
|
} else {
|
|
// Password or hash wrong
|
|
$_SESSION['auth'] = false;
|
|
}
|
|
} else {
|
|
// No password set
|
|
$_SESSION['auth'] = true;
|
|
}
|
|
|
|
return $validpassword;
|
|
}
|
|
|
|
$wrongpassword = !verifyPassword($pwhash, isset($api));
|
|
$auth = $_SESSION['auth'];
|