Merge pull request #3819 from craigmayhew/landing-page-security

Fixed potential security issue with $landPage receiving variables
This commit is contained in:
Adam Warner 2020-10-30 11:44:07 +00:00 committed by GitHub
commit 89d94ac3d1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -55,7 +55,16 @@ if ($serverName === "pi.hole"
// Redirect to Web Interface
exit(header("Location: /admin"));
} elseif (filter_var($serverName, FILTER_VALIDATE_IP) || in_array($serverName, $authorizedHosts)) {
// Set Splash Page output
// When directly browsing via IP or authorized hostname
// Render splash/landing page based off presence of $landPage file
// Unset variables so as to not be included in $landPage or $splashPage
unset($serverName, $svPasswd, $svEmail, $authorizedHosts, $validExtTypes, $currentUrlExt, $viewPort);
// If $landPage file is present
if (is_file(getcwd()."/$landPage")) {
include $landPage;
exit();
}
// If $landPage file was not present, Set Splash Page output
$splashPage = "
<!doctype html>
<html lang='en'>
@ -74,15 +83,7 @@ if ($serverName === "pi.hole"
</body>
</html>
";
// Set splash/landing page based off presence of $landPage
$renderPage = is_file(getcwd()."/$landPage") ? include $landPage : "$splashPage";
// Unset variables so as to not be included in $landPage
unset($serverName, $svPasswd, $svEmail, $authorizedHosts, $validExtTypes, $currentUrlExt, $viewPort);
// Render splash/landing page when directly browsing via IP or authorized hostname
exit($renderPage);
exit($splashPage);
} elseif ($currentUrlExt === "js") {
// Serve Pi-hole JavaScript for blocked domains requesting JS
exit(setHeader("js").'var x = "Pi-hole: A black hole for Internet advertisements."');