From 00d62b34239a0cabe9fac4cfaeab27b4173951f2 Mon Sep 17 00:00:00 2001
From: andofrjando <andofrjando@users.noreply.github.com>
Date: Sat, 16 Sep 2017 10:24:37 +0800
Subject: [PATCH 1/3] This fixes the following bug: If Pi-Hole is behind a
 reverse proxy that uses SSL, then the block page will not load resources such
 as `blockingpage.css` and `jquery.min.js` as the insecure `http://` is hard
 coded. Browsers will block attempts to load insecure resources if the page is
 loaded of SSL. The fix is acheived by checking `$_SERVER['HTTPS']` and
 setting the variable `$proto` to either `http` or `https`. The harcoded
 `http` is replaced by the contents of this variable.

---
 advanced/index.php | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/advanced/index.php b/advanced/index.php
index 911f3cc8..5e88a050 100644
--- a/advanced/index.php
+++ b/advanced/index.php
@@ -28,7 +28,7 @@ $authorizedHosts = [];
 
 // Append FQDN to $authorizedHosts
 if (!empty($svFQDN)) array_push($authorizedHosts, $svFQDN);
-  
+
 // Append virtual hostname to $authorizedHosts
 if (!empty($_SERVER["VIRTUAL_HOST"])) {
     array_push($authorizedHosts, $_SERVER["VIRTUAL_HOST"]);
@@ -40,6 +40,15 @@ $validExtTypes = array("asp", "htm", "html", "php", "rss", "xml", "");
 // Get extension of current URL
 $currentUrlExt = pathinfo($_SERVER["REQUEST_URI"], PATHINFO_EXTENSION);
 
+// Check if this is served over HTTP or HTTPS
+if(isset($_SERVER['HTTPS'])) {
+    if ($_SERVER['HTTPS'] == "on") {
+        $proto = "https";
+    } else {
+        $proto = "http";
+    }
+}
+
 // Set mobile friendly viewport
 $viewPort = '<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>';
 
@@ -60,7 +69,7 @@ if ($serverName === "pi.hole") {
         <link rel='stylesheet' href='/pihole/blockingpage.css' type='text/css'/>
     </head><body id='splashpage'><img src='/admin/img/logo.svg'/><br/>Pi-<b>hole</b>: Your black hole for Internet advertisements</body></html>
     ";
-    
+
     // Render splash page or landing page when directly browsing via IP or auth'd hostname
     $renderPage = is_file(getcwd()."/$landPage") ? include $landPage : "$splashPage";
     unset($serverName, $svFQDN, $svPasswd, $svEmail, $authorizedHosts, $validExtTypes, $currentUrlExt, $viewPort);
@@ -134,7 +143,7 @@ function queryAds($serverName) {
     } catch (Exception $e) {
         return array("0" => "error", "1" => $e->getMessage());
     }
-  
+
 }
 
 $queryAds = queryAds($serverName);
@@ -201,10 +210,10 @@ if (explode("-", $phVersion)[1] != "0")
   <?=setHeader() ?>
   <meta name="robots" content="noindex,nofollow"/>
   <meta http-equiv="x-dns-prefetch-control" content="off">
-  <link rel="shortcut icon" href="http://pi.hole/admin/img/favicon.png" type="image/x-icon"/>
-  <link rel="stylesheet" href="http://pi.hole/pihole/blockingpage.css" type="text/css"/>
+  <link rel="shortcut icon" href="<?php echo $proto; ?>://pi.hole/admin/img/favicon.png" type="image/x-icon"/>
+  <link rel="stylesheet" href="<?php echo $proto; ?>://pi.hole/pihole/blockingpage.css" type="text/css"/>
   <title>● <?=$serverName ?></title>
-  <script src="http://pi.hole/admin/scripts/vendor/jquery.min.js"></script>
+  <script src="<?php echo $proto; ?>://pi.hole/admin/scripts/vendor/jquery.min.js"></script>
   <script>
     window.onload = function () {
       <?php
@@ -264,7 +273,7 @@ if (explode("-", $phVersion)[1] != "0")
   <div id="bpMoreInfo">
     <span id="bpFoundIn"><span><?=$featuredTotal ?></span><?=$adlistsCount ?></span>
     <pre id='bpQueryOutput'><?php if ($featuredTotal > 0) foreach ($queryResults as $num => $value) { echo "<span>[$num]:</span>$adlistsUrls[$num]\n"; } ?></pre>
-    
+
     <form id="bpWLButtons" class="buttons">
       <input id="bpWLDomain" type="text" value="<?=$serverName ?>" disabled/>
       <input id="bpWLPassword" type="password" placeholder="<?=$wlPlaceHolder ?>" disabled/><button id="bpWhitelist" type="button" disabled></button>

From 5e48b3f7f7116996fcdfe8d533e2e3e171d0c5ba Mon Sep 17 00:00:00 2001
From: andofrjando <andofrjando@users.noreply.github.com>
Date: Sat, 16 Sep 2017 11:24:38 +0800
Subject: [PATCH 2/3] Fix one mistake where `$proto` would not be created if
 `$_SERVER['HTTPS']` exists but is not set to `on`

---
 advanced/index.php | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/advanced/index.php b/advanced/index.php
index 5e88a050..62b861dc 100644
--- a/advanced/index.php
+++ b/advanced/index.php
@@ -41,12 +41,10 @@ $validExtTypes = array("asp", "htm", "html", "php", "rss", "xml", "");
 $currentUrlExt = pathinfo($_SERVER["REQUEST_URI"], PATHINFO_EXTENSION);
 
 // Check if this is served over HTTP or HTTPS
-if(isset($_SERVER['HTTPS'])) {
-    if ($_SERVER['HTTPS'] == "on") {
-        $proto = "https";
-    } else {
-        $proto = "http";
-    }
+if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
+    $proto = "https";
+} else {
+    $proto = "http";
 }
 
 // Set mobile friendly viewport

From 6323d5afedfd06ca7a2e527b953bee415aee2a57 Mon Sep 17 00:00:00 2001
From: andofrjando <andofrjando@users.noreply.github.com>
Date: Fri, 22 Sep 2017 07:15:03 +0800
Subject: [PATCH 3/3] Use PHP short echo tag to avoid Codacy expecting an
 escaping function

---
 advanced/index.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/advanced/index.php b/advanced/index.php
index 62b861dc..a44423e3 100644
--- a/advanced/index.php
+++ b/advanced/index.php
@@ -208,10 +208,10 @@ if (explode("-", $phVersion)[1] != "0")
   <?=setHeader() ?>
   <meta name="robots" content="noindex,nofollow"/>
   <meta http-equiv="x-dns-prefetch-control" content="off">
-  <link rel="shortcut icon" href="<?php echo $proto; ?>://pi.hole/admin/img/favicon.png" type="image/x-icon"/>
-  <link rel="stylesheet" href="<?php echo $proto; ?>://pi.hole/pihole/blockingpage.css" type="text/css"/>
+  <link rel="shortcut icon" href="<?=$proto ?>://pi.hole/admin/img/favicon.png" type="image/x-icon"/>
+  <link rel="stylesheet" href="<?=$proto ?>://pi.hole/pihole/blockingpage.css" type="text/css"/>
   <title>● <?=$serverName ?></title>
-  <script src="<?php echo $proto; ?>://pi.hole/admin/scripts/vendor/jquery.min.js"></script>
+  <script src="<?=$proto ?>://pi.hole/admin/scripts/vendor/jquery.min.js"></script>
   <script>
     window.onload = function () {
       <?php