From e5c7549f8f431a51601e3d8b1be6f439c2a0618d Mon Sep 17 00:00:00 2001
From: Craig Mayhew <craig@mayhew.io>
Date: Sun, 16 Aug 2020 17:43:15 +0100
Subject: [PATCH 1/2] Fixed potential security issue with $landPage receiving
 variables

Signed-off-by: craigmayhew <craig@mayhew.io>
---
 advanced/index.php | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/advanced/index.php b/advanced/index.php
index 5a683c8e..f0ac382b 100644
--- a/advanced/index.php
+++ b/advanced/index.php
@@ -55,7 +55,16 @@ if ($serverName === "pi.hole"
     // Redirect to Web Interface
     exit(header("Location: /admin"));
 } elseif (filter_var($serverName, FILTER_VALIDATE_IP) || in_array($serverName, $authorizedHosts)) {
-    // Set Splash Page output
+    // When directly browsing via IP or authorized hostname
+    // Render splash/landing page based off presence of $landPage file
+    // If $landPage file is present
+    if (is_file(getcwd()."/$landPage")) {
+        //Unset variables so as to not be included in $landPage
+        unset($serverName, $svPasswd, $svEmail, $authorizedHosts, $validExtTypes, $currentUrlExt, $viewPort);
+        include $landPage;
+        exit();
+    }
+    // If $landPage file was not present, Set Splash Page output
     $splashPage = "
     <!doctype html>
     <html lang='en'>
@@ -74,15 +83,7 @@ if ($serverName === "pi.hole"
         </body>
     </html>
     ";
-
-    // Set splash/landing page based off presence of $landPage
-    $renderPage = is_file(getcwd()."/$landPage") ? include $landPage : "$splashPage";
-
-    // Unset variables so as to not be included in $landPage
-    unset($serverName, $svPasswd, $svEmail, $authorizedHosts, $validExtTypes, $currentUrlExt, $viewPort);
-
-    // Render splash/landing page when directly browsing via IP or authorized hostname
-    exit($renderPage);
+    exit($splashPage);
 } elseif ($currentUrlExt === "js") {
     // Serve Pi-hole JavaScript for blocked domains requesting JS
     exit(setHeader("js").'var x = "Pi-hole: A black hole for Internet advertisements."');

From 95a28ae1257e1500d2b1ff1fb910698d6f4834ba Mon Sep 17 00:00:00 2001
From: Craig Mayhew <craig@mayhew.io>
Date: Wed, 28 Oct 2020 18:29:22 +0000
Subject: [PATCH 2/2] unset() now also occurs for $splashPage

After some email discussion with Adam, there is a preference to also prevent $splashPage from using variables

Signed-off-by: craigmayhew <craig@mayhew.io>
---
 advanced/index.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/advanced/index.php b/advanced/index.php
index f0ac382b..ca8c35e4 100644
--- a/advanced/index.php
+++ b/advanced/index.php
@@ -57,10 +57,10 @@ if ($serverName === "pi.hole"
 } elseif (filter_var($serverName, FILTER_VALIDATE_IP) || in_array($serverName, $authorizedHosts)) {
     // When directly browsing via IP or authorized hostname
     // Render splash/landing page based off presence of $landPage file
+    // Unset variables so as to not be included in $landPage or $splashPage
+    unset($serverName, $svPasswd, $svEmail, $authorizedHosts, $validExtTypes, $currentUrlExt, $viewPort);
     // If $landPage file is present
     if (is_file(getcwd()."/$landPage")) {
-        //Unset variables so as to not be included in $landPage
-        unset($serverName, $svPasswd, $svEmail, $authorizedHosts, $validExtTypes, $currentUrlExt, $viewPort);
         include $landPage;
         exit();
     }