mirror of
https://github.com/pi-hole/pi-hole
synced 2024-12-22 14:58:08 +00:00
Merge pull request #3819 from craigmayhew/landing-page-security
Fixed potential security issue with $landPage receiving variables
This commit is contained in:
commit
89d94ac3d1
@ -55,7 +55,16 @@ if ($serverName === "pi.hole"
|
|||||||
// Redirect to Web Interface
|
// Redirect to Web Interface
|
||||||
exit(header("Location: /admin"));
|
exit(header("Location: /admin"));
|
||||||
} elseif (filter_var($serverName, FILTER_VALIDATE_IP) || in_array($serverName, $authorizedHosts)) {
|
} elseif (filter_var($serverName, FILTER_VALIDATE_IP) || in_array($serverName, $authorizedHosts)) {
|
||||||
// Set Splash Page output
|
// When directly browsing via IP or authorized hostname
|
||||||
|
// Render splash/landing page based off presence of $landPage file
|
||||||
|
// Unset variables so as to not be included in $landPage or $splashPage
|
||||||
|
unset($serverName, $svPasswd, $svEmail, $authorizedHosts, $validExtTypes, $currentUrlExt, $viewPort);
|
||||||
|
// If $landPage file is present
|
||||||
|
if (is_file(getcwd()."/$landPage")) {
|
||||||
|
include $landPage;
|
||||||
|
exit();
|
||||||
|
}
|
||||||
|
// If $landPage file was not present, Set Splash Page output
|
||||||
$splashPage = "
|
$splashPage = "
|
||||||
<!doctype html>
|
<!doctype html>
|
||||||
<html lang='en'>
|
<html lang='en'>
|
||||||
@ -74,15 +83,7 @@ if ($serverName === "pi.hole"
|
|||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
";
|
";
|
||||||
|
exit($splashPage);
|
||||||
// Set splash/landing page based off presence of $landPage
|
|
||||||
$renderPage = is_file(getcwd()."/$landPage") ? include $landPage : "$splashPage";
|
|
||||||
|
|
||||||
// Unset variables so as to not be included in $landPage
|
|
||||||
unset($serverName, $svPasswd, $svEmail, $authorizedHosts, $validExtTypes, $currentUrlExt, $viewPort);
|
|
||||||
|
|
||||||
// Render splash/landing page when directly browsing via IP or authorized hostname
|
|
||||||
exit($renderPage);
|
|
||||||
} elseif ($currentUrlExt === "js") {
|
} elseif ($currentUrlExt === "js") {
|
||||||
// Serve Pi-hole JavaScript for blocked domains requesting JS
|
// Serve Pi-hole JavaScript for blocked domains requesting JS
|
||||||
exit(setHeader("js").'var x = "Pi-hole: A black hole for Internet advertisements."');
|
exit(setHeader("js").'var x = "Pi-hole: A black hole for Internet advertisements."');
|
||||||
|
Loading…
Reference in New Issue
Block a user