Merge pull request #466 from pi-hole/fix/csrf-security

Add CSRF token
pi-hole · Apr 6, 2017 · 52a5fb6 · 52a5fb6
2 parents acc8334 + 3d0a350
commit 52a5fb6
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 6 deletions.
diff --git a/scripts/pi-hole/js/debug.js b/scripts/pi-hole/js/debug.js
@@ -29,20 +29,21 @@ function eventsource() {
     var ta = $("#output");
     var upload = $( "#upload" );
     var checked = "";
+    var token = encodeURIComponent($("#token").html());
 
     if(upload.prop("checked"))
     {
-      checked = "upload";
+        checked = "upload";
     }
 
     // IE does not support EventSource - load whole content at once
     if (typeof EventSource !== "function") {
-        httpGet(ta,"/admin/scripts/pi-hole/php/debug.php?IE&"+checked);
+        httpGet(ta,"/admin/scripts/pi-hole/php/debug.php?IE&token="+token+"&"+checked);
         return;
     }
 
     var host = window.location.host;
-    var source = new EventSource("/admin/scripts/pi-hole/php/debug.php?"+checked);
+    var source = new EventSource("/admin/scripts/pi-hole/php/debug.php?&token="+token+"&"+checked);
 
     // Reset and show field
     ta.empty();

diff --git a/scripts/pi-hole/php/debug.php b/scripts/pi-hole/php/debug.php
@@ -5,6 +5,18 @@
 header('Content-Type: text/event-stream');
 header('Cache-Control: no-cache');
 
+require "password.php";
+require "auth.php";
+
+if(!$auth) {
+    die("Unauthorized");
+}
+
+check_cors();
+
+$token = isset($_GET["token"]) ? $_GET["token"] : "";
+check_csrf($token);
+
 function echoEvent($datatext) {
     if(!isset($_GET["IE"]))
       echo "data: ".implode("\ndata: ", explode("\n", $datatext))."\n\n";

diff --git a/scripts/pi-hole/php/header.php b/scripts/pi-hole/php/header.php
@@ -12,6 +12,12 @@
 
     check_cors();
 
+    // Generate CSRF token
+    if(empty($_SESSION['token'])) {
+        $_SESSION['token'] = base64_encode(openssl_random_pseudo_bytes(32));
+    }
+    $token = $_SESSION['token'];
+
     // Try to get temperature value from different places (OS dependent)
     if(file_exists("/sys/class/thermal/thermal_zone0/temp"))
     {
@@ -201,6 +207,11 @@
         <p>To enable Javascript click <a href="http://www.enable-javascript.com/" target="_blank">here</a></p><label for="js-hide">Close</label></div>
 </div>
 <!-- /JS Warning -->
+<?php
+if($auth) {
+    echo "<div id='token' hidden>$token</div>";
+}
+?>
 <script src="scripts/pi-hole/js/header.js"></script>
 <!-- Send token to JS -->
 <div id="token" hidden><?php if($auth) echo $token; ?></div>

diff --git a/scripts/pi-hole/php/savesettings.php b/scripts/pi-hole/php/savesettings.php
@@ -159,6 +159,9 @@ function readAdlists()
 
 	if(isset($_POST["field"]))
 	{
+		// Handle CSRF
+		check_csrf(isset($_POST["token"]) ? $_POST["token"] : "");
+
 		// Process request
 		switch ($_POST["field"]) {
 			// Set DNS server

diff --git a/scripts/pi-hole/php/teleporter.php b/scripts/pi-hole/php/teleporter.php
@@ -7,11 +7,13 @@
 *  Please see LICENSE file for your rights under this license. */
 
 require "password.php";
+require "auth.php"; // Also imports func.php
+
 if (php_sapi_name() !== "cli") {
 	if(!$auth) die("Not authorized");
+	check_csrf(isset($_POST["token"]) ? $_POST["token"] : "");
 }
 
-require('func.php');
 function process_zip($name)
 {
 	global $zip;

diff --git a/settings.php b/settings.php
@@ -1,4 +1,4 @@
-<?php /* 
+<?php /*
 *    Pi-hole: A black hole for Internet advertisements
 *    (c) 2017 Pi-hole, LLC (https://pi-hole.net)
 *    Network-wide ad blocking via your own hardware.
@@ -400,6 +400,7 @@ function convertseconds($argument) {
 			</div>
 			<div class="box-footer">
 				<input type="hidden" name="field" value="DHCP">
+				<input type="hidden" name="token" value="<?php echo $token ?>">
 				<button type="submit" class="btn btn-primary pull-right">Save</button>
 			</div>
 			</form>
@@ -596,6 +597,7 @@ function convertseconds($argument) {
 			</div>
 			<div class="box-footer">
 				<input type="hidden" name="field" value="DNS">
+				<input type="hidden" name="token" value="<?php echo $token ?>">
 				<button type="submit" class="btn btn-primary pull-right">Save</button>
 			</div>
 			</form>
@@ -637,6 +639,7 @@ function convertseconds($argument) {
 				<form role="form" method="post">
 				<button type="button" class="btn btn-default confirm-flushlogs">Flush logs</button>
 				<input type="hidden" name="field" value="Logging">
+				<input type="hidden" name="token" value="<?php echo $token ?>">
 				<?php if($piHoleLogging) { ?>
 					<input type="hidden" name="action" value="Disable">
 					<button type="submit" class="btn btn-primary pull-right">Disable query logging</button>
@@ -757,6 +760,7 @@ function convertseconds($argument) {
 			</div>
 			<div class="box-footer">
 				<input type="hidden" name="field" value="API">
+				<input type="hidden" name="token" value="<?php echo $token ?>">
 				<button type="button" class="btn btn-primary api-token">Show API token</button>
 				<button type="submit" class="btn btn-primary pull-right">Save</button>
 			</div>
@@ -808,6 +812,7 @@ function convertseconds($argument) {
 			</div>
 			<div class="box-footer">
 				<input type="hidden" name="field" value="webUI">
+				<input type="hidden" name="token" value="<?php echo $token ?>">
 				<button type="submit" class="btn btn-primary pull-right">Save</button>
 			</div>
 			</form>
@@ -839,12 +844,15 @@ function convertseconds($argument) {
 
 				<form role="form" method="post" id="rebootform">
 					<input type="hidden" name="field" value="reboot">
+					<input type="hidden" name="token" value="<?php echo $token ?>">
 				</form>
 				<form role="form" method="post" id="restartdnsform">
 					<input type="hidden" name="field" value="restartdns">
+					<input type="hidden" name="token" value="<?php echo $token ?>">
 				</form>
 				<form role="form" method="post" id="flushlogsform">
 					<input type="hidden" name="field" value="flushlogs">
+					<input type="hidden" name="token" value="<?php echo $token ?>">
 				</form>
 			</div>
 		</div>
@@ -883,6 +891,7 @@ function get_FTL_data($arg)
 			<div class="box-body">
 			<?php if (extension_loaded('zip')) { ?>
 				<form role="form" method="post" id="takeoutform" action="scripts/pi-hole/php/teleporter.php" target="_blank"  enctype="multipart/form-data">
+					<input type="hidden" name="token" value="<?php echo $token ?>">
 					<div class="col-lg-12">
 						<p>Export your Pi-hole lists as downloadable ZIP file</p>
 						<button type="submit" class="btn btn-default">Export</button>
@@ -912,7 +921,7 @@ function get_FTL_data($arg)
 					</div>
 				</form>
 			<?php } else { ?>
-				<p>The PHP extension <tt>zip</tt> is not loaded. Please ensure it is installed and loaded if you want to use the Pi-hole teleporter.</p>
+				<p>The PHP extension <code>zip</code> is not loaded. Please ensure it is installed and loaded if you want to use the Pi-hole teleporter.</p>
 			<?php } ?>
 			</div>
 		</div>