Merge pull request #1737 from pi-hole/release/v5.4

Pi-hole web v5.4
pi-hole · Feb 16, 2021 · 989e1ba · 989e1ba
2 parents 1521dfe + 64b3656
commit 989e1ba
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/scripts/pi-hole/php/auth.php b/scripts/pi-hole/php/auth.php
@@ -83,7 +83,7 @@ function check_cors() {
         $server_origin = str_replace(array("[","]","http://","https://"), array("","","",""), $server_origin);
 
         if(!in_array($server_origin, $AUTHORIZED_HOSTNAMES)) {
-            log_and_die("Failed CORS: " . $server_origin .' vs '. join(', ', $AUTHORIZED_HOSTNAMES));
+            log_and_die("Failed CORS: " . htmlspecialchars($server_origin) .' vs '. join(', ', $AUTHORIZED_HOSTNAMES));
         }
         header("Access-Control-Allow-Origin: ${_SERVER['HTTP_ORIGIN']}");
     }
@@ -97,6 +97,11 @@ function check_csrf($token) {
         session_id() == "";
 
     if(!$session_started) {
+        // Start a new PHP session (or continue an existing one)
+        // Prevents javascript XSS attacks aimed to steal the session ID
+        ini_set('session.cookie_httponly', 1);
+        // Prevent Session ID from being passed through  URLs
+        ini_set('session.use_only_cookies', 1);
         session_start();
     }
 

diff --git a/scripts/pi-hole/php/password.php b/scripts/pi-hole/php/password.php
@@ -9,6 +9,10 @@
     require_once('func.php');
 
     // Start a new PHP session (or continue an existing one)
+    // Prevents javascript XSS attacks aimed to steal the session ID
+    ini_set('session.cookie_httponly', 1);
+    // Prevent Session ID from being passed through  URLs
+    ini_set('session.use_only_cookies', 1);
     session_start();
 
     // Read setupVars.conf file
@@ -39,7 +43,7 @@
     // Test if password is set
     if(strlen($pwhash) > 0)
     {
-        // Check for and authorize from persistent cookie 
+        // Check for and authorize from persistent cookie
         if (isset($_COOKIE["persistentlogin"]))
         {
             if (hash_equals($pwhash, $_COOKIE["persistentlogin"]))
@@ -61,6 +65,13 @@
             $postinput = hash('sha256',hash('sha256',$_POST["pw"]));
             if(hash_equals($pwhash, $postinput))
             {
+                // Regenerate session ID to prevent session fixation
+                session_regenerate_id();
+
+                // Clear the old session
+                $_SESSION = array();
+
+                // Set hash in new session
                 $_SESSION["hash"] = $pwhash;
 
                 // Login successful, redirect the user to the homepage to discard the POST request