various pages accessible without being admin #465
Comments
koenbuyens
changed the title
|
This is intended behavior since the querying for which adlist contains a specific domain is done by the blocking page |
|
We opened up this function to unauthenticated users because, as mentioned, the block page uses this feature, and currently we don't think it leaks any sensitive information or requires authentication. |
|
Ah, missed that section, sorry. That should be protected. |
|
I think a decent compromise for securing Edit: Ah, you're probably right @Mcat12. Any block page would need to be modified to use |
|
Then the blocking page and web interface (via |
In raising this issue, I confirm the following (please check boxes, eg [X] - no spaces) Failure to fill the template will close your issue:
How familiar are you with the codebase?:
3
[FEATURE REQUEST | QUESTION | OTHER]:
Please submit your feature request here, so it is votable by the community. It's also easier for us to track.
[BUG | ISSUE] Expected Behaviour:
non-authenticated users should not be able to find ad domain in lists, access debug logs, etc.
[BUG | ISSUE] Actual Behaviour:
non-authenticated users can find ad domain in lists, access debug logs, etc
[BUG | ISSUE] Steps to reproduce:
Browse to http://pi.hole/admin/queryads/php Notice that one receives the login screen; i.e. one needs to be authenticated in order to view this page.
Browse to http://pi.hole/admin/scripts/pi-hole/php/queryads.php?domain=google.com and notice that one gets the result.
Browse to http://pi.hole/admin/scripts/pi-hole/php/debug.php?upload and notice that on gets debug logs.
(Optional) Debug token generated by
pihole -d:<token>This template was created based on the work of
udemy-dl.The text was updated successfully, but these errors were encountered: