Add CSRF token #466

Merged
merged 6 commits into from
Apr 6, 2017

Conversation

AzureMarker
Contributor

By submitting this pull request, I confirm the following (please check the boxes, e.g. [X], no spaces). Failure to fill in the template will close your PR:

Please submit all pull requests against the development branch. Failure to do so will delay or deny your request.

  • I have read and understood the contributors guide.
  • I have checked that another pull request for this purpose does not exist.
  • I have considered, and confirmed that this submission will be valuable to others.
  • I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  • I give this submission freely, and claim no ownership to its content.

How familiar are you with the codebase?:

10


Fix #463 and #465 by adding a CSRF token requirement to settings page actions and securing the debug log.

This template was created based on the work of udemy-dl.

@AzureMarker AzureMarker requested a review from DL6ER April 3, 2017 00:07
@AzureMarker AzureMarker changed the title Fix/csrf security Add CSRF token Apr 3, 2017
settings.php Outdated
@@ -863,6 +871,7 @@ function get_FTL_data($arg)
<label for="zip_file">File input</label>
<input type="file" name="zip_file" id="zip_file">
<p class="help-block">Upload only Pi-hole backup files.</p>
<input type="hidden" name="token" value="<?php echo $token ?>">
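Review bot: the hidden field on the last line of this hunk echoes `$token` unescaped via `<?php echo $token ?>`; if the token is generated as hex that is harmless, but wrapping it as `htmlspecialchars($token, ENT_QUOTES)` keeps the attribute well-formed no matter how the token is produced. Separately, the hidden field only protects this form if the script it posts to rejects a missing or mismatched token server-side before touching any uploaded file, so that check belongs in the form's action script, not only on the settings page.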
Member

This sends the token only for Import but not for Export (23 lines further up). Also note that this form's action is scripts/pi-hole/php/teleporter.php, which does not check the CSRF token at all.

Contributor Author

It's under the same <form> tag, so I think it does send the token. I added the CSRF check to teleporter and relocated the token just to be sure.
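The thread above makes the point that a hidden token field on the settings page only helps if every script the form posts to validates it. The following is an added example of that pattern, not Pi-hole's own code: the function names (`csrf_token`, `csrf_hidden_field`, `csrf_check`) are hypothetical, and it assumes a session-stored token under the same field name `token` the hunk uses.

```php
<?php
// Added example, not from the Pi-hole code base: one session token, emitted
// into the form as a hidden field and verified by every action script.

function csrf_token(): string {
    // One token per session, drawn from a CSPRNG on first use.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

function csrf_hidden_field(): string {
    // Escape before echoing into the attribute so the value cannot break out of it.
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_check(array $post, array $session): bool {
    // Both values must exist and be strings; compare in constant time.
    if (!isset($post['token'], $session['token'])
        || !is_string($post['token']) || !is_string($session['token'])) {
        return false;
    }
    return hash_equals($session['token'], $post['token']);
}

// In each action script the settings form posts to (e.g. teleporter.php),
// run the check before any state-changing work or file handling:
// if (!csrf_check($_POST, $_SESSION)) { http_response_code(403); exit('Invalid token'); }
```

Because the hidden field is inside the same form element, it is submitted with every button in that form; the check still has to exist in each script that receives it.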

@DL6ER
Member

DL6ER commented Apr 5, 2017

Approved

@AzureMarker AzureMarker merged commit 52a5fb6 into devel Apr 6, 2017
@AzureMarker AzureMarker deleted the fix/csrf-security branch April 6, 2017 20:22