Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update api.php?setTempUnit function to require authentication #3077

Merged
merged 1 commit into from
Jul 22, 2024
Merged

Update api.php?setTempUnit function to require authentication #3077

merged 1 commit into from
Jul 22, 2024

Conversation

kiyell
Copy link

@kiyell kiyell commented Jul 16, 2024
edited
Loading

Thank you for your contribution to the Pi-hole Community!

Please read the comments below to help us consider your Pull Request.

We are all volunteers and completing the process outlined will help us review your commits quicker.

Please make sure you

  1. Base your code and PRs against the repositories developmental branch.
  2. Sign Off all commits as we enforce the DCO for all contributions
  3. Sign all your commits as they must have verified signatures
  4. File a pull request for any change that requires changes to our documentation at our documentation repo

What does this PR aim to accomplish?:

There was a lack of a check to the $auth variable. This allowed any unauthenticated user to change the CPU temperature unit displayed of the pi-hole application. Adding the check of this variable fixes this issue.

The absence of authentication of this function was deemed not a security risk but maintainers were open to a potential merge depending on the release of v6.

Report: https://github.com/pi-hole/web/security/advisories/GHSA-mffw-5jmg-9wjq

How does this PR accomplish the above?:

Added && $auth authorization check before using setTempUnit parameter to change temperature.

Link documentation PRs if any are needed to support this PR:

N/A

By submitting this pull request, I confirm the following:

  1. I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
  2. I have commented my proposed changes within the code and I have tested my changes.
  3. I am willing to help maintain this change if there are issues with it later.
  4. It is compatible with the EUPL 1.2 license
  5. I have squashed any insignificant commits. (git rebase)
  6. I have checked that another pull request for this purpose does not exist.
  7. I have considered, and confirmed that this submission will be valuable to others.
  8. I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  9. I give this submission freely, and claim no ownership to its content.
  • I have read the above and my PR is ready for review. Check this box to confirm

@kiyell
Update api.php?setTempUnit function to require authentication
50a22f8 
There was a lack of a check to the $auth variable. This allowed any unauthenticated user to change the temperature unit of the pi-hole application. Adding the check of this variable fixes this issue.

The absence of authentication of this function was deemed not a security risk but maintainers were open to a potential merge depending on the release of v6.

Report: https://github.com/pi-hole/web/security/advisories/GHSA-mffw-5jmg-9wjq

Signed-off-by: kiyell <kysoftware@gmail.com>
@yubiuser yubiuser requested a review from a team July 17, 2024 20:12
@PromoFaux PromoFaux merged commit 0fe05b3 into pi-hole:devel Jul 22, 2024
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yubiuser yubiuser yubiuser approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kiyell @yubiuser @PromoFaux