Merge pull request #2296 from pi-hole/development

Pi-hole FTL v6.0.3
pi-hole · Feb 28, 2025 · 37f9a96 · 37f9a96
2 parents ac500d5 + f0a4ac1
commit 37f9a96
Show file tree

Hide file tree

Showing 39 changed files with 541 additions and 235 deletions.
diff --git a/patch/civetweb.sh b/patch/civetweb.sh
@@ -20,4 +20,7 @@ patch -p1 < patch/civetweb/0001-Register-CSRF-token-in-conn-request_info.patch
 echo "Applying patch 0001-Log-debug-messages-to-webserver.log-when-debug.webse.patch"
 patch -p1 < patch/civetweb/0001-Log-debug-messages-to-webserver.log-when-debug.webse.patch
 
+echo "Applying patch 0001-Expose-bound-to-addresses-from-CivetWeb-to-the-front.patch"
+patch -p1 < patch/civetweb/0001-Expose-bound-to-addresses-from-CivetWeb-to-the-front.patch
+
 echo "ALL PATCHES APPLIED OKAY"
diff --git a/patch/civetweb/0001-Expose-bound-to-addresses-from-CivetWeb-to-the-front.patch b/patch/civetweb/0001-Expose-bound-to-addresses-from-CivetWeb-to-the-front.patch
@@ -0,0 +1,50 @@
+From 0bee9e9f7942c5b73a715eaeadf5ab2d09a8c74d Mon Sep 17 00:00:00 2001
+From: DL6ER <[email protected]>
+Date: Sat, 22 Feb 2025 18:33:25 +0100
+Subject: [PATCH] Expose bound-to addresses from CivetWeb to the frontend
+
+Signed-off-by: DL6ER <[email protected]>
+---
+ src/webserver/civetweb/civetweb.c | 1 +
+ src/webserver/civetweb/civetweb.h | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/src/webserver/civetweb/civetweb.c b/src/webserver/civetweb/civetweb.c
+index fa908e54..66fcab01 100644
+--- a/src/webserver/civetweb/civetweb.c
++++ b/src/webserver/civetweb/civetweb.c
+@@ -3339,6 +3339,7 @@ mg_get_server_ports(const struct mg_context *ctx,
+ 		ports[cnt].is_ssl = ctx->listening_sockets[i].is_ssl;
+ 		ports[cnt].is_redirect = ctx->listening_sockets[i].ssl_redir;
+ 		ports[cnt].is_optional = ctx->listening_sockets[i].is_optional;
++		memcpy(&ports[cnt].addr, &ctx->listening_sockets[i].lsa, sizeof(ports[cnt].addr));
+
+ 		if (ctx->listening_sockets[i].lsa.sa.sa_family == AF_INET) {
+ 			/* IPv4 */
+diff --git a/src/webserver/civetweb/civetweb.h b/src/webserver/civetweb/civetweb.h
+index eee958b4..6dcfa457 100644
+--- a/src/webserver/civetweb/civetweb.h
++++ b/src/webserver/civetweb/civetweb.h
+@@ -23,6 +23,8 @@
+ #ifndef CIVETWEB_HEADER_INCLUDED
+ #define CIVETWEB_HEADER_INCLUDED
+
++#include <netinet/in.h> /* Pi-hole extension */
++
+ #define CIVETWEB_VERSION "1.17"
+ #define CIVETWEB_VERSION_MAJOR (1)
+ #define CIVETWEB_VERSION_MINOR (17)
+@@ -721,6 +723,10 @@ struct mg_server_port {
+ 	int _reserved2;
+ 	int _reserved3;
+ 	int _reserved4;
++   union {
++     struct sockaddr_in sa4; /* Pi-hole extension */
++     struct sockaddr_in6 sa6; /* Pi-hole extension */
++   } addr;
+ };
+
+ /* Legacy name */
+-- 
+2.43.0
+
diff --git a/src/FTL.h b/src/FTL.h
@@ -59,11 +59,11 @@
 #define MAXITER 1000
 
 // How many hours do we want to store in FTL's memory? [hours]
-#define MAXLOGAGE 24
+#define MAXLOGAGE 24u
 
 // Interval for overTime data [seconds]
 // Default: 600 (10 minutes)
-#define OVERTIME_INTERVAL 600
+#define OVERTIME_INTERVAL 600u
 
 // How many overTime slots do we need?
 // This is the maximum log age divided by the overtime interval

diff --git a/src/api/2fa.c b/src/api/2fa.c
@@ -13,8 +13,6 @@
 #include "webserver/json_macros.h"
 #include "log.h"
 #include "config/config.h"
-// getrandom()
-#include "daemon.h"
 // generate_password()
 #include "config/password.h"
 
@@ -269,10 +267,8 @@ int generateTOTP(struct ftl_conn *api)
 {
 	// Generate random secret using the system's random number generator
 	uint8_t random_secret[RFC6238_SECRET_LEN];
-	if(getrandom(random_secret, sizeof(random_secret), 0) < (ssize_t)sizeof(random_secret))
-	{
+	if(!get_secure_randomness(random_secret, sizeof(random_secret)))
 		return send_json_error(api, 500, "internal_error", "Failed to generate random secret", strerror(errno));
-	}
 
 	// Encode base32 secret
 	const size_t base32_len = sizeof(random_secret)*8/5+1;

diff --git a/src/api/auth.c b/src/api/auth.c
@@ -401,7 +401,7 @@ static int send_api_auth_status(struct ftl_conn *api, const int user_id, const t
 			const int code = delete_session(user_id) ? 204 : 404;
 
 			// Send empty reply with appropriate HTTP status code
-			send_http_code(api, "application/json; charset=utf-8", code, "");
+			send_http_code(api, NULL, code, "");
 			return code;
 		}
 		else
@@ -435,11 +435,9 @@ static int send_api_auth_status(struct ftl_conn *api, const int user_id, const t
 static void generateSID(char *sid)
 {
 	uint8_t raw_sid[SID_SIZE];
-	if(getrandom(raw_sid, sizeof(raw_sid), 0) < 0)
-	{
-		log_err("getrandom() failed in generateSID()");
+	if(!get_secure_randomness(raw_sid, sizeof(raw_sid)))
 		return;
-	}
+
 	base64_encode_raw(NETTLE_SIGN sid, SID_BITSIZE/8, raw_sid);
 	sid[SID_SIZE-1] = '\0';
 }

diff --git a/src/api/config.c b/src/api/config.c
@@ -1008,6 +1008,7 @@ static int api_config_put_delete(struct ftl_conn *api)
 			if(!new_item->c(&new_item->v, new_item->k, errbuf))
 			{
 				free_config(&newconf);
+				free_config_path(requested_path);
 				return send_json_error(api, 400,
 				                       "bad_request",
 				                       "Invalid value",
@@ -1032,13 +1033,15 @@ static int api_config_put_delete(struct ftl_conn *api)
 	// Error 404 if config element not found
 	if(!found)
 	{
+		free_config(&newconf);
 		cJSON *json = JSON_NEW_OBJECT();
 		JSON_SEND_OBJECT_CODE(json, 404);
 	}
 
 	// Error 400 if unique item already present
 	if(message != NULL)
 	{
+		free_config(&newconf);
 		return send_json_error(api, 400,
 		                       "bad_request",
 		                       message,
@@ -1081,8 +1084,17 @@ static int api_config_put_delete(struct ftl_conn *api)
 
 	// Send empty reply with matching HTTP status code
 	// 201 - Created or 204 - No content
-	cJSON *json = JSON_NEW_OBJECT();
-	JSON_SEND_OBJECT_CODE(json, api->method == HTTP_PUT ? 201 : 204);
+	if(api->method == HTTP_PUT)
+	{
+		cJSON *json = JSON_NEW_OBJECT();
+		JSON_SEND_OBJECT_CODE(json, 201);
+	}
+	else
+	{
+		// 204 - No content
+		send_http_code(api, NULL, 204, "");
+		return 204;
+	}
 }
 
 // Endpoint /api/config router

diff --git a/src/api/docs/content/specs/clients.yaml b/src/api/docs/content/specs/clients.yaml
@@ -55,8 +55,8 @@ components:
                   - $ref: 'clients.yaml#/components/schemas/clients/put'
                   - $ref: 'common.yaml#/components/schemas/took'
         responses:
-          '201':
-            description: Created item
+          '200':
+            description: Created or Updated Item
             content:
               application/json:
                 schema:

diff --git a/src/api/docs/content/specs/config.yaml b/src/api/docs/content/specs/config.yaml
@@ -409,6 +409,10 @@ components:
                   type: string
                 threads:
                   type: integer
+                headers:
+                  type: array
+                  items:
+                    type: string
                 session:
                   type: object
                   properties:
@@ -744,6 +748,12 @@ components:
             acl: "+0.0.0.0/0,::/0"
             port: 80,[::]:80
             threads: 0
+            headers:
+              - "Content-Security-Policy: default-src 'self' 'unsafe-inline';"
+              - "X-Frame-Options: DENY"
+              - "X-XSS-Protection: 0"
+              - "X-Content-Type-Options: nosniff"
+              - "Referrer-Policy: strict-origin-when-cross-origin"
             session:
               timeout: 300
               restore: true

diff --git a/src/api/docs/content/specs/domains.yaml b/src/api/docs/content/specs/domains.yaml
@@ -79,8 +79,8 @@ components:
                   - $ref: 'domains.yaml#/components/schemas/domains/put'
                   - $ref: 'common.yaml#/components/schemas/took'
         responses:
-          '201':
-            description: Created domain
+          '200':
+            description: Created or Updated domain
             content:
               application/json:
                 schema:

diff --git a/src/api/docs/content/specs/groups.yaml b/src/api/docs/content/specs/groups.yaml
@@ -54,8 +54,8 @@ components:
               schema:
                 $ref: 'groups.yaml#/components/schemas/groups/put'
         responses:
-          '201':
-            description: Created item
+          '200':
+            description: Created or Updated Item
             content:
               application/json:
                 schema:

diff --git a/src/api/docs/content/specs/history.yaml b/src/api/docs/content/specs/history.yaml
@@ -8,7 +8,7 @@ components:
           - Metrics
         operationId: "get_activity_metrics"
         description: |
-          Request data needed to generate the \"Query over last 24 hours\" graph. The sum of the values in the individual data arrays may be smaller than the total number of queries for the corresponding timestamp. The remaining queries are queries that do not fit into the shown categories (e.g. database busy, unknown status queries, etc.).
+          Request data needed to generate the total queries over time graph. The sum of the values in the individual data arrays may be smaller than the total number of queries for the corresponding timestamp. The remaining queries are queries that do not fit into the shown categories (e.g. database busy, unknown status queries, etc.).
         responses:
           '200':
             description: OK

diff --git a/src/api/docs/content/specs/lists.yaml b/src/api/docs/content/specs/lists.yaml
@@ -54,8 +54,8 @@ components:
               schema:
                 $ref: 'lists.yaml#/components/schemas/lists/put'
         responses:
-          '201':
-            description: Created item
+          '200':
+            description: Created or Updated Item
             content:
               application/json:
                 schema:

diff --git a/src/api/history.c b/src/api/history.c
@@ -18,14 +18,17 @@
 #include "overTime.h"
 // config struct
 #include "config/config.h"
+// get_max_overtime_slot()
+#include "gc.h"
 
 int api_history(struct ftl_conn *api)
 {
 	lock_shm();
 
-	// Loop over all overTime slots and add them to the array
 	cJSON *history = JSON_NEW_ARRAY();
-	for(unsigned int slot = 0; slot < OVERTIME_SLOTS; slot++)
+	const unsigned int max_slot = get_max_overtime_slot();
+	// Loop over all overTime slots and add them to the array
+	for(unsigned int slot = 0; slot <= max_slot; slot++)
 	{
 		cJSON *item = JSON_NEW_OBJECT();
 		JSON_ADD_NUMBER_TO_OBJECT(item, "timestamp", overTime[slot].timestamp);
@@ -148,7 +151,8 @@ int api_history_clients(struct ftl_conn *api)
 	int others_total = 0;
 
 	cJSON *history = JSON_NEW_ARRAY();
-	for(unsigned int slot = 0; slot < OVERTIME_SLOTS; slot++)
+	const unsigned int max_slot = get_max_overtime_slot();
+	for(unsigned int slot = 0; slot <= max_slot; slot++)
 	{
 		cJSON *item = JSON_NEW_OBJECT();
 		JSON_ADD_NUMBER_TO_OBJECT(item, "timestamp", overTime[slot].timestamp);

diff --git a/src/api/info.c b/src/api/info.c
@@ -974,16 +974,9 @@ static int api_info_messages_DELETE(struct ftl_conn *api)
 		char *endptr = NULL;
 		long int idval = strtol(token, &endptr, 10);
 		if(errno != 0 || endptr == token || *endptr != '\0' || idval < 0)
-		{
-			// Send error reply
-			free(id);
-			return send_json_error(api, 400, // 400 Bad Request
-			                       "uri_error",
-			                       "Invalid ID in path",
-			                       api->action_path);
-		}
-
-		cJSON_AddNumberToObject(ids, "id", idval);
+			log_warn("API: URI error - skipping invalid ID in path (%s): %s", api->action_path, token);
+		else
+			cJSON_AddNumberToArray(ids, idval);
 
 		// Get next token
 		token = strtok_r(NULL, ",", &saveptr);