From 4f2cee505e4f2e9b369a321063ff2c5e0c34ba45 Mon Sep 17 00:00:00 2001
From: namiltd <namiltd@users.noreply.github.com>
Date: Wed, 24 May 2023 10:39:48 +0200
Subject: [PATCH] Disable JSONP data mode by default for security reasons

---
 phpsysinfo.ini.new | 7 +++++++
 read_config.php    | 5 +++++
 2 files changed, 12 insertions(+)

diff --git a/phpsysinfo.ini.new b/phpsysinfo.ini.new
index f2c90f24..25b67c26 100644
--- a/phpsysinfo.ini.new
+++ b/phpsysinfo.ini.new
@@ -47,6 +47,13 @@ ADD_PATHS=false
 ;
 ALLOWED=false
 
+; Enable JSONP data mode (e.g. /phpsysinfo/xml.php?plugin=complete&jsonp&callback=getData)
+; Disabled by default for security reasons.
+; - false : JSONP data mode disabled
+; - true : JSONP data mode enabled
+;
+;JSONP=false
+
 ; List of sudo commands
 ; Example : SUDO_COMMANDS="iptables-save" //execute "sudo iptables-save" instead "iptables-save"
 ;           SUDO_COMMANDS=false //no sudo commands
diff --git a/read_config.php b/read_config.php
index 17d0683a..53fbf38e 100644
--- a/read_config.php
+++ b/read_config.php
@@ -89,6 +89,11 @@
         }
     }
 
+    if (isset($_GET['jsonp']) && (!defined('PSI_JSONP') || !PSI_JSONP)) {
+        echo "JSONP data mode not enabled in phpsysinfo.ini.";
+        die();
+    }
+
     /* default error handler */
     if (function_exists('errorHandlerPsi')) {
         restore_error_handler();
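Review bot: The new guard in read_config.php rejects a disabled-mode request with a bare `echo` followed by `die()`, so the client still receives an HTTP 200 with a text body; an explicit status would make the refusal visible to callers and monitoring, e.g. `http_response_code(403);` placed before the `echo`. The check keys only on `$_GET['jsonp']`, which matches the URL form documented in the ini comment, but if any entry point reads the flag from `$_REQUEST` or `$_POST` it would bypass this guard — worth confirming against xml.php, which is outside this hunk. Disabling the mode by default also leaves the `callback` parameter unvalidated for installations that turn JSONP on; wherever that value is written into the response (not visible here) it should still be constrained to a JavaScript identifier pattern such as `/^[A-Za-z_$][A-Za-z0-9_$.]*$/`. The enclosing code in read_config.php begins before this hunk, so the placement relative to other request-parameter handling is inferred, not verified.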