Merge pull request #2829 from pi-hole/master

PromoFaux · web-flow · commit 348647067c46 · 2026-04-03T16:57:10.000+01:00
Sync master back into development
diff --git a/src/api/teleporter.c b/src/api/teleporter.c
@@ -229,6 +229,15 @@ static int api_teleporter_POST(struct ftl_conn *api)
 		                       "The current app session is not allowed to modify Pi-hole config settings (webserver.api.app_sudo is false)");
 	}
 
+	// Check if this is a CLI session and reject the request
+	if(api->session != NULL && api->session->cli)
+	{
+		return send_json_error(api, 403,
+		                       "forbidden",
+		                       "Unable to change configuration (read-only)",
+		                       "The current CLI session is not allowed to modify Pi-hole config settings");
+	}
+
 	struct upload_data data;
 	memset(&data, 0, sizeof(struct upload_data));
 	const struct mg_request_info *req_info = mg_get_request_info(api->conn);
diff --git a/test/api/checkAPI.py b/test/api/checkAPI.py
@@ -17,6 +17,7 @@
 from libs.responseVerifyer import ResponseVerifyer
 
 TRACE = False
+CLI_PW_FILE = "/etc/pihole/cli_pw"
 
 def main():
 	# OpenAPI specs are split into multiple files, this script extracts the endpoints from them
@@ -101,6 +102,33 @@ def main():
 			errs[2] += len(errors)
 		print("")
 
+	# Verify that Teleporter import is blocked for CLI sessions
+	print("Verifying FTL Teleporter import is blocked for CLI sessions...")
+	try:
+		with open(CLI_PW_FILE, "r", encoding="utf-8") as file:
+			cli_password = file.read().strip()
+	except FileNotFoundError:
+		cli_password = None
+
+	if cli_password is None or len(cli_password) == 0:
+		print("  Skipping (no CLI password available)")
+	else:
+		try:
+			ftl_cli = FTLAPI("http://127.0.0.1", cli_password)
+			response = ftl_cli.POST("/api/teleporter", json_data=None, files={"file": ('teleporter.zip', teleporter, 'application/zip')})
+			if response is None:
+				print("  Error: no response from FTL API")
+				errs[2] += 1
+			elif "error" not in response or response["error"].get("key") != "forbidden":
+				print("  Error: expected forbidden error, got: " + str(response))
+				errs[2] += 1
+			else:
+				print("  POST /api/teleporter (CLI session): OK (blocked)")
+		except Exception as e:
+			print("  Exception: " + str(e))
+			errs[2] += 1
+	print("")
+
 	# Print the number error (if any)
 	if errs[0] > 0:
 		print("Found " + str(errs[0]) + " non-implemented endpoints")
