Replace mg.request_info.request_uri with the variable scriptname

rdwebdesign · rdwebdesign · commit 8c0f7853519c · 2025-10-19T18:44:52.000-03:00
The information from `mg.request_info.request_uri` depends on the URL typed
by the user. This information was used without any sanitization, allowing
an attacker to send crafted links containing anything, including javascript
code, which could be loaded and executed in a few pages.

Replacing this value with `scriptname` variable fixes the issue, since this
variable contains the name of the file currently being executed. This
information cannot be externally manipulated and it is safe to be used on
the page.

Signed-off-by: RD WebDesign &lt;github@rdwebdesign.com.br&gt;
diff --git a/error403.lp b/error403.lp
@@ -10,7 +10,7 @@
 mg.include('scripts/lua/header.lp','r')
 ?>
 </head>
-<body class="hold-transition layout-boxed login-page page-<?=pihole.format_path(mg.request_info.request_uri)?>">
+<body class="hold-transition layout-boxed login-page page-<?=pihole.format_path(scriptname)?>">
     <div class="box login-box">
         <section style="padding: 15px;">
                 <h2 class="error-headline text-danger">403</h2>
diff --git a/error404.lp b/error404.lp
@@ -10,7 +10,7 @@
 mg.include('scripts/lua/header.lp','r')
 ?>
 </head>
-<body class="hold-transition layout-boxed login-page page-<?=pihole.format_path(mg.request_info.request_uri)?>">
+<body class="hold-transition layout-boxed login-page page-<?=pihole.format_path(scriptname)?>">
     <div class="box login-box">
         <section style="padding: 15px;">
                 <h2 class="error-headline text-yellow">404</h2>
diff --git a/login.lp b/login.lp
@@ -10,7 +10,7 @@
 mg.include('scripts/lua/header.lp','r')
 ?>
 </head>
-<body class="hold-transition layout-boxed login-page page-<?=pihole.format_path(mg.request_info.request_uri)?>" data-apiurl="<?=pihole.api_url()?>" data-webhome="<?=webhome?>">
+<body class="hold-transition layout-boxed login-page page-<?=pihole.format_path(scriptname)?>" data-apiurl="<?=pihole.api_url()?>" data-webhome="<?=webhome?>">
 <div class="box login-box" id="login-box">
     <section style="padding: 15px;">
         <div class="login-logo">
diff --git a/scripts/lua/header_authenticated.lp b/scripts/lua/header_authenticated.lp
@@ -24,7 +24,7 @@ mg.include('header.lp','r')
     <script src="<?=pihole.fileversion('vendor/waitMe-js/modernized-waitme-min.js')?>"></script>
     <script src="<?=pihole.fileversion('scripts/js/logout.js')?>"></script>
 </head>
-<body class="<?=theme.name?> hold-transition sidebar-mini <? if pihole.boxedlayout() then ?>layout-boxed<? end ?> logged-in page-<?=pihole.format_path(mg.request_info.request_uri)?>" data-apiurl="<?=pihole.api_url()?>" data-webhome="<?=webhome?>">
+<body class="<?=theme.name?> hold-transition sidebar-mini <? if pihole.boxedlayout() then ?>layout-boxed<? end ?> logged-in page-<?=pihole.format_path(scriptname)?>" data-apiurl="<?=pihole.api_url()?>" data-webhome="<?=webhome?>">
 <noscript>
     <!-- JS Warning -->
     <div>
