Allowed properties cannot be NULL for some config item types. Add a c…

…heck for this during config parsing. Signed-off-by: DL6ER <[email protected]>
pi-hole · Feb 22, 2025 · 23683eb · 23683eb
1 parent b7060b7
commit 23683eb
Showing 1 changed file with 19 additions and 1 deletion.
diff --git a/src/config/config.c b/src/config/config.c
@@ -1015,6 +1015,7 @@ static void initConfig(struct config *conf)
 
 	conf->webserver.headers.k = "webserver.headers";
 	conf->webserver.headers.h = "Additional HTTP headers added to the web server responses.\n The headers are separated by a carriage return and a line feed (\\r\\n). The headers are added to all responses, including those for the API.\n Note about the default additional headers:\n - Content-Security-Policy: [...] 'unsafe-inline' is both required by Chart.js styling some elements directly, and index.html containing some inlined Javascript code.\n - X-Frame-Options: DENY: The page can not be displayed in a frame, regardless of the site attempting to do so.\n - X-Xss-Protection: 0: Disables XSS filtering in browsers that support it. This header is usually enabled by default in browsers, and is not recommended as it can hurt the security of the site. (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection).\n - X-Content-Type-Options: nosniff: Marker used by the server to indicate that the MIME types advertised in the  Content-Type headers should not be changed and be followed. This allows to opt-out of MIME type sniffing, or, in other words, it is a way to say that the webmasters knew what they were doing. Site security testers usually expect this header to be set.\n - Referrer-Policy: strict-origin-when-cross-origin: A referrer will be sent for same-site origins, but cross-origin requests will send no referrer information.\n The latter four headers are set as expected by https://securityheaders.io";
+	conf->webserver.headers.a = cJSON_CreateStringReference("<valid HTTP headers>");
 	conf->webserver.headers.t = CONF_STRING;
 	conf->webserver.headers.d.s = (char*)"Content-Security-Policy: default-src 'self' 'unsafe-inline';\r\nX-Frame-Options: DENY\r\nX-XSS-Protection: 0\r\nX-Content-Type-Options: nosniff\r\nReferrer-Policy: strict-origin-when-cross-origin";
 	conf->webserver.headers.c = validate_stub; // Only type-based checking
@@ -1568,10 +1569,27 @@ static void initConfig(struct config *conf)
 		// Verify all config options are defined above
 		if(!conf_item->p || !conf_item->k || !conf_item->h || !conf_item->e || conf_item->t == 0)
 		{
-			log_err("Config option %u/%u is not fully configured!", i, (unsigned int)CONFIG_ELEMENTS);
+			log_err("Config option %u/%u (%s) is not fully configured!",
+			        i, (unsigned int)CONFIG_ELEMENTS, conf_item->k ? conf_item->k : "N/A");
 			continue;
 		}
 
+		// Verify config options with non-trivial type have allowed values
+		if(conf_item->t != CONF_BOOL &&
+		   conf_item->t != CONF_UINT &&
+		   conf_item->t != CONF_UINT16 &&
+		   conf_item->t != CONF_DOUBLE &&
+		   conf_item->t != CONF_INT &&
+		   conf_item->t != CONF_ALL_DEBUG_BOOL)
+		{
+			if(conf_item->a == NULL)
+			{
+				// At this point we know that conf_item->k is not NULL
+				log_err("Config option %s (type %u) has no allowed values!", conf_item->k, conf_item->t);
+				continue;
+			}
+		}
+
 		// Verify we have no default string pointers to NULL
 		if((conf_item->t == CONF_STRING || conf_item->t == CONF_STRING_ALLOCATED) && conf_item->d.s == NULL)
 		{