Pihole 6 webserver exposes code from other files on webserver

Tone · March 6, 2025, 9:57pm

I updated to pihole 6 and noticed, that if I open https://127.0.0.1:8443 instead of https://127.0.0.1:8443/admin it shows the code from my index.php on my regular webserver.

This was kinda expected so I moved the pihole-web to /usr/share/pihole/pihole and defined webroot as /usr/share/pihole and subpath as /pihole/.
This worked, but now I read here that I can't use this setting, because everything is hardcoded in pihole.

Why is this option there than?
What is the offical workaround, so not everthing is exposed?

Of cause I'm using a reverse proxy, but it's still exposed in my local network.
Do I really have to work with iptables?
In my opinion this shouldn't be the case.

edit:
I kinda solved it with:

acl = "+127.0.0.1,+[::1]"
port = "127.0.0.1:8443s"

I'm still not a fan of the design choise.
The path for the webfiles really shouldn't be in /var/www/ if you are using your own webserver.

At least there has to be something in the webserver which blocks everything which isn't in the defined subpath.

rdwebdesign · March 6, 2025, 11:28pm

Not everything is hard coded.
Actually just a few places (scattered over all 3 repositories) still have hard coded paths. We are fixing it, but please be patient.

Tone · March 6, 2025, 11:33pm

ok, but the webserver should still block (or redirect) everything, which isn't in the defined subpath, for all the users who don't change the webroot.

Or there should be a new default path.

system · March 13, 2025, 11:33pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.