From 4f2cee505e4f2e9b369a321063ff2c5e0c34ba45 Mon Sep 17 00:00:00 2001
From: namiltd
Date: Wed, 24 May 2023 10:39:48 +0200
Subject: [PATCH] Disable JSONP data mode by default for security reasons
---
 phpsysinfo.ini.new | 7 +++++++
 read_config.php | 5 +++++
 2 files changed, 12 insertions(+)
diff --git a/phpsysinfo.ini.new b/phpsysinfo.ini.new
index f2c90f24..25b67c26 100644
--- a/phpsysinfo.ini.new
+++ b/phpsysinfo.ini.new
@@ -47,6 +47,13 @@ ADD_PATHS=false
 ;
 ALLOWED=false
 
+; Enable JSONP data mode (e.g. /phpsysinfo/xml.php?plugin=complete&jsonp&callback=getData)
+; Disabled by default for security reasons.
+; - false : JSONP data mode disabled
+; - true : JSONP data mode enabled
+;
+;JSONP=false
+
 ; List of sudo commands
 ; Example : SUDO_COMMANDS="iptables-save" //execute "sudo iptables-save" instead "iptables-save"
 ; SUDO_COMMANDS=false //no sudo commands
diff --git a/read_config.php b/read_config.php
index 17d0683a..53fbf38e 100644
--- a/read_config.php
+++ b/read_config.php
@@ -89,6 +89,11 @@
 }
 }
 
+ if (isset($_GET['jsonp']) && (!defined('PSI_JSONP') || !PSI_JSONP)) {
+ echo "JSONP data mode not enabled in phpsysinfo.ini.";
+ die();
+ }
+
 /* default error handler */
 if (function_exists('errorHandlerPsi')) {
 restore_error_handler();
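Review bot: The added comment block says JSONP is disabled "for security reasons" but never names the risk, so an administrator has nothing to weigh before switching it on. Consider one more comment line, for example `; JSONP output can be read cross-origin by any page that includes it via a script tag; enable only if access to phpSysInfo is otherwise restricted.` The sample is shipped commented out (`;JSONP=false`), which fits the read_config.php check if, as it appears, an unset option leaves `PSI_JSONP` undefined and therefore disabled.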
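Review bot: The refusal in the added `if` block goes out as an ordinary response (default status, plain-text body), so a rejected JSONP request looks like a success to clients and in access logs; setting a status first, e.g. `http_response_code(403);` before the `echo`, would make refusals visible to monitoring. The gate keys only on `$_GET['jsonp']`, and the code that actually emits JSONP is outside this hunk, so it is worth confirming that it reads the same source and cannot be reached through `$_POST`/`$_REQUEST` or through `callback` alone. How the `callback` value is validated once JSONP is enabled is also not visible here. The enclosing block starts and ends outside the hunk.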