diff --git a/files/routes/admin.py b/files/routes/admin.py
index d640a2b46..67d3aa463 100644
--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@@ -1,4 +1,5 @@
 import time
+import re
 from os import remove
 from PIL import Image as IMAGE
@@ -520,8 +521,28 @@ def admin_home(v):
 else: response = requests.get(f'https://api.cloudflare.com/client/v4/zones/{CF_ZONE}/settings/security_level', headers=CF_HEADERS, timeout=5).json()['result']['value']
 under_attack = response == 'under_attack'
- return render_template("admin/admin_home.html", v=v, under_attack=under_attack, site_settings=app.config['SETTINGS'])
+ gitref = admin_git_head()
+
+ return render_template("admin/admin_home.html", v=v,
+ under_attack=under_attack,
+ site_settings=app.config['SETTINGS'],
+ gitref=gitref)
+def admin_git_head():
+ short_len = 12
+ # Note: doing zero sanitization. Git branch names are extremely permissive.
+ # However, they forbid '..', so I don't see an obvious dir traversal attack.
+ # Also, a malicious branch name would mean someone already owned the server
+ # or repo, so I think this isn't a weak link.
+ try:
+ with open('.git/HEAD') as head_f:
+ head_txt = head_f.read()
+ head_path = re.match('ref: (refs/.+)', head_txt).group(1)
+ with open('.git/' + head_path) as ref_f:
+ gitref = ref_f.read()[0:short_len]
+ except:
+ return ''
+ return gitref
 @app.post("/admin/site_settings/")
 @admin_level_required(3)
diff --git a/files/templates/admin/admin_home.html b/files/templates/admin/admin_home.html
index 455845e28..eae08bb84 100644
--- a/files/templates/admin/admin_home.html
+++ b/files/templates/admin/admin_home.html
@@ -85,7 +85,12 @@ - + {% endif %} +
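Review bot: The bare `except:` in `admin_git_head()` hides every failure, and the "zero sanitization" comment leans on git's ref-name rules even though the function reads `.git/HEAD` straight from disk, where nothing enforces them. A detached HEAD (a bare hash in `.git/HEAD`) makes `re.match` return None, so the page silently shows an empty revision; presumably the same happens when the ref exists only in `packed-refs`. I would catch only `OSError`, follow just a plain `refs/...` path, and return the value only when it is a hex object id, so the helper cannot put the start of an unrelated file on the admin page. The relative `.git/` paths also depend on the process working directory, which the hunk does not show being set.

```python
def admin_git_head():
    short_len = 12
    # .git/HEAD is read from disk, where git's ref-name rules are not enforced:
    # follow only a plain refs/ path and return only a hex object id.
    try:
        with open('.git/HEAD') as head_f:
            gitref = head_f.read().strip()
        ref = re.fullmatch(r'ref: (refs/[\w./-]+)', gitref)
        if ref and '..' not in ref.group(1):
            with open('.git/' + ref.group(1)) as ref_f:
                gitref = ref_f.read().strip()
    except OSError:
        return ''
    if not re.fullmatch(r'[0-9a-f]{40,64}', gitref):
        return ''
    return gitref[:short_len]
```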

Server Status

+
+ Live Revision: {{ gitref }}
+
+ {% endblock %} \ No newline at end of file