mirror of
https://github.com/pi-hole/FTL.git
synced 2026-07-04 10:45:03 +01:00
6536754ab9
The PID file path was previously user-configurable via files.pid in
pihole.toml. Service hook scripts executed as root read this value
without validation and used it in privileged file operations, enabling
local privilege escalation by a pihole user with direct write access
to pihole.toml.

Remove files.pid from the config system entirely and replace all
usages with the compile-time constant FTL_PID_FILE ("/run/pihole-FTL.pid")
defined in config.h. The PID file path has no good reason to be
user-configurable.

See: GHSA-6w8x-p785-6pm4

Signed-off-by: yubiuser <github@yubiuser.dev>