Prevent possible attacks via admin email setting

The admin email is now treated as a single string (surrounded by single
quotes), and it is not allowed to contain its own single quotes.

Signed-off-by: Mcat12 <newtoncat12@yahoo.com>
Mcat12
2018-11-23 14:35:43 -05:00
parent 738cf0479f
commit 13c29336b2


@@ -476,13 +476,13 @@ function readAdlists()
{
$adminemail = 'noadminemail';
}
elseif(!filter_var($adminemail, FILTER_VALIDATE_EMAIL))
elseif(!filter_var($adminemail, FILTER_VALIDATE_EMAIL) || strpos($adminemail, "'") !== false)
{
$error .= "Administrator email address (".htmlspecialchars($adminemail).") is invalid!<br>";
}
else
{
exec('sudo pihole -a -e '.$adminemail);
exec('sudo pihole -a -e \''.$adminemail.'\'');
}
if(isset($_POST["boxedlayout"]))
{
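Review bot: The new exec() call in the else branch quotes the argument by hand, so it is only safe while the `strpos($adminemail, "'")` check in the elseif above stays in step with it. PHP's `escapeshellarg()` does this quoting itself and removes that coupling: `exec('sudo pihole -a -e '.escapeshellarg($adminemail));`. The single-quote rejection can stay as defence in depth. Separately, the exit status of exec() is not captured in the visible lines, so a failed update would presumably go unreported; passing the output and result-code arguments and appending to `$error` on a non-zero status would close that gap. The enclosing block starts and ends outside the hunk, so any handling further down is not visible here.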