From 1664090a011f5ffe160416078a54ff972f12e069 Mon Sep 17 00:00:00 2001
From: Adam Warner
Date: Wed, 23 Jun 2021 17:34:43 +0100
Subject: [PATCH] Escape `.` in regex for validDomainWildcard to ensure malicious commands cannot be passed to the function bonus, removed some trailing whitespace on line 30
Signed-off-by: Adam Warner
---
 scripts/pi-hole/php/savesettings.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/pi-hole/php/savesettings.php b/scripts/pi-hole/php/savesettings.php
index f85d5a4e..36f8def4 100644
--- a/scripts/pi-hole/php/savesettings.php
+++ b/scripts/pi-hole/php/savesettings.php
@@ -27,7 +27,7 @@ function validCIDRIP($address){
 $v6elem = "[0-9A-Fa-f]{1,4}";
 // CIDR for IPv6 is any multiple of 4 from 4 up to 128 bit
 $v6cidr = "(4";
- for ($i=8; $i <= 128; $i+=4) {
+ for ($i=8; $i <= 128; $i+=4) {
 $v6cidr .= "|$i";
 }
 $v6cidr .= ")";
@@ -68,7 +68,7 @@ function validDomain($domain_name)
 function validDomainWildcard($domain_name)
 {
 // There has to be either no or at most one "*" at the beginning of a line
- $validChars = preg_match("/^((\*.)?[_a-z\d](-*[_a-z\d])*)(\.([_a-z\d](-*[a-z\d])*))*(\.([_a-z\d])*)*$/i", $domain_name);
+ $validChars = preg_match("/^((\*\.)?[_a-z\d](-*[_a-z\d])*)(\.([_a-z\d](-*[a-z\d])*))*(\.([_a-z\d])*)*$/i", $domain_name);
 $lengthCheck = preg_match("/^.{1,253}$/", $domain_name);
 $labelLengthCheck = preg_match("/^[^\.]{1,63}(\.[^\.]{1,63})*$/", $domain_name);
 return ( $validChars && $lengthCheck && $labelLengthCheck ); //length of each label
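Review bot: All three patterns in validDomainWildcard still end in a bare `$`, and in PCRE that anchor also matches just before a final line feed unless the `D` (dollar-end-only) modifier is set. A name followed by a single trailing newline therefore passes `$validChars`, `$lengthCheck` and `$labelLengthCheck` (the last because `[^\.]` itself accepts a newline), so the check is looser than the commit message intends. I would close it by changing the pattern endings from `$/i"` to `$/iD"` and from `$/"` to `$/D"`, or by anchoring with `\z`. Whether the newline is reachable depends on how callers use the validated value, which this hunk does not show. validDomain, named in the hunk header, probably needs the same change, but its body is outside the hunk, as is the closing brace of validDomainWildcard.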