Pi-Hole/web
1
0
Fork 0
mirror of https://github.com/pi-hole/web.git synced 2026-04-22 17:59:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #974 from pi-hole/fix/admin-email-validation

Browse Source 
Prevent command injection via admin email
This commit is contained in:
Mark Drobnak
2019-07-02 21:49:26 -04:00
committed by Mcat12
parent c399043db4
commit bfe7b76f34
1 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
scripts/pi-hole/php/savesettings.php
View File

@@ -56,6 +56,16 @@ function validMAC($mac_addr)
return (preg_match('/([a-fA-F0-9]{2}[:]?){6}/', $mac_addr) == 1);
}
function validEmail($email)
{
return filter_var($email, FILTER_VALIDATE_EMAIL)
// Make sure that the email does not contain special characters which
// may be used to execute shell commands, even though they may be valid
// in an email address. If the escaped email does not equal the original
// email, it is not safe to store in setupVars.
&& escapeshellcmd($email) === $email;
}
$dhcp_static_leases = array();
function readStaticLeasesFile()
{
@@ -496,7 +506,7 @@ function readAdlists()
{
$adminemail = 'noadminemail';
}
elseif(!filter_var($adminemail, FILTER_VALIDATE_EMAIL) || strpos($adminemail, "'") !== false)
elseif(!validEmail($adminemail))
{
$error .= "Administrator email address (".htmlspecialchars($adminemail).") is invalid!<br>";
}