From 1664090a011f5ffe160416078a54ff972f12e069 Mon Sep 17 00:00:00 2001
From: Adam Warner
Date: Wed, 23 Jun 2021 17:34:43 +0100
Subject: [PATCH 1/2] Escape `.` in regex for validDomainWildcard to ensure malicious commands cannot be passed to the function

bonus, removed some trailing whitespace on line 30

Signed-off-by: Adam Warner
---
 scripts/pi-hole/php/savesettings.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/pi-hole/php/savesettings.php b/scripts/pi-hole/php/savesettings.php
index f85d5a4e..36f8def4 100644
--- a/scripts/pi-hole/php/savesettings.php
+++ b/scripts/pi-hole/php/savesettings.php
@@ -27,7 +27,7 @@ function validCIDRIP($address){
 $v6elem = "[0-9A-Fa-f]{1,4}";
 // CIDR for IPv6 is any multiple of 4 from 4 up to 128 bit
 $v6cidr = "(4";
- for ($i=8; $i <= 128; $i+=4) {
+ for ($i=8; $i <= 128; $i+=4) {
 $v6cidr .= "|$i";
 }
 $v6cidr .= ")";
@@ -68,7 +68,7 @@ function validDomain($domain_name)
 function validDomainWildcard($domain_name)
 {
 // There has to be either no or at most one "*" at the beginning of a line
- $validChars = preg_match("/^((\*.)?[_a-z\d](-*[_a-z\d])*)(\.([_a-z\d](-*[a-z\d])*))*(\.([_a-z\d])*)*$/i", $domain_name);
+ $validChars = preg_match("/^((\*\.)?[_a-z\d](-*[_a-z\d])*)(\.([_a-z\d](-*[a-z\d])*))*(\.([_a-z\d])*)*$/i", $domain_name);
 $lengthCheck = preg_match("/^.{1,253}$/", $domain_name);
 $labelLengthCheck = preg_match("/^[^\.]{1,63}(\.[^\.]{1,63})*$/", $domain_name);
 return ( $validChars && $lengthCheck && $labelLengthCheck ); //length of each label

From 8066069a1f6d5f59d8adb2a71e4c38ebb336194c Mon Sep 17 00:00:00 2001
From: Adam Warner
Date: Fri, 23 Jul 2021 18:47:37 +0100
Subject: [PATCH 2/2] Prevent arbritary js code from beign returned from the database

Signed-off-by: Adam Warner
---
 scripts/pi-hole/php/groups.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/scripts/pi-hole/php/groups.php b/scripts/pi-hole/php/groups.php
index af138d9c..04ae8291 100644
--- a/scripts/pi-hole/php/groups.php
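Review bot: All three patterns in validDomainWildcard anchor with `$`, which in PCRE also matches just before a trailing newline, so a value such as `"example.com\n"` still passes `validChars`, `lengthCheck` and `labelLengthCheck` after this fix; if the validated string is then written to a list file or handed to a command (the commit message suggests that is the concern), the newline travels with it. Append the `D` modifier to each pattern — `/^.{1,253}$/D`, `/^[^\.]{1,63}(\.[^\.]{1,63})*$/D`, and `/...$/iD` on the new `$validChars` line — or replace `$` with `\z`. A smaller consistency point: the middle-label class `(-*[a-z\d])*` omits the `_` that the first-label class `(-*[_a-z\d])*` allows, so whether an underscore is accepted depends on where in the name it appears; either add `_` there or drop it everywhere, whichever the wildcard syntax is meant to permit. The function's closing brace lies outside the hunk.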
+++ b/scripts/pi-hole/php/groups.php
@@ -510,6 +510,9 @@ if ($_POST['action'] == 'get_groups') {
 $res['domain'] = $utf8_domain.' ('.$res['domain'].')';
 }
 }
+ // Prevent domain and comment fields from returning any arbitary javascript code which could be executed on the browser.
+ $res['domain'] = htmlentities($res['domain']);
+ $res['comment'] = htmlentities($res['comment']);
 array_push($data, $res);
 }
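Review bot: `htmlentities()` is called on the two added lines with default flags, so on PHP versions before 8.1 single quotes are left unencoded (ENT_COMPAT) and a value that is not valid UTF-8 is replaced by an empty string — a `'` in a domain or comment could still break out of a single-quoted attribute built client-side, and a malformed row silently loses its text. Pass the flags explicitly: `$res['domain'] = htmlentities($res['domain'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` and the same for `$res['comment']`. This also encodes the fields where the row is pushed into `$data` rather than where they are rendered, so any client code that already escapes them will double-encode and any non-HTML consumer receives entities; if that is the intended contract, state it, e.g. `// NOTE: domain and comment are returned HTML-encoded; callers must not escape them again.` If `comment` can be NULL in the database, `htmlentities(null)` is deprecated from PHP 8.1 onward, so `$res['comment'] ?? ''` may be needed. The surrounding loop begins and ends outside the hunk.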