From f7905167c022480f8f2518d0ea66b221a4e52cd7 Mon Sep 17 00:00:00 2001 From: Mcat12 Date: Mon, 1 Jul 2019 20:17:10 -0700 Subject: [PATCH] Prevent command injection via admin email Signed-off-by: Mcat12 --- scripts/pi-hole/php/savesettings.php | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/scripts/pi-hole/php/savesettings.php b/scripts/pi-hole/php/savesettings.php index ed7f2556..885b39fc 100644 --- a/scripts/pi-hole/php/savesettings.php +++ b/scripts/pi-hole/php/savesettings.php @@ -56,6 +56,16 @@ function validMAC($mac_addr) return (preg_match('/([a-fA-F0-9]{2}[:]?){6}/', $mac_addr) == 1); } +function validEmail($email) +{ + return filter_var($email, FILTER_VALIDATE_EMAIL) + // Make sure that the email does not contain special characters which + // may be used to execute shell commands, even though they may be valid + // in an email address. If the escaped email does not equal the original + // email, it is not safe to store in setupVars. + && escapeshellcmd($email) === $email; +} + $dhcp_static_leases = array(); function readStaticLeasesFile() { @@ -481,7 +491,7 @@ function readAdlists() { $adminemail = 'noadminemail'; } - elseif(!filter_var($adminemail, FILTER_VALIDATE_EMAIL) || strpos($adminemail, "'") !== false) + elseif(!validEmail($adminemail)) { $error .= "Administrator email address (".htmlspecialchars($adminemail).") is invalid!
"; }