Pi-Hole/web
1
0
Fork 0
mirror of https://github.com/pi-hole/web.git synced 2026-04-24 18:59:48 +01:00
Code Issues Packages Projects Releases Wiki Activity

Prevent command injection via admin email

Browse Source 
Signed-off-by: Mcat12 <newtoncat12@yahoo.com>
This commit is contained in:
Mcat12
2019-07-01 20:17:10 -07:00
parent 392802687d
commit f7905167c0
1 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
scripts/pi-hole/php/savesettings.php
View File

@@ -56,6 +56,16 @@ function validMAC($mac_addr)
return (preg_match('/([a-fA-F0-9]{2}[:]?){6}/', $mac_addr) == 1);
}
function validEmail($email)
{
return filter_var($email, FILTER_VALIDATE_EMAIL)
// Make sure that the email does not contain special characters which
// may be used to execute shell commands, even though they may be valid
// in an email address. If the escaped email does not equal the original
// email, it is not safe to store in setupVars.
&& escapeshellcmd($email) === $email;
}
$dhcp_static_leases = array();
function readStaticLeasesFile()
{
@@ -481,7 +491,7 @@ function readAdlists()
{
$adminemail = 'noadminemail';
}
elseif(!filter_var($adminemail, FILTER_VALIDATE_EMAIL) || strpos($adminemail, "'") !== false)
elseif(!validEmail($adminemail))
{
$error .= "Administrator email address (".htmlspecialchars($adminemail).") is invalid!<br>";
}