Merge pull request #974 from pi-hole/fix/admin-email-validation

Prevent command injection via admin email

scripts/pi-hole/php/savesettings.php

@@ -56,6 +56,16 @@ function validMAC($mac_addr)
   return (preg_match('/([a-fA-F0-9]{2}[:]?){6}/', $mac_addr) == 1);
 }
 
+function validEmail($email)
+{
+	return filter_var($email, FILTER_VALIDATE_EMAIL)
+		// Make sure that the email does not contain special characters which
+		// may be used to execute shell commands, even though they may be valid
+		// in an email address. If the escaped email does not equal the original
+		// email, it is not safe to store in setupVars.
+		&& escapeshellcmd($email) === $email;
+}
+
 $dhcp_static_leases = array();
 function readStaticLeasesFile()
 {
@@ -481,7 +491,7 @@ function readAdlists()
 				{
 					$adminemail = 'noadminemail';
 				}
-				elseif(!filter_var($adminemail, FILTER_VALIDATE_EMAIL) || strpos($adminemail, "'") !== false)
+				elseif(!validEmail($adminemail))
 				{
 					$error .= "Administrator email address (".htmlspecialchars($adminemail).") is invalid!<br>";
 				}