
Prevent command injection via admin email #974

Merged
merged 1 commit into from Jul 3, 2019

Conversation

@Mcat12
Member

commented Jul 2, 2019

By submitting this pull request, I confirm the following:

  • I have read and understood the contributors guide, as well as this entire template.
  • I have made only one major change in my proposed changes.
  • I have commented my proposed changes within the code.
  • I have tested my proposed changes.
  • I am willing to help maintain this change if there are issues with it later.
  • I give this submission freely and claim no ownership.
  • It is compatible with the EUPL 1.2 license
  • I have squashed any insignificant commits. (git rebase)
  • I have Signed Off all commits. (git commit --signoff)

What does this PR aim to accomplish?:
Prevent a possible command injection via the admin email. Credit goes to Christos Pierris (@pr0tean) for finding the bug.

How does this PR accomplish the above?:
Perform extra validation on the input email.

What documentation changes (if any) are needed to support this PR?:
None

Signed-off-by: Mcat12 <newtoncat12@yahoo.com>
@Mcat12 Mcat12 added the Bugfix label Jul 2, 2019
@Mcat12 Mcat12 added this to the v5.0 milestone Jul 2, 2019
@Mcat12 Mcat12 requested a review from pi-hole/web-approvers Jul 2, 2019
@DL6ER
DL6ER approved these changes Jul 2, 2019
Member

left a comment

The following characters are preceded by a backslash: &#;|*?~<>^()[]{}$, \x0A and \xFF. ', " and ` are escaped only if they are not paired.

This will allow @ to pass through and this is the only thing needed here.
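To make the reviewer's point concrete, here is an added example (not the code from this PR or from Pi-hole): strict allow-list validation of the admin address, with `escapeshellcmd()` kept only as a secondary layer that leaves `@` intact. The function name, the 254-character cap and the sample inputs are assumptions constructed for the demonstration.

```php
<?php
// Added example (not Pi-hole's own code): validate an admin e-mail before it
// is ever handed to a shell-backed command. Validation, not escaping, is the
// control: escapeshellcmd() deliberately lets '@', letters and digits through,
// so only a syntactically valid address should ever reach the command.

/**
 * Returns true only for addresses that pass PHP's built-in e-mail filter AND
 * a conservative allow-list. Anything a shell could interpret (metacharacters,
 * whitespace, quotes) is rejected outright rather than escaped.
 */
function is_safe_admin_email(string $email): bool
{
    // Length cap (assumption): 254 is the usual practical maximum.
    if ($email === '' || strlen($email) > 254) {
        return false;
    }
    // The built-in syntax check rejects most garbage, but it may accept
    // quoted local parts, so it is not sufficient on its own.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Allow-list: local part and domain limited to letters, digits and a few
    // punctuation characters; exactly one '@'; a dotted domain with a TLD.
    return preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $email) === 1;
}

// escapeshellcmd() is a second line of defence only: it leaves '@' untouched,
// so a validated address survives it unchanged.
assert(escapeshellcmd('admin@example.com') === 'admin@example.com');

// Constructed inputs for demonstration (expected verdict on the right).
$cases = [
    'admin@example.com'              => true,  // ordinary address
    'first.last+tag@sub.example.org' => true,  // plus-addressing and subdomain
    'admin@example.com; echo x'      => false, // shell metacharacters and a space
    '"a;b"@example.com'              => false, // quoted local part: allow-list rejects it
    'admin@localhost'                => false, // no dotted domain
];

foreach ($cases as $input => $expected) {
    $result = is_safe_admin_email($input);
    printf("%-34s valid=%-3s %s\n", $input, $result ? 'yes' : 'no',
        $result === $expected ? 'OK' : 'MISMATCH');
}
```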

@Mcat12 Mcat12 merged commit 00d9b3d into devel Jul 3, 2019
2 checks passed
CodeFactor: No issues found.
DCO: passed
@Mcat12 Mcat12 deleted the fix/admin-email-validation branch Jul 3, 2019
Mcat12 added a commit that referenced this pull request Sep 12, 2019
Prevent command injection via admin email
@Mcat12 Mcat12 modified the milestones: v5.0, v4.3.2 Sep 12, 2019
Mcat12 added a commit that referenced this pull request Sep 13, 2019
Prevent command injection via admin email
@pralor
commented Sep 21, 2019

This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/pi-hole-4-3-2-release-notes/23852/1
