Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent command injection via admin email #974

Merged
merged 1 commit into from
Jul 3, 2019
Merged

Prevent command injection via admin email #974

merged 1 commit into from
Jul 3, 2019

Conversation

AzureMarker
Copy link
Contributor

@AzureMarker AzureMarker commented Jul 2, 2019
edited
Loading

By submitting this pull request, I confirm the following:

  • I have read and understood the contributors guide, as well as this entire template.
  • I have made only one major change in my proposed changes.
  • I have commented my proposed changes within the code.
  • I have tested my proposed changes.
  • I am willing to help maintain this change if there are issues with it later.
  • I give this submission freely and claim no ownership.
  • It is compatible with the EUPL 1.2 license
  • I have squashed any insignificant commits. (git rebase)
  • I have Signed Off all commits. (git commit --signoff)

What does this PR aim to accomplish?:
Prevent a possible command injection via the admin email. Credit goes to Christos Pierris (@pr0tean) for finding the bug.

How does this PR accomplish the above?:
Perform extra validation on the input email.

What documentation changes (if any) are needed to support this PR?:
None

@AzureMarker
Prevent command injection via admin email
f790516 
Signed-off-by: Mcat12 <newtoncat12@yahoo.com>
@AzureMarker AzureMarker added this to the v5.0 milestone Jul 2, 2019
@AzureMarker AzureMarker requested a review from a team July 2, 2019 04:04
DL6ER
DL6ER approved these changes Jul 2, 2019
View reviewed changes
Copy link
Member

@DL6ER DL6ER left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Following characters are preceded by a backslash: &#;|*?~<>^()[]{}$, \x0A and \xFF. 'and"` are escaped only if they are not paired.

This will allow @ to pass through and this is the only thing needed here.

@AzureMarker AzureMarker merged commit 00d9b3d into devel Jul 3, 2019
@AzureMarker AzureMarker deleted the fix/admin-email-validation branch July 3, 2019 01:49
AzureMarker added a commit that referenced this pull request Sep 12, 2019
@AzureMarker
Merge pull request #974 from pi-hole/fix/admin-email-validation
9a77559 
Prevent command injection via admin email
@AzureMarker AzureMarker modified the milestones: v5.0, v4.3.2 Sep 12, 2019
AzureMarker added a commit that referenced this pull request Sep 13, 2019
@AzureMarker
Merge pull request #974 from pi-hole/fix/admin-email-validation
bfe7b76 
Prevent command injection via admin email
@pralor-bot
Copy link

This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/pi-hole-4-3-2-release-notes/23852/1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DL6ER DL6ER DL6ER approved these changes

Assignees
No one assigned
Labels
Bugfix
Projects
None yet
Milestone
v4.3.2
Development

Successfully merging this pull request may close these issues.
3 participants
@AzureMarker @pralor-bot @DL6ER