From b6d1bd7335ac1655b22d528b6006cfecf5071b14 Mon Sep 17 00:00:00 2001 From: Adam Warner Date: Mon, 19 Sep 2022 22:01:05 +0100 Subject: [PATCH 1/2] Read docker tag from file in root, not the previously set environment variable Signed-off-by: Adam Warner --- advanced/Scripts/updatecheck.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/advanced/Scripts/updatecheck.sh b/advanced/Scripts/updatecheck.sh index b1e111ae..550a7142 100755 --- a/advanced/Scripts/updatecheck.sh +++ b/advanced/Scripts/updatecheck.sh @@ -37,6 +37,8 @@ rm -f "/etc/pihole/localversions" VERSION_FILE="/etc/pihole/versions" touch "${VERSION_FILE}" chmod 644 "${VERSION_FILE}" +# if /pihole.docker.tag file exists, we will use it's value later in this script +DOCKER_TAG=$(cat file 2>/dev/null) if [[ "$2" == "remote" ]]; then @@ -55,7 +57,7 @@ if [[ "$2" == "remote" ]]; then GITHUB_FTL_VERSION="$(curl -s 'https://api.github.com/repos/pi-hole/FTL/releases/latest' 2> /dev/null | jq --raw-output .tag_name)" addOrEditKeyValPair "${VERSION_FILE}" "GITHUB_FTL_VERSION" "${GITHUB_FTL_VERSION}" - if [[ "${PIHOLE_DOCKER_TAG}" ]]; then + if [[ "${DOCKER_TAG}" ]]; then GITHUB_DOCKER_VERSION="$(curl -s 'https://api.github.com/repos/pi-hole/docker-pi-hole/releases/latest' 2> /dev/null | jq --raw-output .tag_name)" addOrEditKeyValPair "${VERSION_FILE}" "GITHUB_DOCKER_VERSION" "${GITHUB_DOCKER_VERSION}" fi @@ -84,9 +86,8 @@ else FTL_VERSION="$(pihole-FTL version)" addOrEditKeyValPair "${VERSION_FILE}" "FTL_VERSION" "${FTL_VERSION}" - # PIHOLE_DOCKER_TAG is set as env variable only on docker installations - if [[ "${PIHOLE_DOCKER_TAG}" ]]; then - addOrEditKeyValPair "${VERSION_FILE}" "DOCKER_VERSION" "${PIHOLE_DOCKER_TAG}" + if [[ "${DOCKER_TAG}" ]]; then + addOrEditKeyValPair "${VERSION_FILE}" "DOCKER_VERSION" "${DOCKER_TAG}" fi fi From 9debd221796b5b130994b2d9a2775fa814df40be Mon Sep 17 00:00:00 2001 
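Review bot: In the `@@ -55,7 +57,7 @@` hunk, the branch now gated on `${DOCKER_TAG}` writes whatever `curl -s … | jq --raw-output .tag_name` prints, so a failed request or an API error body leaves `GITHUB_DOCKER_VERSION` empty or as the literal `null` in `${VERSION_FILE}`. The value comes from the network and is stored without any check, which matters if other scripts read that file back as trusted input (not visible here). Guard the write, for example `if [[ -n "${GITHUB_DOCKER_VERSION}" && "${GITHUB_DOCKER_VERSION}" != "null" ]]; then addOrEditKeyValPair "${VERSION_FILE}" "GITHUB_DOCKER_VERSION" "${GITHUB_DOCKER_VERSION}"; fi`, and consider adding `--fail` to the `curl` call so HTTP errors produce no body. The enclosing `if [[ "$2" == "remote" ]]` block starts and ends outside the hunk, and the `GITHUB_FTL_VERSION` context line above follows the same pattern.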
From: Adam Warner Date: Sun, 25 Sep 2022 15:51:09 +0100 Subject: [PATCH 2/2] If, after reading /pihole.docker.tag into DOCKER_TAG, it does not match an expected pattern, unset it - this should prevent arbitary code from being run Signed-off-by: Adam Warner --- advanced/Scripts/updatecheck.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/advanced/Scripts/updatecheck.sh b/advanced/Scripts/updatecheck.sh index 550a7142..a9d7523e 100755 --- a/advanced/Scripts/updatecheck.sh +++ b/advanced/Scripts/updatecheck.sh @@ -37,8 +37,14 @@ rm -f "/etc/pihole/localversions" VERSION_FILE="/etc/pihole/versions" touch "${VERSION_FILE}" chmod 644 "${VERSION_FILE}" + # if /pihole.docker.tag file exists, we will use it's value later in this script -DOCKER_TAG=$(cat file 2>/dev/null) +DOCKER_TAG=$(cat /pihole.docker.tag 2>/dev/null) +regex='^([0-9]+\.){1,2}(\*|[0-9]+)(-.*)?$|(^nightly$)|(^dev.*$)' +if [[ ! "${DOCKER_TAG}" =~ $regex ]]; then + # DOCKER_TAG does not match the pattern (see https://regex101.com/r/RsENuz/1), so unset it. + unset DOCKER_TAG +fi if [[ "$2" == "remote" ]]; then
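Review bot: The new `regex` is looser than the commit message implies, because the `(-.*)?` and `^dev.*$` alternatives accept any characters after the `-` or `dev` prefix, including whitespace, quotes, newlines and shell metacharacters. A tag file with a valid-looking prefix therefore still passes the `=~` test and reaches `addOrEditKeyValPair` in the later hunks. Replace the wildcards with an explicit character class, e.g. `regex='^([0-9]+\.){1,2}(\*|[0-9]+)(-[A-Za-z0-9._-]+)?$|^nightly$|^dev[A-Za-z0-9._-]*$'`, widening the class only if real tags need other characters. Also, `unset DOCKER_TAG` only skips the write, so a `DOCKER_VERSION` entry stored by an earlier run appears to remain in `${VERSION_FILE}`; consider clearing it in the rejection branch.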