If, after reading /pihole.docker.tag into DOCKER_TAG, it does not match an expected pattern, unset it - this should prevent arbitary code from being run

Signed-off-by: Adam Warner <me@adamwarner.co.uk>
2 years ago · 9debd22179
parent b6d1bd7335
commit 9debd22179
1 changed files with 7 additions and 1 deletions
--- a/advanced/Scripts/updatecheck.sh
+++ b/advanced/Scripts/updatecheck.sh
@ -37,8 +37,14 @@ rm -f "/etc/pihole/localversions"
 VERSION_FILE="/etc/pihole/versions"
 touch "${VERSION_FILE}"
 chmod 644 "${VERSION_FILE}"
+
 # if /pihole.docker.tag file exists, we will use it's value later in this script
-DOCKER_TAG=$(cat file 2>/dev/null)
+DOCKER_TAG=$(cat /pihole.docker.tag 2>/dev/null)
+regex='^([0-9]+\.){1,2}(\*|[0-9]+)(-.*)?$|(^nightly$)|(^dev.*$)'
+if [[ ! "${DOCKER_TAG}" =~ $regex ]]; then
+  # DOCKER_TAG does not match the pattern (see https://regex101.com/r/RsENuz/1), so unset it.
+  unset DOCKER_TAG
+fi

 if [[ "$2" == "remote" ]]; then