From 9debd221796b5b130994b2d9a2775fa814df40be Mon Sep 17 00:00:00 2001
From: Adam Warner
Date: Sun, 25 Sep 2022 15:51:09 +0100
Subject: [PATCH] If, after reading /pihole.docker.tag into DOCKER_TAG, it does not match an expected pattern, unset it - this should prevent arbitary code from being run

Signed-off-by: Adam Warner
---
 advanced/Scripts/updatecheck.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/advanced/Scripts/updatecheck.sh b/advanced/Scripts/updatecheck.sh
index 550a7142..a9d7523e 100755
--- a/advanced/Scripts/updatecheck.sh
+++ b/advanced/Scripts/updatecheck.sh
@@ -37,8 +37,14 @@ rm -f "/etc/pihole/localversions"
 VERSION_FILE="/etc/pihole/versions"
 touch "${VERSION_FILE}"
 chmod 644 "${VERSION_FILE}"
+
 # if /pihole.docker.tag file exists, we will use it's value later in this script
-DOCKER_TAG=$(cat file 2>/dev/null)
+DOCKER_TAG=$(cat /pihole.docker.tag 2>/dev/null)
+regex='^([0-9]+\.){1,2}(\*|[0-9]+)(-.*)?$|(^nightly$)|(^dev.*$)'
+if [[ ! "${DOCKER_TAG}" =~ $regex ]]; then
+ # DOCKER_TAG does not match the pattern (see https://regex101.com/r/RsENuz/1), so unset it.
+ unset DOCKER_TAG
+fi
 if [[ "$2" == "remote" ]]; then
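Review bot: The allowlist in `regex` still accepts arbitrary trailing content, because the `(-.*)?` and `^dev.*$` branches match any characters after `-` or `dev`, including whitespace, quotes, embedded newlines and shell metacharacters. If the later use of `DOCKER_TAG` (outside this hunk) is what made unvalidated file content dangerous, a value that starts like a version or like `dev` and continues with attacker-chosen text would still pass this check. Restricting both tails to the characters a Docker tag can contain closes that gap: `regex='^([0-9]+\.){1,2}(\*|[0-9]+)(-[A-Za-z0-9_.-]+)?$|^nightly$|^dev[A-Za-z0-9_.-]*$'`. The comment inside the `if` would also be more useful if it stated why the value is rejected (it is read from a file and used later in the script) instead of relying only on the external regex101 link.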