1
0
mirror of https://github.com/pi-hole/pi-hole synced 2024-12-22 14:58:08 +00:00

If, after reading /pihole.docker.tag into DOCKER_TAG, it does not match an expected pattern, unset it - this should prevent arbitary code from being run

Signed-off-by: Adam Warner <me@adamwarner.co.uk>
This commit is contained in:
Adam Warner 2022-09-25 15:51:09 +01:00
parent b6d1bd7335
commit 9debd22179
No known key found for this signature in database
GPG Key ID: 872950F3ECF2B173

View File

@ -37,8 +37,14 @@ rm -f "/etc/pihole/localversions"
VERSION_FILE="/etc/pihole/versions" VERSION_FILE="/etc/pihole/versions"
touch "${VERSION_FILE}" touch "${VERSION_FILE}"
chmod 644 "${VERSION_FILE}" chmod 644 "${VERSION_FILE}"
# if /pihole.docker.tag file exists, we will use it's value later in this script # if /pihole.docker.tag file exists, we will use it's value later in this script
DOCKER_TAG=$(cat file 2>/dev/null) DOCKER_TAG=$(cat /pihole.docker.tag 2>/dev/null)
regex='^([0-9]+\.){1,2}(\*|[0-9]+)(-.*)?$|(^nightly$)|(^dev.*$)'
if [[ ! "${DOCKER_TAG}" =~ $regex ]]; then
# DOCKER_TAG does not match the pattern (see https://regex101.com/r/RsENuz/1), so unset it.
unset DOCKER_TAG
fi
if [[ "$2" == "remote" ]]; then if [[ "$2" == "remote" ]]; then