From 4f390ce801c739ea87cfcae131855ecbd9161818 Mon Sep 17 00:00:00 2001 From: Dan Schaper Date: Mon, 2 Mar 2020 05:39:21 -0800 Subject: [PATCH 01/13] Use bash regex instead of awk. Signed-off-by: Dan Schaper --- advanced/Scripts/query.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/advanced/Scripts/query.sh b/advanced/Scripts/query.sh index a96129e0..73650400 100755 --- a/advanced/Scripts/query.sh +++ b/advanced/Scripts/query.sh @@ -33,15 +33,13 @@ scanList(){ export LC_CTYPE=C # /dev/null forces filename to be printed when only one list has been generated - # shellcheck disable=SC2086 case "${type}" in "exact" ) grep -i -E -l "(^|(?/dev/null;; # Create array of regexps # Iterate through each regexp and check whether it matches the domainQuery # If it does, print the matching regexp and continue looping # Input 1 - regexps | Input 2 - domainQuery - "regex" ) awk 'NR==FNR{regexps[$0];next}{for (r in regexps)if($0 ~ r)print r}' \ - <(echo "${lists}") <(echo "${domain}") 2>/dev/null;; + "regex" ) if [[ "${domain}" =~ ${lists} ]]; then printf "%b\n" "${lists}"; fi;; * ) grep -i "${esc_domain}" ${lists} /dev/null 2>/dev/null;; esac } From 360d0e4e6bfb5c71e078be41d21132422fb20323 Mon Sep 17 00:00:00 2001 From: Dan Schaper Date: Mon, 2 Mar 2020 08:07:10 -0800 Subject: [PATCH 02/13] Loop through array of lists. Signed-off-by: Dan Schaper --- advanced/Scripts/query.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/advanced/Scripts/query.sh b/advanced/Scripts/query.sh index 73650400..4dc9429d 100755 --- a/advanced/Scripts/query.sh +++ b/advanced/Scripts/query.sh 
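Review bot: Dropping `# shellcheck disable=SC2086` while `${lists}` is still expanded unquoted in the `exact` and `*` arms brings the SC2086 warning back for the whole case statement, so either keep the directive or quote the expansion where a single file is meant; both arms are context here, and the `/dev/null` comment suggests the splitting into several list files is deliberate. The new `regex` arm also prints the matched pattern with `printf "%b\n"`, which expands backslash escapes such as `\t` or `\b` that can legitimately appear in a regex; `printf '%s\n' "${lists}"` reproduces it verbatim, and the same `%b` survives into the patch 02 and patch 03 hunks on this page. scanList begins outside the hunk.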
@@ -35,11 +35,15 @@ scanList(){ # /dev/null forces filename to be printed when only one list has been generated case "${type}" in "exact" ) grep -i -E -l "(^|(?/dev/null;; - # Create array of regexps # Iterate through each regexp and check whether it matches the domainQuery # If it does, print the matching regexp and continue looping # Input 1 - regexps | Input 2 - domainQuery - "regex" ) if [[ "${domain}" =~ ${lists} ]]; then printf "%b\n" "${lists}"; fi;; + "regex" ) + for list in `echo "${lists}"`; do + if [[ "${domain}" =~ ${list} ]]; then + printf "%b\n" "${list}"; + fi + done;; * ) grep -i "${esc_domain}" ${lists} /dev/null 2>/dev/null;; esac } From bf4fada3b7188630ecb4656b123a94110998cacd Mon Sep 17 00:00:00 2001 From: Dan Schaper Date: Mon, 2 Mar 2020 09:52:06 -0800 Subject: [PATCH 03/13] Don't quote inside backticks, use unquoted variable. Signed-off-by: Dan Schaper --- advanced/Scripts/query.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/advanced/Scripts/query.sh b/advanced/Scripts/query.sh index 4dc9429d..7518e6c4 100755 --- a/advanced/Scripts/query.sh +++ b/advanced/Scripts/query.sh @@ -39,7 +39,7 @@ scanList(){ # If it does, print the matching regexp and continue looping # Input 1 - regexps | Input 2 - domainQuery "regex" ) - for list in `echo "${lists}"`; do + for list in ${lists}; do if [[ "${domain}" =~ ${list} ]]; then printf "%b\n" "${list}"; fi From 22ce5c0d70e48f8e806dd79758359ccb623efb20 Mon Sep 17 00:00:00 2001 From: DL6ER Date: Mon, 9 Mar 2020 00:32:37 +0100 Subject: [PATCH 04/13] Fix incorrect type description. (#3201) Signed-off-by: DL6ER --- advanced/Scripts/piholeDebug.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/advanced/Scripts/piholeDebug.sh b/advanced/Scripts/piholeDebug.sh index 28d34ab6..304dc666 100755 --- a/advanced/Scripts/piholeDebug.sh +++ b/advanced/Scripts/piholeDebug.sh 
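Review bot: The backtick substitution around `echo "${lists}"` is left unquoted, so besides the intended splitting on whitespace each word is also subject to pathname expansion: a pattern containing `*`, `?` or `[...]` is matched against file names in the current directory before `[[ =~ ]]` ever sees it, and a match silently replaces the regex. Patch 03's `for list in ${lists}` on this page keeps that behaviour. Assuming `${lists}` is newline-separated, as the comments above the arm describe, `while IFS= read -r list; do` ... `done <<< "${lists}"` iterates without splitting or globbing; otherwise `set -f` around the loop disables globbing alone. scanList begins outside the hunk.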
@@ -1116,7 +1116,7 @@ show_adlists() { } show_domainlist() { - show_db_entries "Domainlist (0/1 = exact/regex whitelist, 2/3 = exact/regex blacklist)" "SELECT id,type,domain,enabled,datetime(date_added,'unixepoch','localtime') date_added,datetime(date_modified,'unixepoch','localtime') date_modified,comment FROM domainlist" "4 4 100 7 19 19 50" + show_db_entries "Domainlist (0/1 = exact white-/blacklist, 2/3 = regex white-/blacklist)" "SELECT id,type,domain,enabled,datetime(date_added,'unixepoch','localtime') date_added,datetime(date_modified,'unixepoch','localtime') date_modified,comment FROM domainlist" "4 4 100 7 19 19 50" show_db_entries "Domainlist groups" "SELECT * FROM domainlist_by_group" "10 10" } From dbc54b3063e6bfff302fdd95269c67ae03085e41 Mon Sep 17 00:00:00 2001 From: Adam Warner Date: Wed, 11 Mar 2020 18:47:59 +0000 Subject: [PATCH 05/13] remove resolvconf dep Signed-off-by: Adam Warner --- automated install/basic-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh index 65c72b40..0d05db1a 100755 --- a/automated install/basic-install.sh +++ b/automated install/basic-install.sh @@ -244,7 +244,7 @@ if is_command apt-get ; then # These programs are stored in an array so they can be looped through later INSTALLER_DEPS=(dhcpcd5 git "${iproute_pkg}" whiptail) # Pi-hole itself has several dependencies that also need to be installed - PIHOLE_DEPS=(cron curl dnsutils iputils-ping lsof netcat psmisc sudo unzip wget idn2 sqlite3 libcap2-bin dns-root-data resolvconf libcap2) + PIHOLE_DEPS=(cron curl dnsutils iputils-ping lsof netcat psmisc sudo unzip wget idn2 sqlite3 libcap2-bin dns-root-data libcap2) # The Web dashboard has some that also need to be installed # It's useful to separate the two since our repos are also setup as "Core" code and "Web" code PIHOLE_WEB_DEPS=(lighttpd "${phpVer}-common" "${phpVer}-cgi" "${phpVer}-${phpSqlite}" "${phpVer}-xml" "php-intl") 
From 1481cc583fe6425a9be74720f1c45a8bfc389ab5 Mon Sep 17 00:00:00 2001 From: Adam Warner Date: Wed, 11 Mar 2020 18:48:40 +0000 Subject: [PATCH 06/13] Don't set nameserver in dhcpcd.conf Signed-off-by: Adam Warner --- automated install/basic-install.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh index 0d05db1a..b896eb35 100755 --- a/automated install/basic-install.sh +++ b/automated install/basic-install.sh @@ -854,8 +854,7 @@ setDHCPCD() { # we can append these lines to dhcpcd.conf to enable a static IP echo "interface ${PIHOLE_INTERFACE} static ip_address=${IPV4_ADDRESS} - static routers=${IPv4gw} - static domain_name_servers=127.0.0.1" | tee -a /etc/dhcpcd.conf >/dev/null + static routers=${IPv4gw}" | tee -a /etc/dhcpcd.conf >/dev/null # Then use the ip command to immediately set the new address ip addr replace dev "${PIHOLE_INTERFACE}" "${IPV4_ADDRESS}" # Also give a warning that the user may need to reboot their system From 175d32c5f660a03368be40bb931a3752bb24643c Mon Sep 17 00:00:00 2001 From: Adam Warner Date: Wed, 11 Mar 2020 18:55:43 +0000 Subject: [PATCH 07/13] Set nameservers to be that which have been chosen by the user in the whiptail Signed-off-by: Adam Warner --- automated install/basic-install.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh index b896eb35..35d4df9f 100755 --- a/automated install/basic-install.sh +++ b/automated install/basic-install.sh 
@@ -854,7 +854,8 @@ setDHCPCD() { # we can append these lines to dhcpcd.conf to enable a static IP echo "interface ${PIHOLE_INTERFACE} static ip_address=${IPV4_ADDRESS} - static routers=${IPv4gw}" | tee -a /etc/dhcpcd.conf >/dev/null + static routers=${IPv4gw} + static domain_name_servers=${PIHOLE_DNS_1},${PIHOLE_DNS_2}" | tee -a /etc/dhcpcd.conf >/dev/null # Then use the ip command to immediately set the new address ip addr replace dev "${PIHOLE_INTERFACE}" "${IPV4_ADDRESS}" # Also give a warning that the user may need to reboot their system From 4994da5170300cceaba8f1eca143daabe89df357 Mon Sep 17 00:00:00 2001 From: Adam Warner Date: Thu, 12 Mar 2020 18:48:40 +0000 Subject: [PATCH 08/13] Update automated install/basic-install.sh --- automated install/basic-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh index 35d4df9f..f5043ded 100755 --- a/automated install/basic-install.sh +++ b/automated install/basic-install.sh @@ -855,7 +855,7 @@ setDHCPCD() { echo "interface ${PIHOLE_INTERFACE} static ip_address=${IPV4_ADDRESS} static routers=${IPv4gw} - static domain_name_servers=${PIHOLE_DNS_1},${PIHOLE_DNS_2}" | tee -a /etc/dhcpcd.conf >/dev/null + static domain_name_servers=${PIHOLE_DNS_1} ${PIHOLE_DNS_2}" | tee -a /etc/dhcpcd.conf >/dev/null # Then use the ip command to immediately set the new address ip addr replace dev "${PIHOLE_INTERFACE}" "${IPV4_ADDRESS}" # Also give a warning that the user may need to reboot their system From 277179f150692e6c0968912a02341959069a9242 Mon Sep 17 00:00:00 2001 From: DL6ER Date: Fri, 27 Mar 2020 19:34:41 +0100 Subject: [PATCH 09/13] Remove 19036 trust anchor, now expired: https://www.icann.org/resources/pages/ksk-rollover Signed-off-by: DL6ER --- advanced/Scripts/webpage.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/advanced/Scripts/webpage.sh b/advanced/Scripts/webpage.sh index 829ba57b..aab90c35 100755 
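Review bot: `static domain_name_servers=${PIHOLE_DNS_1} ${PIHOLE_DNS_2}` is appended to /etc/dhcpcd.conf without checking that either value is set, so when only one upstream was chosen the line carries an empty trailing field, and if these variables can hold Pi-hole's `ip#port` notation (not visible from here) dhcpcd would be handed a value it does not understand. `static domain_name_servers=${PIHOLE_DNS_1}${PIHOLE_DNS_2:+ ${PIHOLE_DNS_2}}` drops the empty second entry cleanly; a guard against the `#` form belongs wherever these variables are validated. The line is introduced in the patch 07 hunk and re-touched in patch 08 on this page; setDHCPCD begins outside the hunk.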
--- a/advanced/Scripts/webpage.sh +++ b/advanced/Scripts/webpage.sh @@ -179,7 +179,6 @@ ProcessDNSSettings() { if [[ "${DNSSEC}" == true ]]; then echo "dnssec -trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D " >> "${dnsmasqconfig}" fi From dc35709a1b3a60cf48bcd78d1a7ffae00c81cb69 Mon Sep 17 00:00:00 2001 From: Adam Warner Date: Tue, 31 Mar 2020 17:39:21 +0100 Subject: [PATCH 10/13] Remove hosts-file.net from default lists --- automated install/basic-install.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh index f5043ded..a8ac91f3 100755 --- a/automated install/basic-install.sh +++ b/automated install/basic-install.sh @@ -1212,8 +1212,7 @@ chooseBlocklists() { MalwareDom "MalwareDomains" on Cameleon "Cameleon" on DisconTrack "Disconnect.me Tracking" on - DisconAd "Disconnect.me Ads" on - HostsFile "Hosts-file.net Ads" on) + DisconAd "Disconnect.me Ads" on) # In a variable, show the choices available; exit if Cancel is selected choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty) || { printf " %bCancel was selected, exiting installer%b\\n" "${COL_LIGHT_RED}" "${COL_NC}"; rm "${adlistFile}" ;exit 1; } @@ -1235,7 +1234,6 @@ appendToListsFile() { Cameleon ) echo "https://sysctl.org/cameleon/hosts" >> "${adlistFile}";; DisconTrack ) echo "https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt" >> "${adlistFile}";; DisconAd ) echo "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt" >> "${adlistFile}";; - HostsFile ) echo "https://hosts-file.net/ad_servers.txt" >> "${adlistFile}";; esac } From 7d19ee1b2575f90b7a42ee390b5561fe6908250a Mon Sep 17 00:00:00 2001 From: Adam Warner Date: Tue, 31 Mar 2020 21:48:10 +0100 Subject: [PATCH 11/13] validate blocklist URL before adding to the database (#3237) 
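Review bot: The remaining `trust-anchor=.,20326,...` line is still a hard-coded root KSK, so the next KSK rollover will need another code change like this one. On apt-based installs the installer already requires `dns-root-data` (visible in PIHOLE_DEPS in the basic-install.sh hunk above), which ships the current root trust anchor and is refreshed by the package manager; emitting a `conf-file=` line pointing at the dnsmasq-format trust-anchor file that package installs, with the literal kept only as a fallback where the file is absent, would remove the maintenance burden (confirm the path on each supported distro). ProcessDNSSettings continues outside the hunk.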
Signed-off-by: Adam Warner Co-authored-by: DL6ER --- advanced/Scripts/webpage.sh | 34 +++++++++++++++++++++++++--------- gravity.sh | 9 ++++++++- 2 files changed, 33 insertions(+), 10 deletions(-) diff --git a/advanced/Scripts/webpage.sh b/advanced/Scripts/webpage.sh index aab90c35..2b70249e 100755 --- a/advanced/Scripts/webpage.sh +++ b/advanced/Scripts/webpage.sh @@ -401,22 +401,38 @@ SetWebUILayout() { change_setting "WEBUIBOXEDLAYOUT" "${args[2]}" } +CheckUrl(){ + local regex + # Check for characters NOT allowed in URLs + regex="[^a-zA-Z0-9:/?&%=~._-]" + if [[ "${1}" =~ ${regex} ]]; then + return 1 + else + return 0 + fi +} + CustomizeAdLists() { local address address="${args[3]}" local comment comment="${args[4]}" - if [[ "${args[2]}" == "enable" ]]; then - sqlite3 "${gravityDBfile}" "UPDATE adlist SET enabled = 1 WHERE address = '${address}'" - elif [[ "${args[2]}" == "disable" ]]; then - sqlite3 "${gravityDBfile}" "UPDATE adlist SET enabled = 0 WHERE address = '${address}'" - elif [[ "${args[2]}" == "add" ]]; then - sqlite3 "${gravityDBfile}" "INSERT OR IGNORE INTO adlist (address, comment) VALUES ('${address}', '${comment}')" - elif [[ "${args[2]}" == "del" ]]; then - sqlite3 "${gravityDBfile}" "DELETE FROM adlist WHERE address = '${address}'" + if CheckUrl "${address}"; then + if [[ "${args[2]}" == "enable" ]]; then + sqlite3 "${gravityDBfile}" "UPDATE adlist SET enabled = 1 WHERE address = '${address}'" + elif [[ "${args[2]}" == "disable" ]]; then + sqlite3 "${gravityDBfile}" "UPDATE adlist SET enabled = 0 WHERE address = '${address}'" + elif [[ "${args[2]}" == "add" ]]; then + sqlite3 "${gravityDBfile}" "INSERT OR IGNORE INTO adlist (address, comment) VALUES ('${address}', '${comment}')" + elif [[ "${args[2]}" == "del" ]]; then + sqlite3 "${gravityDBfile}" "DELETE FROM adlist WHERE address = '${address}'" + else + echo "Not permitted" + return 1 + fi else - echo "Not permitted" + echo "Invalid Url" return 1 fi } 
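Review bot: CheckUrl only inspects `address`, while `comment` (`args[4]`) still goes into the INSERT unescaped in `VALUES ('${address}', '${comment}')`, so a single quote in the comment still breaks out of the SQL literal; doubling quotes before use, `comment="${comment//\'/\'\'}"`, or applying an allowlist like CheckUrl's, closes that. CheckUrl also only rejects characters and never requires a web scheme, so anything curl can fetch passes both here and in the gravity.sh hunk below; anchoring with `[[ "${1}" =~ ^https?:// ]]`, or passing `--proto =http,https` to the download, restricts it to web lists. An empty address passes as well, because the negated character class cannot match an empty string.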
diff --git a/gravity.sh b/gravity.sh index c421e832..cf3f9299 100755 --- a/gravity.sh +++ b/gravity.sh @@ -374,7 +374,14 @@ gravity_DownloadBlocklists() { esac echo -e " ${INFO} Target: ${url}" - gravity_DownloadBlocklistFromUrl "${url}" "${cmd_ext}" "${agent}" "${sourceIDs[$i]}" "${saveLocation}" "${target}" + local regex + # Check for characters NOT allowed in URLs + regex="[^a-zA-Z0-9:/?&%=~._-]" + if [[ "${url}" =~ ${regex} ]]; then + echo -e " ${CROSS} Invalid Target" + else + gravity_DownloadBlocklistFromUrl "${url}" "${cmd_ext}" "${agent}" "${sourceIDs[$i]}" "${saveLocation}" "${target}" + fi echo "" done From d1caad76d832eca713352826392917fa3f4a23dc Mon Sep 17 00:00:00 2001 From: DL6ER Date: Wed, 1 Apr 2020 17:19:32 +0000 Subject: [PATCH 12/13] Do not flush neigh cache as this is known to create a number of issues. The better aproach to this is to manually flush the ARP cache by either restarting or calling "ip neigh flush all". Signed-off-by: DL6ER --- advanced/Scripts/piholeARPTable.sh | 7 ------- 1 file changed, 7 deletions(-) diff --git a/advanced/Scripts/piholeARPTable.sh b/advanced/Scripts/piholeARPTable.sh index aa45f9ad..b6b552c9 100755 --- a/advanced/Scripts/piholeARPTable.sh +++ b/advanced/Scripts/piholeARPTable.sh @@ -36,13 +36,6 @@ flushARP(){ echo -ne " ${INFO} Flushing network table ..." fi - # Flush ARP cache to avoid re-adding of dead entries - if ! output=$(ip neigh flush all 2>&1); then - echo -e "${OVER} ${CROSS} Failed to clear ARP cache" - echo " Output: ${output}" - return 1 - fi - # Truncate network_addresses table in pihole-FTL.db # This needs to be done before we can truncate the network table due to # foreign key contraints From 2de5362adc2c1c780eac1ab39e466875143091d5 Mon Sep 17 00:00:00 2001 From: M4x Date: Sun, 5 Apr 2020 17:20:35 +0800 Subject: [PATCH 13/13] Sanitize email address in case of security issues (#3254) * Sanitize email address in case of security issues 
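Review bot: The character class `[^a-zA-Z0-9:/?&%=~._-]` is now defined twice, here and in CheckUrl in the webpage.sh hunk above, so the two will drift the first time one is tightened; if the scripts share a sourced file, that is where a single `readonly` definition belongs, otherwise at least a comment naming the twin. `local regex` and its assignment also sit inside the `for` loop body of gravity_DownloadBlocklists (the loop starts outside the hunk) and are re-declared on every iteration; hoisting them above the loop, or inlining the literal into the `[[ ]]`, reads more clearly.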
Signed-off-by: bash-c --- advanced/Scripts/webpage.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/advanced/Scripts/webpage.sh b/advanced/Scripts/webpage.sh index 2b70249e..f0f8bc31 100755 --- a/advanced/Scripts/webpage.sh +++ b/advanced/Scripts/webpage.sh @@ -517,6 +517,13 @@ Options: fi if [[ -n "${args[2]}" ]]; then + + # Sanitize email address in case of security issues + if [[ ! "${args[2]}" =~ ^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$ ]]; then + echo -e " ${CROSS} Invalid email address" + exit 0 + fi + change_setting "ADMIN_EMAIL" "${args[2]}" echo -e " ${TICK} Setting admin contact to ${args[2]}" else
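Review bot: `exit 0` after `Invalid email address` reports success to whatever invoked the script, so a caller or the web UI cannot tell that the setting was not applied; `exit 1` matches the non-zero status used elsewhere in this file (CustomizeAdLists returns 1 on bad input). The TLD part `[A-Za-z]{2,4}` also rejects valid addresses on longer TLDs such as `.email` or `.museum`; `[A-Za-z]{2,}` keeps the intent without that false negative, while the character allowlist should stay strict, since the accepted value is then interpolated into the `echo -e` line below. The enclosing function starts outside the hunk.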