From ef0bdf6470e98ac7866c4fbcee3ab06bfe095fe8 Mon Sep 17 00:00:00 2001
From: Matej Dujava
Date: Mon, 7 Dec 2020 00:23:04 +0100
Subject: [PATCH] Fix validation of adlist url

Already existing regex validation will be used on url after removing @ (in case its in separating userinfo and host).

Signed-off-by: Matej Dujava
Fixes: https://github.com/pi-hole/pi-hole/issues/3911
Fixes: 7d19ee1b: validate blocklist URL before adding to the database (#3237)
---
 advanced/Scripts/webpage.sh | 11 ++++++++---
 gravity.sh | 9 +++++++--
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/advanced/Scripts/webpage.sh b/advanced/Scripts/webpage.sh
index f26ce11d..da2afb0f 100755
--- a/advanced/Scripts/webpage.sh
+++ b/advanced/Scripts/webpage.sh
@@ -486,10 +486,15 @@ SetWebUITheme() {
 }
 CheckUrl(){
- local regex
+ local regex check_url
 # Check for characters NOT allowed in URLs
- regex="[^a-zA-Z0-9:/?&%=~._-]"
- if [[ "${1}" =~ ${regex} ]]; then
+ regex="[^a-zA-Z0-9:/?&%=~._()-;]"
+
+ # this will remove first @ that is after schema and before domain
+ # \1 is optional schema, \2 is userinfo
+ check_url="$( sed -re 's#([^:/]*://)?([^/]+)@#\1\2#' <<< "$1" )"
+
+ if [[ "${check_url}" =~ ${regex} ]]; then
 return 1
 else
 return 0
diff --git a/gravity.sh b/gravity.sh
index 9ac38512..c9cd615a 100755
--- a/gravity.sh
+++ b/gravity.sh
@@ -393,10 +393,15 @@ gravity_DownloadBlocklists() {
 esac
 echo -e " ${INFO} Target: ${url}"
- local regex
+ local regex check_url
 # Check for characters NOT allowed in URLs
 regex="[^a-zA-Z0-9:/?&%=~._()-;]"
- if [[ "${url}" =~ ${regex} ]]; then
+
+ # this will remove first @ that is after schema and before domain
+ # \1 is optional schema, \2 is userinfo
+ check_url="$( sed -re 's#([^:/]*://)?([^/]+)@#\1\2#' <<< "$url" )"
+
+ if [[ "${check_url}" =~ ${regex} ]]; then
 echo -e " ${CROSS} Invalid Target"
 else
 gravity_DownloadBlocklistFromUrl "${url}" "${cmd_ext}" "${agent}" "${sourceIDs[$i]}" "${saveLocation}" "${target}" "${compression}"
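Review bot: The new bracket expression in CheckUrl reads `)-;` as a range, so along with `(`, `)` and `;` it also stops rejecting `*`, `+` and `,`, and what a range covers can vary with the locale's collation. If only the three characters were intended, keep the hyphen last: `regex="[^a-zA-Z0-9:/?&%=~._();-]"`; the same expression appears as context in the gravity.sh hunk. The sed substitution is also unanchored, so when the authority has no `@` it strips one from a later path segment instead, and a URL such as `https://host/a@b` (constructed example) now passes although the commit message only covers the userinfo separator. Anchoring it and keeping `@` out of the userinfo group, `s#^([^:/]*://)?([^/@]+)@#\1\2#`, confines the exception to the authority; the identical line in gravity.sh needs the same change.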
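Review bot: With userinfo accepted again, the unchanged `echo -e " ${INFO} Target: ${url}"` line at the top of the gravity.sh hunk prints any `user:password@` part of an adlist URL in clear text, and it will end up wherever that output is captured. Consider echoing a copy with the userinfo removed, for example `display_url="$( sed -re 's#^([^:/]*://)?[^/@]+@#\1#' <<< "$url" )"` followed by `echo -e " ${INFO} Target: ${display_url}"`, while still passing the original `${url}` to the download call. gravity_DownloadBlocklists begins and ends outside the hunk, so other places that print or store `${url}` are not visible here and would need the same check.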