After some discussion on Reddit:
It seems that the script doesn't consider a semicolon (;) valid in blocklist URLs. My list uses them by default as query string parameter delimiters, e.g.:
Relevant line is here:
This particular line was added in response to a vulnerability discovered (see
https://github.com/pi-hole/pi-hole/pull/3237 and blogpost)
Stack Overflow seems to suggest that a ; is valid, albeit rarely used, in a domain:
I think we can probably get away with including ; in the validation regex, as the vulnerability was mostly caused by passing through a complete command with spaces.
I'd like to get @Frichetten's opinion, just in case...
Also @pgl Please can you base your PR on and submit it against the development branch, as per contribution guidelines? Thanks!
Done! Sorry for not following procedure first time round.
@PromoFaux / @pgl , I don't see any reason ';' can't be allowed. Looking through the code and some light testing of curl, it doesn't appear you can do anything with it at this point. I'd say you're pretty safe to allow the pull request to go through. :)
Thanks!
This issue has been mentioned on Pi-hole Userspace. There might be relevant details there:
https://discourse.pi-hole.net/t/pi-hole-5-1-released/35577/1