The pihole-FTL-prestart.sh and pihole-FTL-poststop.sh scripts are
executed as root by systemd (via the '+' prefix). Both previously read
the PID file path from pihole.toml via getFTLConfigValue — a file the
pihole user can write to directly. An attacker with pihole-user access
could set files.pid to an arbitrary path and trigger a service restart
to cause root to delete then recreate any file on the system, enabling
local privilege escalation.
Fix by inlining the hardcoded path /run/pihole-FTL.pid directly in
each hook, removing any dependency on user-controlled config. The same
hardening is applied to the SysV init script for consistency.
See: GHSA-6w8x-p785-6pm4
Signed-off-by: Adam Warner <me@adamwarner.co.uk>
This was most likely added accidentally (during a refactor in 2017)
Both the 2017 and current version use /opt/pihole/COL_TABLE, as defined earlier and sourced earlier in the code.
Remove PIHOLE_COLTABLE_FILE from REQUIRED_FILES since /usr/local/bin as well as /opt/pihole are never checked
Signed-off-by: darkexplosiveqwx <101737077+darkexplosiveqwx@users.noreply.github.com>
- use `--no---` and `--yes---` to make sure the strings won't match user
comments or parts of domains
- also use `-ALLOW-` and `-BLOCK-`
Also reduce the domain column to 90 characters
Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
- Domains table ("type" column): replace 0, 1, 2 and 3 with
"exact-allow", "exact-deny", "regex-allow" and "regex-deny"
- All tables: use yes/no for "enabled" columns
Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
Use bash-internal globs and parameter expasion in preference to
assignment from output of ls or basename per file/directory.
When displaying file contents, call sed once and preprocesses the entire
file (eg pihole.toml), rather than spawning a new sed process for every
line of the file.
When checking services, call awk once to extract all data for each ip:port
pair, rather than three times.
Signed-off-by: Rob Gill <rrobgill@protonmail.com>
Adds the keepalive header to all curl requests
This reduces session establishment time across the multiple
requests necessary to authenticate, obtain response and log out
Signed-off-by: Rob Gill <rrobgill@protonmail.com>
This PR updates the function flushing the network tables and the ARP table. It separates the two, renaming the whole function to networkflush and makes flushing ARP optional by appending --arp. Deletion of the network table is now done via FTL's /action/flush/arp endpoint.
Documentation: https://github.com/pi-hole/docs/pull/1253
Related PR in the FTL repo: https://github.com/pi-hole/FTL/pull/2541
Get session authentication information via single jq operation,
setting defaults if no data returned.
Simplify jq test for valid JSON data
Signed-off-by: Rob Gill <rrobgill@protonmail.com>
Count list and gravity matches using jq in a single step.
Use jq's map to simplify list processing, eliminating intermediate
jsons.
Eliminate while loop for each lists's final output and formatting.
Signed-off-by: Rob Gill <rrobgill@protonmail.com>
Currently, if the FTL update check returns 404, hence the FTL branch does not seem to exist, an error message is printed, but the update continues, only the FTL update is skipped.
This can lead to setups with v5 FTL and v6 core/web, failing at config migration, where FTL is invoked with a v6-only command.
With this change, the update aborts immediately if the FTL branch is invalid, like it does in case of other FTL update check errors (other HTTP error codes than 404 or other curl errors). Hence it continues only if FTL is up-to-date already, or a new version from the given branch has been found.
Signed-off-by: MichaIng <micha@dietpi.com>
