Release v5.16.1 (#5226)

Signed-off-by: Christian König <ckoenig@posteo.de>

.github/dependabot.yml

@@ -10,3 +10,13 @@ updates:
   target-branch: development
   reviewers:
     - "pi-hole/core-maintainers"
+- package-ecosystem: pip
+  directory: "/test"
+  schedule:
+    interval: weekly
+    day: saturday
+    time: "10:00"
+  open-pull-requests-limit: 10
+  target-branch: development
+  reviewers:
+    - "pi-hole/core-maintainers"

.github/workflows/codeql-analysis.yml

@@ -25,7 +25,7 @@ jobs:
     steps:
     -
       name: Checkout repository
-      uses: actions/checkout@v3.1.0
+      uses: actions/checkout@v3.4.0
     # Initializes the CodeQL tools for scanning.
     -
       name: Initialize CodeQL

.github/workflows/merge-conflict.yml

@@ -0,0 +1,21 @@
+name: "Check for merge conflicts"
+on:
+  # So that PRs touching the same files as the push are updated
+  push:
+  # So that the `dirtyLabel` is removed if conflicts are resolve
+  # We recommend `pull_request_target` so that github secrets are available.
+  # In `pull_request` we wouldn't be able to change labels of fork PRs
+  pull_request_target:
+    types: [synchronize]
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check if PRs are have merge conflicts
+        uses: eps1lon/actions-label-merge-conflict@v2.1.0
+        with:
+          dirtyLabel: "PR: Merge Conflict"
+          repoToken: "${{ secrets.GITHUB_TOKEN }}"
+          commentOnDirty: "This pull request has conflicts, please resolve those before we can evaluate the pull request."
+          commentOnClean: "Conflicts have been resolved."

.github/workflows/stale.yml

@@ -13,7 +13,7 @@ jobs:
       issues: write
 
     steps:
-      - uses: actions/stale@v6.0.1
+      - uses: actions/stale@v7.0.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           days-before-stale: 30

.github/workflows/stale_pr.yml

@@ -0,0 +1,35 @@
+name: Close stale PR
+# This action will add a `stale` label and close immediately every PR that meets the following conditions:
+#   - it is already marked with "merge conflict" label
+#   - there was no update/comment on the PR in the last 30 days.
+
+on:
+  schedule:
+    - cron: '0 10 * * *'
+  workflow_dispatch:
+
+jobs:
+  stale:
+
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+
+    steps:
+      - uses: actions/stale@v7.0.0
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          # Do not automatically mark PR/issue as stale
+          days-before-stale: -1
+          # Override 'days-before-stale' for PR only
+          days-before-pr-stale: 30
+          # Close PRs immediately, after marking them 'stale'
+          days-before-pr-close: 0
+          # only run the action on merge conflict PR
+          any-of-labels: 'PR: Merge Conflict'
+          exempt-pr-labels: 'internal, never-stale, ON HOLD, WIP'
+          exempt-all-pr-assignees: true
+          operations-per-run: 300
+          stale-pr-message: ''
+          close-pr-message: 'Existing merge conflicts have not been addressed. This PR is considered abandoned.'

.github/workflows/sync-back-to-dev.yml

@@ -5,23 +5,36 @@ on:
     branches:
       - master
 
+# The section is needed to drop the default write-all permissions for all jobs
+# that are granted on `push` event. By specifying any permission explicitly
+# all others are set to none. By using the principle of least privilege the damage a compromised
+# workflow can do (because of an injection or compromised third party tool or
+# action) is restricted. Adding labels to issues, commenting
+# on pull-requests, etc. may need additional permissions:
+#
+# Syntax for this section:
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+#
+# Reference for how to assign permissions on a job-by-job basis:
+# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
+#
+# Reference for available permissions that we can enable if needed:
+# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+permissions: {}
+
 jobs:
   sync-branches:
+    # The job needs to be able to pull the code and create a pull request.
+    permissions:
+      contents: read #  for actions/checkout
+      pull-requests: write #  to create pull request
+
     runs-on: ubuntu-latest
     name: Syncing branches
     steps:
       - name: Checkout
-        uses: actions/checkout@v3.1.0
+        uses: actions/checkout@v3.4.0
       - name: Opening pull request
-        id: pull
-        uses: tretuna/sync-branches@1.4.0
-        with:
+        run: gh pr create -B development -H master --title 'Sync master back into development' --body 'Created by Github action' --label 'internal'
+        env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          FROM_BRANCH: 'master'
-          TO_BRANCH: 'development'
-      - name: Label the pull request to ignore for release note generation
-        uses: actions-ecosystem/action-add-labels@v1.1.3
-        with:
-          labels: internal
-          repo: ${{ github.repository }}
-          number: ${{ steps.pull.outputs.PULL_REQUEST_NUMBER }}

.github/workflows/test.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3.1.0
+        uses: actions/checkout@v3.4.0
 
       - name: Check scripts in repository are executable
         run: |
@@ -55,20 +55,23 @@ jobs:
             ubuntu_22,
             centos_8,
             centos_9,
-            fedora_35,
             fedora_36,
+            fedora_37,
           ]
     env:
       DISTRO: ${{matrix.distro}}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3.1.0
+        uses: actions/checkout@v3.4.0
 
       - name: Set up Python 3.10
-        uses: actions/setup-python@v4.3.0
+        uses: actions/setup-python@v4.5.0
         with:
           python-version: "3.10"
 
+      - name: Install wheel
+        run:  pip install wheel
+
       - name: Install dependencies
         run: pip install -r test/requirements.txt
 

advanced/Scripts/piholeDebug.sh

@@ -66,6 +66,8 @@ RUN_DIRECTORY="/run"
 LOG_DIRECTORY="/var/log/pihole"
 WEB_SERVER_LOG_DIRECTORY="/var/log/lighttpd"
 WEB_SERVER_CONFIG_DIRECTORY="/etc/lighttpd"
+WEB_SERVER_CONFIG_DIRECTORY_FEDORA="${WEB_SERVER_CONFIG_DIRECTORY}/conf.d"
+WEB_SERVER_CONFIG_DIRECTORY_DEBIAN="${WEB_SERVER_CONFIG_DIRECTORY}/conf-enabled"
 HTML_DIRECTORY="/var/www/html"
 WEB_GIT_DIRECTORY="${HTML_DIRECTORY}/admin"
 SHM_DIRECTORY="/dev/shm"
@@ -77,6 +79,8 @@ PIHOLE_CRON_FILE="${CRON_D_DIRECTORY}/pihole"
 
 WEB_SERVER_CONFIG_FILE="${WEB_SERVER_CONFIG_DIRECTORY}/lighttpd.conf"
 WEB_SERVER_CUSTOM_CONFIG_FILE="${WEB_SERVER_CONFIG_DIRECTORY}/external.conf"
+WEB_SERVER_PIHOLE_CONFIG_FILE_DEBIAN="${WEB_SERVER_CONFIG_DIRECTORY_DEBIAN}/15-pihole-admin.conf"
+WEB_SERVER_PIHOLE_CONFIG_FILE_FEDORA="${WEB_SERVER_CONFIG_DIRECTORY_FEDORA}/pihole-admin.conf"
 
 PIHOLE_INSTALL_LOG_FILE="${PIHOLE_DIRECTORY}/install.log"
 PIHOLE_RAW_BLOCKLIST_FILES="${PIHOLE_DIRECTORY}/list.*"
@@ -140,6 +144,8 @@ PIHOLE_PROCESSES=( "lighttpd" "pihole-FTL" )
 REQUIRED_FILES=("${PIHOLE_CRON_FILE}"
 "${WEB_SERVER_CONFIG_FILE}"
 "${WEB_SERVER_CUSTOM_CONFIG_FILE}"
+"${WEB_SERVER_PIHOLE_CONFIG_FILE_DEBIAN}"
+"${WEB_SERVER_PIHOLE_CONFIG_FILE_FEDORA}"
 "${PIHOLE_INSTALL_LOG_FILE}"
 "${PIHOLE_RAW_BLOCKLIST_FILES}"
 "${PIHOLE_LOCAL_HOSTS_FILE}"
@@ -224,7 +230,7 @@ initialize_debug() {
 
 # This is a function for visually displaying the current test that is being run.
 # Accepts one variable: the name of what is being diagnosed
-# Colors do not show in the dasboard, but the icons do: [i], [✓], and [✗]
+# Colors do not show in the dashboard, but the icons do: [i], [✓], and [✗]
 echo_current_diagnostic() {
     # Colors are used for visually distinguishing each test in the output
     # These colors do not show in the GUI, but the formatting will
@@ -394,41 +400,53 @@ os_check() {
     # Extract dig response
     response="${cmdResult%%$'\n'*}"
 
-    IFS=" " read -r -a supportedOS < <(echo "${response}" | tr -d '"')
-    for distro_and_versions in "${supportedOS[@]}"
-    do
-        distro_part="${distro_and_versions%%=*}"
-        versions_part="${distro_and_versions##*=}"
-
-        if [[ "${detected_os^^}" =~ ${distro_part^^} ]]; then
-            valid_os=true
-            IFS="," read -r -a supportedVer <<<"${versions_part}"
-            for version in "${supportedVer[@]}"
-            do
-                if [[ "${detected_version}" =~ $version ]]; then
-                    valid_version=true
-                    break
-                fi
-            done
-            break
-        fi
-    done
-
-    log_write "${INFO} dig return code:  ${digReturnCode}"
-    log_write "${INFO} dig response:  ${response}"
-
-    if [ "$valid_os" = true ]; then
-        log_write "${TICK} Distro:  ${COL_GREEN}${detected_os^}${COL_NC}"
-
-        if [ "$valid_version" = true ]; then
-            log_write "${TICK} Version: ${COL_GREEN}${detected_version}${COL_NC}"
-        else
-            log_write "${CROSS} Version: ${COL_RED}${detected_version}${COL_NC}"
-            log_write "${CROSS} Error: ${COL_RED}${detected_os^} is supported but version ${detected_version} is currently unsupported (${FAQ_HARDWARE_REQUIREMENTS})${COL_NC}"
-        fi
+    if [ "${digReturnCode}" -ne 0 ]; then
+        log_write "${INFO} Distro: ${detected_os^}"
+        log_write "${INFO} Version: ${detected_version}"
+        log_write "${CROSS} dig return code: ${COL_RED}${digReturnCode}${COL_NC}"
+        log_write "${CROSS} dig response: ${response}"
+        log_write "${CROSS} Error: ${COL_RED}dig command failed - Unable to check OS${COL_NC}"
     else
-        log_write "${CROSS} Distro:  ${COL_RED}${detected_os^}${COL_NC}"
-        log_write "${CROSS} Error: ${COL_RED}${detected_os^} is not a supported distro (${FAQ_HARDWARE_REQUIREMENTS})${COL_NC}"
+        IFS=" " read -r -a supportedOS < <(echo "${response}" | tr -d '"')
+        for distro_and_versions in "${supportedOS[@]}"
+        do
+            distro_part="${distro_and_versions%%=*}"
+            versions_part="${distro_and_versions##*=}"
+
+            if [[ "${detected_os^^}" =~ ${distro_part^^} ]]; then
+                valid_os=true
+                IFS="," read -r -a supportedVer <<<"${versions_part}"
+                for version in "${supportedVer[@]}"
+                do
+                    if [[ "${detected_version}" =~ $version ]]; then
+                        valid_version=true
+                        break
+                    fi
+                done
+                break
+            fi
+        done
+
+        local finalmsg
+        if [ "$valid_os" = true ]; then
+            log_write "${TICK} Distro:  ${COL_GREEN}${detected_os^}${COL_NC}"
+
+            if [ "$valid_version" = true ]; then
+                log_write "${TICK} Version: ${COL_GREEN}${detected_version}${COL_NC}"
+                finalmsg="${TICK} ${COL_GREEN}Distro and version supported${COL_NC}"
+            else
+                log_write "${CROSS} Version: ${COL_RED}${detected_version}${COL_NC}"
+                finalmsg="${CROSS} Error: ${COL_RED}${detected_os^} is supported but version ${detected_version} is currently unsupported ${COL_NC}(${FAQ_HARDWARE_REQUIREMENTS})${COL_NC}"
+            fi
+        else
+            log_write "${CROSS} Distro:  ${COL_RED}${detected_os^}${COL_NC}"
+            finalmsg="${CROSS} Error: ${COL_RED}${detected_os^} is not a supported distro ${COL_NC}(${FAQ_HARDWARE_REQUIREMENTS})${COL_NC}"
+        fi
+
+        # Print dig response and the final check result
+        log_write "${TICK} dig return code: ${COL_GREEN}${digReturnCode}${COL_NC}"
+        log_write "${INFO} dig response: ${response}"
+        log_write "${finalmsg}"
     fi
 }
 
@@ -965,6 +983,20 @@ ftl_full_status(){
     fi
 }
 
+lighttpd_test_configuration(){
+    # let lighttpd test it's own configuration
+    local lighttpd_conf_test
+    echo_current_diagnostic "Lighttpd configuration test"
+    lighttpd_conf_test=$(lighttpd -tt -f /etc/lighttpd/lighttpd.conf)
+    if [ -z "${lighttpd_conf_test}" ]; then
+        # empty output
+        log_write "${TICK} ${COL_GREEN}No error in lighttpd configuration${COL_NC}"
+    else
+        log_write "${CROSS} ${COL_RED}Error in lighttpd configuration${COL_NC}"
+        log_write "   ${lighttpd_conf_test}"
+    fi
+}
+
 make_array_from_file() {
     local filename="${1}"
     # The second argument can put a limit on how many line should be read from the file
@@ -1057,10 +1089,13 @@ dir_check() {
         # check if exists first; if it does,
         if ls "${filename}" 1> /dev/null 2>&1; then
             # do nothing
-            :
+            true
+            return
         else
             # Otherwise, show an error
             log_write "${COL_RED}${directory} does not exist.${COL_NC}"
+            false
+            return
         fi
     done
 }
@@ -1068,6 +1103,19 @@ dir_check() {
 list_files_in_dir() {
     # Set the first argument passed to this function as a named variable for better readability
     local dir_to_parse="${1}"
+
+    # show files and sizes of some directories, don't print the file content (yet)
+    if [[ "${dir_to_parse}" == "${SHM_DIRECTORY}" ]]; then
+        # SHM file - we do not want to see the content, but we want to see the files and their sizes
+        log_write "$(ls -lh "${dir_to_parse}/")"
+    elif [[ "${dir_to_parse}" == "${WEB_SERVER_CONFIG_DIRECTORY_FEDORA}" ]]; then
+        # we want to see all files files in /etc/lighttpd/conf.d
+        log_write "$(ls -lh "${dir_to_parse}/" 2> /dev/null )"
+    elif [[ "${dir_to_parse}" == "${WEB_SERVER_CONFIG_DIRECTORY_DEBIAN}" ]]; then
+        # we want to see all files files in /etc/lighttpd/conf.d
+        log_write "$(ls -lh "${dir_to_parse}/"/ 2> /dev/null )"
+    fi
+
     # Store the files found in an array
     mapfile -t files_found < <(ls "${dir_to_parse}")
     # For each file in the array,
@@ -1083,11 +1131,8 @@ list_files_in_dir() {
             [[ "${dir_to_parse}/${each_file}" == "${PIHOLE_WEB_SERVER_ACCESS_LOG_FILE}" ]] || \
             [[ "${dir_to_parse}/${each_file}" == "${PIHOLE_LOG_GZIPS}" ]]; then
             :
-        elif [[ "${dir_to_parse}" == "${SHM_DIRECTORY}" ]]; then
-            # SHM file - we do not want to see the content, but we want to see the files and their sizes
-            log_write "$(ls -lhd "${dir_to_parse}"/"${each_file}")"
         elif [[ "${dir_to_parse}" == "${DNSMASQ_D_DIRECTORY}" ]]; then
-            # in case of the dnsmasq directory inlcuede all files in the debug output
+            # in case of the dnsmasq directory include all files in the debug output
             log_write "\\n${COL_GREEN}$(ls -lhd "${dir_to_parse}"/"${each_file}")${COL_NC}"
             make_array_from_file "${dir_to_parse}/${each_file}"
         else
@@ -1120,9 +1165,10 @@ show_content_of_files_in_dir() {
     # Set a local variable for better readability
     local directory="${1}"
     # Check if the directory exists
-    dir_check "${directory}"
-    # if it does, list the files in it
-    list_files_in_dir "${directory}"
+    if dir_check "${directory}"; then
+        # if it does, list the files in it
+        list_files_in_dir "${directory}"
+    fi
 }
 
 show_content_of_pihole_files() {
@@ -1130,6 +1176,8 @@ show_content_of_pihole_files() {
     show_content_of_files_in_dir "${PIHOLE_DIRECTORY}"
     show_content_of_files_in_dir "${DNSMASQ_D_DIRECTORY}"
     show_content_of_files_in_dir "${WEB_SERVER_CONFIG_DIRECTORY}"
+    show_content_of_files_in_dir "${WEB_SERVER_CONFIG_DIRECTORY_FEDORA}"
+    show_content_of_files_in_dir "${WEB_SERVER_CONFIG_DIRECTORY_DEBIAN}"
     show_content_of_files_in_dir "${CRON_D_DIRECTORY}"
     show_content_of_files_in_dir "${WEB_SERVER_LOG_DIRECTORY}"
     show_content_of_files_in_dir "${LOG_DIRECTORY}"
@@ -1484,6 +1532,7 @@ check_name_resolution
 check_dhcp_servers
 process_status
 ftl_full_status
+lighttpd_test_configuration
 parse_setup_vars
 check_x_headers
 analyze_ftl_db

advanced/Scripts/query.sh

@@ -30,33 +30,6 @@ gravityDBfile="${GRAVITYDB}"
 colfile="/opt/pihole/COL_TABLE"
 source "${colfile}"
 
-# Scan an array of files for matching strings
-scanList(){
-    # Escape full stops
-    local domain="${1}" esc_domain="${1//./\\.}" lists="${2}" list_type="${3:-}"
-
-    # Prevent grep from printing file path
-    cd "$piholeDir" || exit 1
-
-    # Prevent grep -i matching slowly: https://bit.ly/2xFXtUX
-    export LC_CTYPE=C
-
-    # /dev/null forces filename to be printed when only one list has been generated
-    case "${list_type}" in
-        "exact" ) grep -i -E -l "(^|(?<!#)\\s)${esc_domain}($|\\s|#)" ${lists} /dev/null 2>/dev/null;;
-        # Iterate through each regexp and check whether it matches the domainQuery
-        # If it does, print the matching regexp and continue looping
-        # Input 1 - regexps | Input 2 - domainQuery
-        "regex" )
-            for list in ${lists}; do
-                if [[ "${domain}" =~ ${list} ]]; then
-                    printf "%b\n" "${list}";
-                fi
-            done;;
-        *       ) grep -i "${esc_domain}" ${lists} /dev/null 2>/dev/null;;
-    esac
-}
-
 if [[ "${options}" == "-h" ]] || [[ "${options}" == "--help" ]]; then
     echo "Usage: pihole -q [option] <domain>
 Example: 'pihole -q -exact domain.com'
@@ -77,24 +50,54 @@ fi
 
 # Strip valid options, leaving only the domain and invalid options
 # This allows users to place the options before or after the domain
-options=$(sed -E 's/ ?-(adlists?|all|exact) ?//g' <<< "${options}")
+options=$(sed -E 's/ ?-(all|exact) ?//g' <<< "${options}")
 
 # Handle remaining options
 # If $options contain non ASCII characters, convert to punycode
 case "${options}" in
     ""             ) str="No domain specified";;
     *" "*          ) str="Unknown query option specified";;
-    *[![:ascii:]]* ) domainQuery=$(idn2 "${options}");;
-    *              ) domainQuery="${options}";;
+    *[![:ascii:]]* ) rawDomainQuery=$(idn2 "${options}");;
+    *              ) rawDomainQuery="${options}";;
 esac
 
+# convert the domain to lowercase
+domainQuery=$(echo "${rawDomainQuery}" | tr '[:upper:]' '[:lower:]')
+
 if [[ -n "${str:-}" ]]; then
     echo -e "${str}${COL_NC}\\nTry 'pihole -q --help' for more information."
     exit 1
 fi
 
+# Scan an array of files for matching strings
+scanList(){
+    # Escape full stops
+    local domain="${1}" esc_domain="${1//./\\.}" lists="${2}" list_type="${3:-}"
+
+    # Prevent grep from printing file path
+    cd "$piholeDir" || exit 1
+
+    # Prevent grep -i matching slowly: https://bit.ly/2xFXtUX
+    export LC_CTYPE=C
+
+    # /dev/null forces filename to be printed when only one list has been generated
+    case "${list_type}" in
+        "exact" ) grep -i -E -l "(^|(?<!#)\\s)${esc_domain}($|\\s|#)" "${lists}" /dev/null 2>/dev/null;;
+        # Iterate through each regexp and check whether it matches the domainQuery
+        # If it does, print the matching regexp and continue looping
+        # Input 1 - regexps | Input 2 - domainQuery
+        "regex" )
+            for list in ${lists}; do
+                if [[ "${domain}" =~ ${list} ]]; then
+                    printf "%b\n" "${list}";
+                fi
+            done;;
+        *       ) grep -i "${esc_domain}" "${lists}" /dev/null 2>/dev/null;;
+    esac
+}
+
 scanDatabaseTable() {
-    local domain table list_type querystr result extra
+    local domain table list_type querystr result extra abpquerystr abpfound abpentry searchstr
     domain="$(printf "%q" "${1}")"
     table="${2}"
     list_type="${3:-}"
@@ -104,9 +107,34 @@ scanDatabaseTable() {
     # behavior. The "ESCAPE '\'" clause specifies that an underscore preceded by an '\' should be matched
     # as a literal underscore character. We pretreat the $domain variable accordingly to escape underscores.
     if [[ "${table}" == "gravity" ]]; then
+
+        # Are there ABP entries on gravity?
+        # Return 1 if abp_domain=1 or Zero if abp_domain=0 or not set
+        abpquerystr="SELECT EXISTS (SELECT 1 FROM info WHERE property='abp_domains' and value='1')"
+        abpfound="$(pihole-FTL sqlite3 "${gravityDBfile}" "${abpquerystr}")" 2> /dev/null
+
+        # Create search string for ABP entries only if needed
+        if [ "${abpfound}" -eq 1 ]; then
+            abpentry="${domain}"
+
+            searchstr="'||${abpentry}^'"
+
+            # While a dot is found ...
+            while [ "${abpentry}" != "${abpentry/./}" ]
+            do
+                # ... remove text before the dot (including the dot) and append the result to $searchstr
+                abpentry=$(echo "${abpentry}" | cut -f 2- -d '.')
+                searchstr="$searchstr, '||${abpentry}^'"
+            done
+
+            # The final search string will look like:
+            # "domain IN ('||sub2.sub1.domain.com^', '||sub1.domain.com^', '||domain.com^', '||com^') OR"
+            searchstr="domain IN (${searchstr}) OR "
+        fi
+
         case "${exact}" in
             "exact" ) querystr="SELECT gravity.domain,adlist.address,adlist.enabled FROM gravity LEFT JOIN adlist ON adlist.id = gravity.adlist_id WHERE domain = '${domain}'";;
-            *       ) querystr="SELECT gravity.domain,adlist.address,adlist.enabled FROM gravity LEFT JOIN adlist ON adlist.id = gravity.adlist_id WHERE domain LIKE '%${domain//_/\\_}%' ESCAPE '\\'";;
+            *       ) querystr="SELECT gravity.domain,adlist.address,adlist.enabled FROM gravity LEFT JOIN adlist ON adlist.id = gravity.adlist_id WHERE ${searchstr} domain LIKE '%${domain//_/\\_}%' ESCAPE '\\'";;
         esac
     else
         case "${exact}" in
@@ -116,7 +144,7 @@ scanDatabaseTable() {
     fi
 
     # Send prepared query to gravity database
-    result="$(pihole-FTL sqlite3 "${gravityDBfile}" "${querystr}")" 2> /dev/null
+    result="$(pihole-FTL sqlite3 -separator ',' "${gravityDBfile}" "${querystr}")" 2> /dev/null
     if [[ -z "${result}" ]]; then
         # Return early when there are no matches in this table
         return
@@ -136,8 +164,8 @@ scanDatabaseTable() {
     # Loop over results and print them
     mapfile -t results <<< "${result}"
     for result in "${results[@]}"; do
-        domain="${result/|*}"
-        if [[ "${result#*|}" == "0" ]]; then
+        domain="${result/,*}"
+        if [[ "${result#*,}" == "0" ]]; then
             extra=" (disabled)"
         else
             extra=""
@@ -212,10 +240,10 @@ if [[ -n "${exact}" ]]; then
 fi
 
 for result in "${results[@]}"; do
-    match="${result/|*/}"
-    extra="${result#*|}"
-    adlistAddress="${extra/|*/}"
-    extra="${extra#*|}"
+    match="${result/,*/}"
+    extra="${result#*,}"
+    adlistAddress="${extra/,*/}"
+    extra="${extra#*,}"
     if [[ "${extra}" == "0" ]]; then
         extra=" (disabled)"
     else

advanced/Scripts/utils.sh

@@ -57,7 +57,11 @@ addKey(){
   # touch file to prevent grep error if file does not exist yet
   touch "${file}"
 
-  if ! grep -q "^${key}" "${file}"; then
+  # Match key against entire line, using both anchors. We assume
+  # that the file's keys never have bounding whitespace. Anchors
+  # are necessary to ensure the key is considered absent when it
+  # is a substring of another key present in the file.
+  if ! grep -q "^${key}$" "${file}"; then
     # Key does not exist, add it.
     echo "${key}" >> "${file}"
   fi

advanced/Templates/pihole-FTL-poststop.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env sh
+
+# Source utils.sh for getFTLPIDFile()
+PI_HOLE_SCRIPT_DIR='/opt/pihole'
+utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
+# shellcheck disable=SC1090
+. "${utilsfile}"
+
+# Get file paths
+FTL_PID_FILE="$(getFTLPIDFile)"
+
+# Cleanup
+rm -f /run/pihole/FTL.sock /dev/shm/FTL-* "${FTL_PID_FILE}"

advanced/Templates/pihole-FTL-prestart.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env sh
+
+# Source utils.sh for getFTLPIDFile()
+PI_HOLE_SCRIPT_DIR='/opt/pihole'
+utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
+# shellcheck disable=SC1090
+. "${utilsfile}"
+
+# Get file paths
+FTL_PID_FILE="$(getFTLPIDFile)"
+
+# Touch files to ensure they exist (create if non-existing, preserve if existing)
+# shellcheck disable=SC2174
+mkdir -pm 0755 /run/pihole /var/log/pihole
+[ -f "${FTL_PID_FILE}" ] || install -D -m 644 -o pihole -g pihole /dev/null "${FTL_PID_FILE}"
+[ -f /var/log/pihole/FTL.log ] || install -m 644 -o pihole -g pihole /dev/null /var/log/pihole/FTL.log
+[ -f /var/log/pihole/pihole.log ] || install -m 640 -o pihole -g pihole /dev/null /var/log/pihole/pihole.log
+[ -f /etc/pihole/dhcp.leases ] || install -m 644 -o pihole -g pihole /dev/null /etc/pihole/dhcp.leases
+# Ensure that permissions are set so that pihole-FTL can edit all necessary files
+chown pihole:pihole /run/pihole /etc/pihole /var/log/pihole /var/log/pihole/FTL.log /var/log/pihole/pihole.log /etc/pihole/dhcp.leases
+# Ensure that permissions are set so that pihole-FTL can edit the files. We ignore errors as the file may not (yet) exist
+chmod -f 0644 /etc/pihole/macvendor.db /etc/pihole/dhcp.leases /var/log/pihole/FTL.log
+chmod -f 0640 /var/log/pihole/pihole.log
+# Chown database files to the user FTL runs as. We ignore errors as the files may not (yet) exist
+chown -f pihole:pihole /etc/pihole/pihole-FTL.db /etc/pihole/gravity.db /etc/pihole/macvendor.db
+# Chmod database file permissions so that the pihole group (web interface) can edit the file. We ignore errors as the files may not (yet) exist
+chmod -f 0664 /etc/pihole/pihole-FTL.db
+
+# Backward compatibility for user-scripts that still expect log files in /var/log instead of /var/log/pihole
+# Should be removed with Pi-hole v6.0
+if [ ! -f /var/log/pihole.log ]; then
+    ln -sf /var/log/pihole/pihole.log /var/log/pihole.log
+    chown -h pihole:pihole /var/log/pihole.log
+fi
+if [ ! -f /var/log/pihole-FTL.log ]; then
+    ln -sf /var/log/pihole/FTL.log /var/log/pihole-FTL.log
+    chown -h pihole:pihole /var/log/pihole-FTL.log
+fi

advanced/Templates/pihole-FTL.service

@@ -9,9 +9,10 @@
 # Description:       Enable service provided by pihole-FTL daemon
 ### END INIT INFO
 
-#source utils.sh for getFTLPIDFile(), getFTLPID ()
+# Source utils.sh for getFTLPIDFile(), getFTLPID()
 PI_HOLE_SCRIPT_DIR="/opt/pihole"
 utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
+# shellcheck disable=SC1090
 . "${utilsfile}"
 
 
@@ -22,45 +23,31 @@ is_running() {
   return 1
 }
 
+cleanup() {
+    # Run post-stop script, which does cleanup among runtime files
+    sh "${PI_HOLE_SCRIPT_DIR}/pihole-FTL-poststop.sh"
+}
+
 
 # Start the service
 start() {
   if is_running; then
     echo "pihole-FTL is already running"
   else
-    # Touch files to ensure they exist (create if non-existing, preserve if existing)
-    mkdir -pm 0755 /run/pihole /var/log/pihole
-    [ ! -f "${FTL_PID_FILE}" ] && install -D -m 644 -o pihole -g pihole /dev/null "${FTL_PID_FILE}"
-    [ ! -f /var/log/pihole/FTL.log ] && install -m 644 -o pihole -g pihole /dev/null /var/log/pihole/FTL.log
-    [ ! -f /var/log/pihole/pihole.log ] && install -m 640 -o pihole -g pihole /dev/null /var/log/pihole/pihole.log
-    [ ! -f /etc/pihole/dhcp.leases ] && install -m 644 -o pihole -g pihole /dev/null /etc/pihole/dhcp.leases
-    # Ensure that permissions are set so that pihole-FTL can edit all necessary files
-    chown pihole:pihole /run/pihole /etc/pihole /var/log/pihole /var/log/pihole/FTL.log /var/log/pihole/pihole.log /etc/pihole/dhcp.leases
-    # Ensure that permissions are set so that pihole-FTL can edit the files. We ignore errors as the file may not (yet) exist
-    chmod -f 0644 /etc/pihole/macvendor.db /etc/pihole/dhcp.leases /var/log/pihole/FTL.log
-    chmod -f 0640 /var/log/pihole/pihole.log
-    # Chown database files to the user FTL runs as. We ignore errors as the files may not (yet) exist
-    chown -f pihole:pihole /etc/pihole/pihole-FTL.db /etc/pihole/gravity.db /etc/pihole/macvendor.db
-    # Chown database file permissions so that the pihole group (web interface) can edit the file. We ignore errors as the files may not (yet) exist
-    chmod -f 0664 /etc/pihole/pihole-FTL.db
-
-    # Backward compatibility for user-scripts that still expect log files in /var/log instead of /var/log/pihole/
-    # Should be removed with Pi-hole v6.0
-    if [ ! -f /var/log/pihole.log ]; then
-        ln -s /var/log/pihole/pihole.log /var/log/pihole.log
-        chown -h pihole:pihole /var/log/pihole.log
-
-    fi
-    if [ ! -f /var/log/pihole-FTL.log ]; then
-        ln -s /var/log/pihole/FTL.log /var/log/pihole-FTL.log
-        chown -h pihole:pihole /var/log/pihole-FTL.log
-    fi
+    # Run pre-start script, which pre-creates all expected files with correct permissions
+    sh "${PI_HOLE_SCRIPT_DIR}/pihole-FTL-prestart.sh"
 
     if setcap CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_NICE,CAP_IPC_LOCK,CAP_CHOWN+eip "/usr/bin/pihole-FTL"; then
-      su -s /bin/sh -c "/usr/bin/pihole-FTL" pihole || exit $?
+      su -s /bin/sh -c "/usr/bin/pihole-FTL" pihole
     else
       echo "Warning: Starting pihole-FTL as root because setting capabilities is not supported on this system"
-      /usr/bin/pihole-FTL || exit $?
+      /usr/bin/pihole-FTL
+    fi
+    rc=$?
+    # Cleanup if startup failed
+    if [ "${rc}" != 0 ]; then
+        cleanup
+        exit $rc
     fi
     echo
   fi
@@ -89,8 +76,7 @@ stop() {
   else
     echo "Not running"
   fi
-  # Cleanup
-  rm -f /run/pihole/FTL.sock /dev/shm/FTL-* "${FTL_PID_FILE}"
+  cleanup
   echo
 }
 
@@ -108,11 +94,14 @@ status() {
 
 ### main logic ###
 
-# Get file paths
+# catch sudden termination
+trap 'cleanup; exit 1' INT HUP TERM ABRT
+
+# Get FTL's PID file path
 FTL_PID_FILE="$(getFTLPIDFile)"
 
 # Get FTL's current PID
-FTL_PID="$(getFTLPID ${FTL_PID_FILE})"
+FTL_PID="$(getFTLPID "${FTL_PID_FILE}")"
 
 case "$1" in
   stop)

advanced/Templates/pihole-FTL.systemd

@@ -0,0 +1,41 @@
+[Unit]
+Description=Pi-hole FTL
+# This unit is supposed to indicate when network functionality is available, but it is only
+# very weakly defined what that is supposed to mean, with one exception: at shutdown, a unit
+# that is ordered after network-online.target will be stopped before the network
+Wants=network-online.target
+After=network-online.target
+# A target that should be used as synchronization point for all host/network name service lookups.
+# All services for which the availability of full host/network name resolution is essential should
+# be ordered after this target, but not pull it in.
+Wants=nss-lookup.target
+Before=nss-lookup.target
+
+# Limit (re)start loop to 5 within 1 minute
+StartLimitBurst=5
+StartLimitIntervalSec=60s
+
+[Service]
+User=pihole
+PermissionsStartOnly=true
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_NICE CAP_IPC_LOCK CAP_CHOWN
+
+ExecStartPre=/opt/pihole/pihole-FTL-prestart.sh
+ExecStart=/usr/bin/pihole-FTL -f
+Restart=on-failure
+RestartSec=5s
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStopPost=/opt/pihole/pihole-FTL-poststop.sh
+
+# Use graceful shutdown with a reasonable timeout
+TimeoutStopSec=10s
+
+# Make /usr, /boot, /etc and possibly some more folders read-only...
+ProtectSystem=full
+# ... except /etc/pihole
+# This merely retains r/w access rights, it does not add any new.
+# Must still be writable on the host!
+ReadWriteDirectories=/etc/pihole
+
+[Install]
+WantedBy=multi-user.target

advanced/index.php

@@ -1,81 +0,0 @@
-<?php
-/* Pi-hole: A black hole for Internet advertisements
-*  (c) 2017 Pi-hole, LLC (https://pi-hole.net)
-*  Network-wide ad blocking via your own hardware.
-*
-*  This file is copyright under the latest version of the EUPL.
-*  Please see LICENSE file for your rights under this license. */
-
-// Sanitize SERVER_NAME output
-$serverName = htmlspecialchars($_SERVER["SERVER_NAME"]);
-// Remove external ipv6 brackets if any
-$serverName = preg_replace('/^\[(.*)\]$/', '${1}', $serverName);
-
-// Set landing page location, found within /var/www/html/
-$landPage = "../landing.php";
-
-// Define array for hostnames to be accepted as self address for splash page
-$authorizedHosts = [ "localhost" ];
-if (!empty($_SERVER["FQDN"])) {
-    // If setenv.add-environment = ("fqdn" => "true") is configured in lighttpd,
-    // append $serverName to $authorizedHosts
-    array_push($authorizedHosts, $serverName);
-} else if (!empty($_SERVER["VIRTUAL_HOST"])) {
-    // Append virtual hostname to $authorizedHosts
-    array_push($authorizedHosts, $_SERVER["VIRTUAL_HOST"]);
-}
-
-// Determine block page type
-if ($serverName === "pi.hole"
-    || (!empty($_SERVER["VIRTUAL_HOST"]) && $serverName === $_SERVER["VIRTUAL_HOST"])) {
-    // Redirect to Web Interface
-    header("Location: /admin");
-    exit();
-} elseif (filter_var($serverName, FILTER_VALIDATE_IP) || in_array($serverName, $authorizedHosts)) {
-    // When directly browsing via IP or authorized hostname
-    // Render splash/landing page based off presence of $landPage file
-    // Unset variables so as to not be included in $landPage or $splashPage
-    unset($authorizedHosts);
-    // If $landPage file is present
-    if (is_file(getcwd()."/$landPage")) {
-        unset($serverName, $viewPort); // unset extra variables not to be included in $landpage
-        include $landPage;
-        exit();
-    }
-    // If $landPage file was not present, Set Splash Page output
-    $splashPage = <<<EOT
-    <!doctype html>
-    <html lang='en'>
-        <head>
-            <meta charset='utf-8'>
-            <meta name='viewport' content='width=device-width, initial-scale=1'>
-            <title>● $serverName</title>
-            <link rel='shortcut icon' href='/admin/img/favicons/favicon.ico' type='image/x-icon'>
-            <style>
-                html, body { height: 100% }
-                body { margin: 0; font: 13pt "Source Sans Pro", "Helvetica Neue", Helvetica, Arial, sans-serif; }
-                body { background: #222; color: rgba(255, 255, 255, 0.7); text-align: center; }
-                p { margin: 0; }
-                a { color: #3c8dbc; text-decoration: none; }
-                a:hover { color: #72afda; text-decoration: underline; }
-                #splashpage { display: flex; align-items: center; justify-content: center; }
-                #splashpage img { margin: 5px; width: 256px; }
-                #splashpage b { color: inherit; }
-            </style>
-        </head>
-        <body id='splashpage'>
-            <div>
-            <img src='/admin/img/logo.svg' alt='Pi-hole logo' width='256' height='377'>
-            <br>
-            <p>Pi-<strong>hole</strong>: Your black hole for Internet advertisements</p>
-            <a href='/admin'>Did you mean to go to the admin panel?</a>
-            </div>
-        </body>
-    </html>
-EOT;
-    exit($splashPage);
-}
-
-header("HTTP/1.1 404 Not Found");
-exit();
-?>

advanced/lighttpd.conf.debian

@@ -7,17 +7,18 @@
 # This file is copyright under the latest version of the EUPL.
 # Please see LICENSE file for your rights under this license.
 
-###############################################################################
-#     FILE AUTOMATICALLY OVERWRITTEN BY PI-HOLE INSTALL/UPDATE PROCEDURE.     #
-# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
-#                                                                             #
-#              CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE:              #
-#                         /etc/lighttpd/external.conf                         #
-###############################################################################
+###################################################################################################
+#   IF THIS HEADER EXISTS, THE FILE WILL BE OVERWRITTEN BY PI-HOLE'S UPDATE PROCEDURE.            #
+#   ANY CHANGES MADE TO THIS FILE WILL BE LOST ON THE NEXT UPDATE UNLESS YOU REMOVE THIS HEADER   #
+#                                                                                                 #
+#   ENSURE THAT YOU DO NOT REMOVE THE REQUIRED LINE:                                              #
+#                                                                                                 #
+#   include "/etc/lighttpd/conf-enabled/*.conf"                                                   #
+#                                                                                                 #
+###################################################################################################
 
 server.modules = (
     "mod_access",
-    "mod_accesslog",
     "mod_auth",
     "mod_expire",
     "mod_redirect",
@@ -26,7 +27,6 @@ server.modules = (
 )
 
 server.document-root        = "/var/www/html"
-server.error-handler-404    = "/pihole/index.php"
 server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
 server.errorlog             = "/var/log/lighttpd/error-pihole.log"
 server.pid-file             = "/run/lighttpd.pid"
@@ -35,8 +35,6 @@ server.groupname            = "www-data"
 # For lighttpd version 1.4.46 or above, the port can be overwritten in `/etc/lighttpd/external.conf` using the := operator
 # e.g. server.port := 8000
 server.port                 = 80
-accesslog.filename          = "/var/log/lighttpd/access-pihole.log"
-accesslog.format            = "%{%s}t|%V|%r|%s|%b"
 
 # Allow streaming response
 # reference: https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_stream-response-bodyDetails
@@ -67,48 +65,9 @@ mimetype.assign = (
     ".woff2" => "font/woff2"
 )
 
-# Add user chosen options held in external file
-# This uses include_shell instead of an include wildcard for compatibility
-include_shell "cat external.conf 2>/dev/null"
+# Add user chosen options held in (optional) external file
+include "external*.conf"
 
 # default listening port for IPv6 falls back to the IPv4 port
 include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
-
-# Prevent Lighttpd from enabling Let's Encrypt SSL for every blocked domain
-#include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
-include_shell "find /etc/lighttpd/conf-enabled -name '*.conf' -a ! -name 'letsencrypt.conf' -printf 'include \"%p\"\n' 2>/dev/null"
-
-# If the URL starts with /admin, it is the Web interface
-$HTTP["url"] =~ "^/admin/" {
-    # X-Pi-hole is a response header for debugging using curl -I
-    # X-Frame-Options prevents clickjacking attacks and helps ensure your content is not embedded into other sites via < frame >, < iframe > or < object >.
-    # X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. This is important because it tells the browser to block the response if a malicious script has been inserted from a user input.
-    # X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This is important because the browser will only load external resources if their content-type matches what is expected, and not malicious hidden code.
-    # Content-Security-Policy tells the browser where resources are allowed to be loaded and if it’s allowed to parse/run inline styles or Javascript. This is important because it prevents content injection attacks, such as Cross Site Scripting (XSS).
-    # X-Permitted-Cross-Domain-Policies is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains.
-    # Referrer-Policy allows control/restriction of the amount of information present in the referral header for links away from your page—the URL path or even if the header is sent at all.
-    setenv.add-response-header = (
-        "X-Pi-hole" => "The Pi-hole Web interface is working!",
-        "X-Frame-Options" => "DENY",
-        "X-XSS-Protection" => "1; mode=block",
-        "X-Content-Type-Options" => "nosniff",
-        "Content-Security-Policy" => "default-src 'self' 'unsafe-inline';",
-        "X-Permitted-Cross-Domain-Policies" => "none",
-        "Referrer-Policy" => "same-origin"
-    )
-}
-
-# Block . files from being served, such as .git, .github, .gitignore
-$HTTP["url"] =~ "^/admin/\.(.*)" {
-    url.access-deny = ("")
-}
-
-# allow teleporter and API qr code iframe on settings page
-$HTTP["url"] =~ "/(teleporter|api_token)\.php$" {
-    $HTTP["referer"] =~ "/admin/settings\.php" {
-        setenv.add-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
-    }
-}
-
-# Default expire header
-expire.url = ( "" => "access plus 0 seconds" )
+include "/etc/lighttpd/conf-enabled/*.conf"

advanced/lighttpd.conf.fedora

@@ -7,13 +7,15 @@
 # This file is copyright under the latest version of the EUPL.
 # Please see LICENSE file for your rights under this license.
 
-###############################################################################
-#     FILE AUTOMATICALLY OVERWRITTEN BY PI-HOLE INSTALL/UPDATE PROCEDURE.     #
-# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
-#                                                                             #
-#              CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE:              #
-#                         /etc/lighttpd/external.conf                         #
-###############################################################################
+###################################################################################################
+#   IF THIS HEADER EXISTS, THE FILE WILL BE OVERWRITTEN BY PI-HOLE'S UPDATE PROCEDURE.            #
+#   ANY CHANGES MADE TO THIS FILE WILL BE LOST ON THE NEXT UPDATE UNLESS YOU REMOVE THIS HEADER   #
+#                                                                                                 #
+#   ENSURE THAT YOU DO NOT REMOVE THE REQUIRED LINE:                                              #
+#                                                                                                 #
+#   include "/etc/lighttpd/conf.d/pihole-admin.conf"                                              #
+#                                                                                                 #
+###################################################################################################
 
 server.modules = (
     "mod_access",
@@ -27,7 +29,6 @@ server.modules = (
 )
 
 server.document-root        = "/var/www/html"
-server.error-handler-404    = "/pihole/index.php"
 server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
 server.errorlog             = "/var/log/lighttpd/error-pihole.log"
 server.pid-file             = "/run/lighttpd.pid"
@@ -36,8 +37,6 @@ server.groupname            = "lighttpd"
 # For lighttpd version 1.4.46 or above, the port can be overwritten in `/etc/lighttpd/external.conf` using the := operator
 # e.g. server.port := 8000
 server.port                 = 80
-accesslog.filename          = "/var/log/lighttpd/access-pihole.log"
-accesslog.format            = "%{%s}t|%V|%r|%s|%b"
 
 # Allow streaming response
 # reference: https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_stream-response-bodyDetails
@@ -68,9 +67,8 @@ mimetype.assign = (
     ".woff2" => "font/woff2"
 )
 
-# Add user chosen options held in external file
-# This uses include_shell instead of an include wildcard for compatibility
-include_shell "cat external.conf 2>/dev/null"
+# Add user chosen options held in (optional) external file
+include "external*.conf"
 
 # default listening port for IPv6 falls back to the IPv4 port
 #include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
@@ -86,37 +84,4 @@ fastcgi.server = (
     )
 )
 
-# If the URL starts with /admin, it is the Web interface
-$HTTP["url"] =~ "^/admin/" {
-    # X-Pi-hole is a response header for debugging using curl -I
-    # X-Frame-Options prevents clickjacking attacks and helps ensure your content is not embedded into other sites via < frame >, < iframe > or < object >.
-    # X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. This is important because it tells the browser to block the response if a malicious script has been inserted from a user input.
-    # X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This is important because the browser will only load external resources if their content-type matches what is expected, and not malicious hidden code.
-    # Content-Security-Policy tells the browser where resources are allowed to be loaded and if it’s allowed to parse/run inline styles or Javascript. This is important because it prevents content injection attacks, such as Cross Site Scripting (XSS).
-    # X-Permitted-Cross-Domain-Policies is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains.
-    # Referrer-Policy allows control/restriction of the amount of information present in the referral header for links away from your page—the URL path or even if the header is sent at all.
-    setenv.add-response-header = (
-        "X-Pi-hole" => "The Pi-hole Web interface is working!",
-        "X-Frame-Options" => "DENY",
-        "X-XSS-Protection" => "1; mode=block",
-        "X-Content-Type-Options" => "nosniff",
-        "Content-Security-Policy" => "default-src 'self' 'unsafe-inline';",
-        "X-Permitted-Cross-Domain-Policies" => "none",
-        "Referrer-Policy" => "same-origin"
-    )
-}
-
-# Block . files from being served, such as .git, .github, .gitignore
-$HTTP["url"] =~ "^/admin/\.(.*)" {
-    url.access-deny = ("")
-}
-
-# allow teleporter and API qr code iframe on settings page
-$HTTP["url"] =~ "/(teleporter|api_token)\.php$" {
-    $HTTP["referer"] =~ "/admin/settings\.php" {
-        setenv.add-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
-    }
-}
-
-# Default expire header
-expire.url = ( "" => "access plus 0 seconds" )
+include "/etc/lighttpd/conf.d/pihole-admin.conf"

advanced/pihole-admin.conf

@@ -0,0 +1,82 @@
+# Pi-hole: A black hole for Internet advertisements
+# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
+# Network-wide ad blocking via your own hardware.
+#
+# Lighttpd config for Pi-hole
+#
+# This file is copyright under the latest version of the EUPL.
+# Please see LICENSE file for your rights under this license.
+
+###############################################################################
+#     FILE AUTOMATICALLY OVERWRITTEN BY PI-HOLE INSTALL/UPDATE PROCEDURE.     #
+# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
+###############################################################################
+
+server.errorlog := "/var/log/lighttpd/error-pihole.log"
+
+$HTTP["url"] =~ "^/admin/" {
+    server.document-root = "/var/www/html"
+    server.stream-response-body = 1
+    accesslog.filename = "/var/log/lighttpd/access-pihole.log"
+    accesslog.format = "%{%s}t|%h|%V|%r|%s|%b"
+
+    fastcgi.server = (
+        ".php" => (
+            "localhost" => (
+                "socket" => "/run/lighttpd/pihole-php-fastcgi.socket",
+                "bin-path" => "/usr/bin/php-cgi",
+                "min-procs" => 1,
+                "max-procs" => 1,
+                "bin-environment" => (
+                    "PHP_FCGI_CHILDREN" => "4",
+                    "PHP_FCGI_MAX_REQUESTS" => "10000",
+                ),
+                "bin-copy-environment" => (
+                    "PATH", "SHELL", "USER"
+                ),
+                "broken-scriptfilename" => "enable",
+            )
+        )
+    )
+
+    # X-Pi-hole is a response header for debugging using curl -I
+    # X-Frame-Options prevents clickjacking attacks and helps ensure your content is not embedded into other sites via < frame >, < iframe > or < object >.
+    # X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. This is important because it tells the browser to block the response if a malicious script has been inserted from a user input. (deprecated; disabled)
+    # X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This is important because the browser will only load external resources if their content-type matches what is expected, and not malicious hidden code.
+    # Content-Security-Policy tells the browser where resources are allowed to be loaded and if it’s allowed to parse/run inline styles or Javascript. This is important because it prevents content injection attacks, such as Cross Site Scripting (XSS).
+    # X-Permitted-Cross-Domain-Policies is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains.
+    # Referrer-Policy allows control/restriction of the amount of information present in the referral header for links away from your page—the URL path or even if the header is sent at all.
+    setenv.add-response-header = (
+        "X-Pi-hole" => "The Pi-hole Web interface is working!",
+        "X-Frame-Options" => "DENY",
+        "X-XSS-Protection" => "0",
+        "X-Content-Type-Options" => "nosniff",
+        "Content-Security-Policy" => "default-src 'self' 'unsafe-inline';",
+        "X-Permitted-Cross-Domain-Policies" => "none",
+        "Referrer-Policy" => "same-origin"
+    )
+
+    # Block . files from being served, such as .git, .github, .gitignore
+    $HTTP["url"] =~ "^/admin/\." {
+        url.access-deny = ("")
+    }
+
+    # allow teleporter and API qr code iframe on settings page
+    $HTTP["url"] =~ "/(teleporter|api_token)\.php$" {
+        $HTTP["referer"] =~ "/admin/settings\.php" {
+            setenv.set-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
+        }
+    }
+}
+else $HTTP["url"] == "/admin" {
+    url.redirect = ("" => "/admin/")
+}
+
+$HTTP["host"] == "pi.hole" {
+    $HTTP["url"] == "/" {
+        url.redirect = ("" => "/admin/")
+    }
+}
+
+# (keep this on one line for basic-install.sh filtering during install)
+server.modules += ( "mod_access", "mod_accesslog", "mod_redirect", "mod_fastcgi", "mod_setenv" )

automated install/basic-install.sh

@@ -82,7 +82,6 @@ PI_HOLE_FILES=(chronometer list piholeDebug piholeLogFlush setupLCD update versi
 PI_HOLE_INSTALL_DIR="/opt/pihole"
 PI_HOLE_CONFIG_DIR="/etc/pihole"
 PI_HOLE_BIN_DIR="/usr/local/bin"
-PI_HOLE_404_DIR="${webroot}/pihole"
 FTL_CONFIG_FILE="${PI_HOLE_CONFIG_DIR}/pihole-FTL.conf"
 if [ -z "$useUpdateVars" ]; then
     useUpdateVars=false
@@ -1380,37 +1379,96 @@ installConfigs() {
         fi
     fi
 
-    # Install pihole-FTL.service
-    install -T -m 0755 "${PI_HOLE_LOCAL_REPO}/advanced/Templates/pihole-FTL.service" "/etc/init.d/pihole-FTL"
+    # Install pihole-FTL systemd or init.d service, based on whether systemd is the init system or not
+    # Follow debhelper logic, which checks for /run/systemd/system to derive whether systemd is the init system
+    if [[ -d '/run/systemd/system' ]]; then
+        install -T -m 0644 "${PI_HOLE_LOCAL_REPO}/advanced/Templates/pihole-FTL.systemd" '/etc/systemd/system/pihole-FTL.service'
+
+        # Remove init.d service if present
+        if [[ -e '/etc/init.d/pihole-FTL' ]]; then
+            rm '/etc/init.d/pihole-FTL'
+            update-rc.d pihole-FTL remove
+        fi
+
+        # Load final service
+        systemctl daemon-reload
+    else
+        install -T -m 0755 "${PI_HOLE_LOCAL_REPO}/advanced/Templates/pihole-FTL.service" '/etc/init.d/pihole-FTL'
+    fi
+    install -T -m 0755 "${PI_HOLE_LOCAL_REPO}/advanced/Templates/pihole-FTL-prestart.sh" "${PI_HOLE_INSTALL_DIR}/pihole-FTL-prestart.sh"
+    install -T -m 0755 "${PI_HOLE_LOCAL_REPO}/advanced/Templates/pihole-FTL-poststop.sh" "${PI_HOLE_INSTALL_DIR}/pihole-FTL-poststop.sh"
 
     # If the user chose to install the dashboard,
     if [[ "${INSTALL_WEB_SERVER}" == true ]]; then
-        # and if the Web server conf directory does not exist,
-        if [[ ! -d "/etc/lighttpd" ]]; then
-            # make it and set the owners
-            install -d -m 755 -o "${USER}" -g root /etc/lighttpd
-        # Otherwise, if the config file already exists
-        elif [[ -f "${lighttpdConfig}" ]]; then
-            # back up the original
-            mv "${lighttpdConfig}"{,.orig}
-        fi
-        # and copy in the config file Pi-hole needs
-        install -D -m 644 -T ${PI_HOLE_LOCAL_REPO}/advanced/${LIGHTTPD_CFG} "${lighttpdConfig}"
-        # Make sure the external.conf file exists, as lighttpd v1.4.50 crashes without it
-        if [ ! -f /etc/lighttpd/external.conf ]; then
-            install -m 644 /dev/null /etc/lighttpd/external.conf
-        fi
-        # If there is a custom block page in the html/pihole directory, replace 404 handler in lighttpd config
-        if [[ -f "${PI_HOLE_404_DIR}/custom.php" ]]; then
-            sed -i 's/^\(server\.error-handler-404\s*=\s*\).*$/\1"\/pihole\/custom\.php"/' "${lighttpdConfig}"
-        fi
-        # Make the directories if they do not exist and set the owners
+        # set permissions on /etc/lighttpd/lighttpd.conf so pihole user (other) can read the file
+        chmod o+x /etc/lighttpd
+        chmod o+r "${lighttpdConfig}"
+
+        # Ensure /run/lighttpd exists and is owned by lighttpd user
+        # Needed for the php socket
         mkdir -p /run/lighttpd
         chown ${LIGHTTPD_USER}:${LIGHTTPD_GROUP} /run/lighttpd
-        mkdir -p /var/cache/lighttpd/compress
-        chown ${LIGHTTPD_USER}:${LIGHTTPD_GROUP} /var/cache/lighttpd/compress
-        mkdir -p /var/cache/lighttpd/uploads
-        chown ${LIGHTTPD_USER}:${LIGHTTPD_GROUP} /var/cache/lighttpd/uploads
+
+        if grep -q -F "OVERWRITTEN BY PI-HOLE" "${lighttpdConfig}"; then
+            # Attempt to preserve backwards compatibility with older versions
+            install -D -m 644 -T ${PI_HOLE_LOCAL_REPO}/advanced/${LIGHTTPD_CFG} "${lighttpdConfig}"
+            # Make the directories if they do not exist and set the owners
+            mkdir -p /var/cache/lighttpd/compress
+            chown ${LIGHTTPD_USER}:${LIGHTTPD_GROUP} /var/cache/lighttpd/compress
+            mkdir -p /var/cache/lighttpd/uploads
+            chown ${LIGHTTPD_USER}:${LIGHTTPD_GROUP} /var/cache/lighttpd/uploads
+        fi
+        # Copy the config file to include for pihole admin interface
+        if [[ -d "/etc/lighttpd/conf.d" ]]; then
+            install -D -m 644 -T ${PI_HOLE_LOCAL_REPO}/advanced/pihole-admin.conf /etc/lighttpd/conf.d/pihole-admin.conf
+            if grep -q -F 'include "/etc/lighttpd/conf.d/pihole-admin.conf"' "${lighttpdConfig}"; then
+                :
+            else
+                echo 'include "/etc/lighttpd/conf.d/pihole-admin.conf"' >> "${lighttpdConfig}"
+            fi
+            # Avoid some warnings trace from lighttpd, which might break tests
+            conf=/etc/lighttpd/conf.d/pihole-admin.conf
+            if lighttpd -f "${lighttpdConfig}" -tt 2>&1 | grep -q -F "WARNING: unknown config-key: dir-listing\."; then
+                echo '# Avoid some warnings trace from lighttpd, which might break tests' >> $conf
+                echo 'server.modules += ( "mod_dirlisting" )' >> $conf
+            fi
+            if lighttpd -f "${lighttpdConfig}" -tt 2>&1 | grep -q -F "warning: please use server.use-ipv6"; then
+                echo '# Avoid some warnings trace from lighttpd, which might break tests' >> $conf
+                echo 'server.use-ipv6 := "disable"' >> $conf
+            fi
+        elif [[ -d "/etc/lighttpd/conf-available" ]]; then
+            conf=/etc/lighttpd/conf-available/15-pihole-admin.conf
+            install -D -m 644 -T ${PI_HOLE_LOCAL_REPO}/advanced/pihole-admin.conf $conf
+
+            # Get the version number of lighttpd
+            version=$(dpkg-query -f='${Version}\n' --show lighttpd)
+            # Test if that version is greater than or euqal to 1.4.56
+            if dpkg --compare-versions "$version" "ge" "1.4.56"; then
+                # If it is, then we don't need to disable the modules
+                # (server.modules duplication is ignored in lighttpd 1.4.56+)
+                :
+            else
+                # disable server.modules += ( ... ) in $conf to avoid module dups
+                if awk '!/^server\.modules/{print}' $conf > $conf.$$ && mv $conf.$$ $conf; then
+                :
+                else
+                    rm $conf.$$
+                fi
+            fi
+
+            chmod 644 $conf
+            if is_command lighty-enable-mod ; then
+                lighty-enable-mod pihole-admin access accesslog redirect fastcgi setenv > /dev/null || true
+            else
+                # Otherwise, show info about installing them
+                printf "  %b Warning: 'lighty-enable-mod' utility not found\\n" "${INFO}"
+                printf "      Please ensure fastcgi is enabled if you experience issues\\n"
+            fi
+        else
+            # lighttpd config include dir not found
+            printf "  %b Warning: lighttpd config include dir not found\\n" "${INFO}"
+            printf "      Please manually install pihole-admin.conf\\n"
+        fi
     fi
 }
 
@@ -1661,30 +1719,6 @@ install_dependent_packages() {
 
 # Install the Web interface dashboard
 installPiholeWeb() {
-    printf "\\n  %b Installing 404 page...\\n" "${INFO}"
-
-    local str="Creating directory for 404 page, and copying files"
-    printf "  %b %s..." "${INFO}" "${str}"
-    # Install the directory
-    install -d -m 0755 ${PI_HOLE_404_DIR}
-    # and the 404 handler
-    install -D -m 644 ${PI_HOLE_LOCAL_REPO}/advanced/index.php ${PI_HOLE_404_DIR}/
-
-    printf "%b  %b %s\\n" "${OVER}" "${TICK}" "${str}"
-
-    local str="Backing up index.lighttpd.html"
-    printf "  %b %s..." "${INFO}" "${str}"
-    # If the default index file exists,
-    if [[ -f "${webroot}/index.lighttpd.html" ]]; then
-        # back it up
-        mv ${webroot}/index.lighttpd.html ${webroot}/index.lighttpd.orig
-        printf "%b  %b %s\\n" "${OVER}" "${TICK}" "${str}"
-    else
-        # Otherwise, don't do anything
-        printf "%b  %b %s\\n" "${OVER}" "${INFO}" "${str}"
-        printf "      No default index.lighttpd.html file found... not backing up\\n"
-    fi
-
     # Install Sudoers file
     local str="Installing sudoer file"
     printf "\\n  %b %s..." "${INFO}" "${str}"
@@ -1760,20 +1794,35 @@ create_pihole_user() {
     else
         # If the pihole user doesn't exist,
         printf "%b  %b %s" "${OVER}" "${CROSS}" "${str}"
-        local str="Creating user 'pihole'"
-        printf "%b  %b %s..." "${OVER}" "${INFO}" "${str}"
-        # create her with the useradd command,
+        local str="Checking for group 'pihole'"
+        printf "  %b %s..." "${INFO}" "${str}"
         if getent group pihole > /dev/null 2>&1; then
-            # then add her to the pihole group (as it already exists)
+            # group pihole exists
+            printf "%b  %b %s\\n" "${OVER}" "${TICK}" "${str}"
+            # then create and add her to the pihole group
+            local str="Creating user 'pihole'"
+            printf "%b  %b %s..." "${OVER}" "${INFO}" "${str}"
             if useradd -r --no-user-group -g pihole -s /usr/sbin/nologin pihole; then
                 printf "%b  %b %s\\n" "${OVER}" "${TICK}" "${str}"
             else
                 printf "%b  %b %s\\n" "${OVER}" "${CROSS}" "${str}"
             fi
         else
-            # add user pihole with default group settings
-            if useradd -r -s /usr/sbin/nologin pihole; then
+            # group pihole does not exist
+            printf "%b  %b %s\\n" "${OVER}" "${CROSS}" "${str}"
+            local str="Creating group 'pihole'"
+            # if group can be created
+            if groupadd pihole; then
                 printf "%b  %b %s\\n" "${OVER}" "${TICK}" "${str}"
+                # create and add pihole user to the pihole group
+                local str="Creating user 'pihole'"
+                printf "%b  %b %s..." "${OVER}" "${INFO}" "${str}"
+                if useradd -r --no-user-group -g pihole -s /usr/sbin/nologin pihole; then
+                    printf "%b  %b %s\\n" "${OVER}" "${TICK}" "${str}"
+                else
+                    printf "%b  %b %s\\n" "${OVER}" "${CROSS}" "${str}"
+                fi
+
             else
                 printf "%b  %b %s\\n" "${OVER}" "${CROSS}" "${str}"
             fi
@@ -1872,15 +1921,6 @@ installPihole() {
             # Give lighttpd access to the pihole group so the web interface can
             # manage the gravity.db database
             usermod -a -G pihole ${LIGHTTPD_USER}
-            # If the lighttpd command is executable,
-            if is_command lighty-enable-mod ; then
-                # enable fastcgi and fastcgi-php
-                lighty-enable-mod fastcgi fastcgi-php > /dev/null || true
-            else
-                # Otherwise, show info about installing them
-                printf "  %b Warning: 'lighty-enable-mod' utility not found\\n" "${INFO}"
-                printf "      Please ensure fastcgi is enabled if you experience issues\\n"
-            fi
         fi
     fi
     # Install base files and web interface
@@ -2572,7 +2612,8 @@ main() {
 
         # Get the privacy level if it exists (default is 0)
         if [[ -f "${FTL_CONFIG_FILE}" ]]; then
-            PRIVACY_LEVEL=$(sed -ne 's/PRIVACYLEVEL=\(.*\)/\1/p' "${FTL_CONFIG_FILE}")
+            # get the value from $FTL_CONFIG_FILE (and ignoring all commented lines)
+            PRIVACY_LEVEL=$(sed -e '/^[[:blank:]]*#/d' "${FTL_CONFIG_FILE}" | grep "PRIVACYLEVEL" | awk -F "=" 'NR==1{printf$2}')
 
             # If no setting was found, default to 0
             PRIVACY_LEVEL="${PRIVACY_LEVEL:-0}"

automated install/uninstall.sh

@@ -131,6 +131,7 @@ removeNoPurge() {
     fi
 
     if package_check lighttpd > /dev/null; then
+        # Attempt to preserve backwards compatibility with older versions
         if [[ -f /etc/lighttpd/lighttpd.conf.orig ]]; then
             ${SUDO} mv /etc/lighttpd/lighttpd.conf.orig /etc/lighttpd/lighttpd.conf
         fi
@@ -139,6 +140,29 @@ removeNoPurge() {
             ${SUDO} rm /etc/lighttpd/external.conf
         fi
 
+        # Fedora-based
+        if [[ -f /etc/lighttpd/conf.d/pihole-admin.conf ]]; then
+            ${SUDO} rm /etc/lighttpd/conf.d/pihole-admin.conf
+            conf=/etc/lighttpd/lighttpd.conf
+            tconf=/tmp/lighttpd.conf.$$
+            if awk '!/^include "\/etc\/lighttpd\/conf\.d\/pihole-admin\.conf"$/{print}' \
+              $conf > $tconf && mv $tconf $conf; then
+                :
+            else
+                rm $tconf
+            fi
+            ${SUDO} chown root:root $conf
+            ${SUDO} chmod 644 $conf
+        fi
+
+        # Debian-based
+        if [[ -f /etc/lighttpd/conf-available/pihole-admin.conf ]]; then
+            if is_command lighty-disable-mod ; then
+                ${SUDO} lighty-disable-mod pihole-admin > /dev/null || true
+            fi
+            ${SUDO} rm /etc/lighttpd/conf-available/15-pihole-admin.conf
+        fi
+
         echo -e "  ${TICK} Removed lighttpd configs"
     fi
 
@@ -169,6 +193,18 @@ removeNoPurge() {
         else
             service pihole-FTL stop
         fi
+        ${SUDO} rm -f /etc/systemd/system/pihole-FTL.service
+        if [[ -d '/etc/systemd/system/pihole-FTL.service.d' ]]; then
+            read -rp "  ${QST} FTL service override directory /etc/systemd/system/pihole-FTL.service.d detected. Do you wish to remove this from your system? [y/N] " answer
+            case $answer in
+                [yY]*)
+                    echo -ne "  ${INFO} Removing /etc/systemd/system/pihole-FTL.service.d..."
+                    ${SUDO} rm -R /etc/systemd/system/pihole-FTL.service.d
+                    echo -e "${OVER}  ${INFO} Removed /etc/systemd/system/pihole-FTL.service.d"
+                ;;
+                *) echo -e "  ${INFO} Leaving /etc/systemd/system/pihole-FTL.service.d in place.";;
+            esac
+        fi
         ${SUDO} rm -f /etc/init.d/pihole-FTL
         ${SUDO} rm -f /usr/bin/pihole-FTL
         echo -e "${OVER}  ${TICK} Removed pihole-FTL"

gravity.sh

@@ -52,6 +52,14 @@ else
   exit 1
 fi
 
+# Set up tmp dir variable in case it's not configured
+: "${GRAVITY_TMPDIR:=/tmp}"
+
+if [ ! -d "${GRAVITY_TMPDIR}" ] || [ ! -w "${GRAVITY_TMPDIR}" ]; then
+  echo -e "  ${COL_LIGHT_RED}Gravity temporary directory does not exist or is not a writeable directory, falling back to /tmp. ${COL_NC}"
+  GRAVITY_TMPDIR="/tmp"
+fi
+
 # Source pihole-FTL from install script
 pihole_FTL="${piholeDir}/pihole-FTL.conf"
 if [[ -f "${pihole_FTL}" ]]; then
@@ -137,6 +145,18 @@ update_gravity_timestamp() {
   return 0
 }
 
+# Update timestamp when the gravity table was last updated successfully
+set_abp_info() {
+  pihole-FTL sqlite3 "${gravityDBfile}" "INSERT OR REPLACE INTO info (property,value) VALUES ('abp_domains',${abp_domains});"
+  status="$?"
+
+  if [[ "${status}" -ne 0 ]]; then
+    echo -e "\\n  ${CROSS} Unable to update ABP domain status in database ${gravityDBfile}\\n  ${output}"
+    return 1
+  fi
+  return 0
+}
+
 # Import domains from file and store them in the specified database table
 database_table_from_file() {
   # Define locals
@@ -145,7 +165,7 @@ database_table_from_file() {
   src="${2}"
   backup_path="${piholeDir}/migration_backup"
   backup_file="${backup_path}/$(basename "${2}")"
-  tmpFile="$(mktemp -p "/tmp" --suffix=".gravity")"
+  tmpFile="$(mktemp -p "${GRAVITY_TMPDIR}" --suffix=".gravity")"
 
   local timestamp
   timestamp="$(date --utc +'%s')"
@@ -244,7 +264,7 @@ database_adlist_number() {
     return;
   fi
 
-  output=$( { printf ".timeout 30000\\nUPDATE adlist SET number = %i, invalid_domains = %i WHERE id = %i;\\n" "${num_source_lines}" "${num_invalid}" "${1}" | pihole-FTL sqlite3 "${gravityDBfile}"; } 2>&1 )
+  output=$( { printf ".timeout 30000\\nUPDATE adlist SET number = %i, invalid_domains = %i WHERE id = %i;\\n" "${num_domains}" "${num_non_domains}" "${1}" | pihole-FTL sqlite3 "${gravityDBfile}"; } 2>&1 )
   status="$?"
 
   if [[ "${status}" -ne 0 ]]; then
@@ -418,7 +438,7 @@ gravity_DownloadBlocklists() {
     echo -e "${OVER}  ${TICK} ${str}"
   fi
 
-  target="$(mktemp -p "/tmp" --suffix=".gravity")"
+  target="$(mktemp -p "${GRAVITY_TMPDIR}" --suffix=".gravity")"
 
   # Use compression to reduce the amount of data that is transferred
   # between the Pi-hole and the ad list provider. Use this feature
@@ -519,45 +539,88 @@ gravity_DownloadBlocklists() {
   gravity_Blackbody=true
 }
 
-# num_target_lines does increase for every correctly added domain in pareseList()
-num_target_lines=0
-num_source_lines=0
-num_invalid=0
+
+# global variable to indicate if we found ABP style domains during the gravity run
+# is saved in gravtiy's info table to signal FTL if such domains are available
+abp_domains=0
 parseList() {
-  local adlistID="${1}" src="${2}" target="${3}" incorrect_lines
-  # This sed does the following things:
-  # 1. Remove all domains containing invalid characters. Valid are: a-z, A-Z, 0-9, dot (.), minus (-), underscore (_)
-  # 2. Append ,adlistID to every line
+  local adlistID="${1}" src="${2}" target="${3}" temp_file temp_file_base non_domains sample_non_domains valid_domain_pattern abp_domain_pattern
+
+  # Create a temporary file for the sed magic instead of using "${target}" directly
+  # this allows to split the sed commands to improve readability
+  # we use a file handle here and remove the temporary file immediately so the content will be deleted in any case
+  # when the script stops
+  temp_file_base="$(mktemp -p "/tmp" --suffix=".gravity")"
+  exec 3>"$temp_file_base"
+  rm "${temp_file_base}"
+  temp_file="/proc/$$/fd/3"
+
+  # define valid domain patterns
+  # no need to include uppercase letters, as we convert to lowercase in gravity_ParseFileIntoDomains() already
+  # adapted from https://stackoverflow.com/a/30007882
+  # supported ABP style: ||subdomain.domain.tlp^
+
+  valid_domain_pattern="([a-z0-9]([a-z0-9_-]{0,61}[a-z0-9]){0,1}\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]"
+  abp_domain_pattern="\|\|${valid_domain_pattern}\^"
+
+
+  # 1. Add all valid domains
+    sed -r "/^${valid_domain_pattern}$/!d" "${src}" > "${temp_file}"
+
+  # 2. Add valid ABP style domains if there is at least one such domain
+  if  grep -E "^${abp_domain_pattern}$" -m 1 -q "${src}"; then
+    echo "  ${INFO} List contained AdBlock Plus style domains"
+    abp_domains=1
+    sed -r "/^${abp_domain_pattern}$/!d" "${src}" >> "${temp_file}"
+  fi
+
+
+  # Find lines containing no domains or with invalid characters (not matching regex above)
+  # This is simply everything that is not in $temp_file compared to $src
+  # Remove duplicates from the list
+  mapfile -t non_domains < <(grep -Fvf "${temp_file}" "${src}" | sort -u )
+
   # 3. Remove trailing period (see https://github.com/pi-hole/pi-hole/issues/4701)
-  # 4. Ensures there is a newline on the last line
-  sed -e "/[^a-zA-Z0-9.\_-]/d;s/\.$//;s/$/,${adlistID}/;/.$/a\\" "${src}" >> "${target}"
-  # Find (up to) five domains containing invalid characters (see above)
-  incorrect_lines="$(sed -e "/[^a-zA-Z0-9.\_-]/!d" "${src}" | head -n 5)"
+  # 4. Append ,adlistID to every line
+  # 5. Ensures there is a newline on the last line
+  # and write everything to the target file
+  sed "s/\.$//;s/$/,${adlistID}/;/.$/a\\" "${temp_file}" >> "${target}"
 
-  local num_target_lines_new num_correct_lines
-  # Get number of lines in source file
-  num_source_lines="$(grep -c "^" "${src}")"
-  # Get the new number of lines in destination file
-  num_target_lines_new="$(grep -c "^" "${target}")"
-  # Number of new correctly added lines
-  num_correct_lines="$(( num_target_lines_new-num_target_lines ))"
-  # Update number of lines in target file
-  num_target_lines="$num_target_lines_new"
-  num_invalid="$(( num_source_lines-num_correct_lines ))"
-  if [[ "${num_invalid}" -eq 0 ]]; then
-    echo "  ${INFO} Analyzed ${num_source_lines} domains"
+  # A list of items of common local hostnames not to report as unusable
+  # Some lists (i.e StevenBlack's) contain these as they are supposed to be used as HOST files
+  # but flagging them as unusable causes more confusion than it's worth - so we suppress them from the output
+  false_positives="localhost|localhost.localdomain|local|broadcasthost|localhost|ip6-localhost|ip6-loopback|lo0 localhost|ip6-localnet|ip6-mcastprefix|ip6-allnodes|ip6-allrouters|ip6-allhosts"
+
+  # if there are any non-domains, filter the array for false-positives
+  # Credit: https://stackoverflow.com/a/40264051
+  if [[ "${#non_domains[@]}" -gt 0 ]]; then
+    mapfile -d $'\0' -t non_domains < <(printf '%s\0' "${non_domains[@]}" | grep -Ezv "^${false_positives}")
+  fi
+
+  # Get a sample of non-domain entries, limited to 5 (the list should already have been de-duplicated)
+  IFS=" " read -r -a sample_non_domains <<< "$(tr ' ' '\n' <<< "${non_domains[@]}" | head -n 5 | tr '\n' ' ')"
+
+  # Get the number of domains added
+  num_domains="$(grep -c "^" "${temp_file}")"
+  # Get the number of non_domains (this is the number of entries left after stripping the source of comments/duplicates/false positives/domains)
+  num_non_domains="${#non_domains[@]}"
+
+  # If there are unusable lines, we display some information about them. This is not error or major cause for concern.
+  if [[ "${num_non_domains}" -ne 0 ]]; then
+    echo "  ${INFO} Imported ${num_domains} domains, ignoring ${num_non_domains} non-domain entries"
+    echo "      Sample of non-domain entries:"
+    for each in "${sample_non_domains[@]}"
+    do
+        echo "        - ${each}"
+    done
   else
-    echo "  ${INFO} Analyzed ${num_source_lines} domains, ${num_invalid} domains invalid!"
+    echo "  ${INFO} Imported ${num_domains} domains"
   fi
 
-  # Display sample of invalid lines if we found some
-  if [[ -n "${incorrect_lines}" ]]; then
-    echo "      Sample of invalid domains:"
-    while IFS= read -r line; do
-      echo "      - ${line}"
-    done <<< "${incorrect_lines}"
-  fi
+  # close file handle
+  exec 3<&-
 }
+
 compareLists() {
   local adlistID="${1}" target="${2}"
 
@@ -588,7 +651,7 @@ gravity_DownloadBlocklistFromUrl() {
   local heisenbergCompensator="" patternBuffer str httpCode success="" ip
 
   # Create temp file to store content on disk instead of RAM
-  patternBuffer=$(mktemp -p "/tmp" --suffix=".phgpb")
+  patternBuffer=$(mktemp -p "${GRAVITY_TMPDIR}" --suffix=".phgpb")
 
   # Determine if $saveLocation has read permission
   if [[ -r "${saveLocation}" && $url != "file"* ]]; then
@@ -710,8 +773,8 @@ gravity_DownloadBlocklistFromUrl() {
     else
       echo -e "  ${CROSS} List download failed: ${COL_LIGHT_RED}no cached list available${COL_NC}"
       # Manually reset these two numbers because we do not call parseList here
-      num_source_lines=0
-      num_invalid=0
+      num_domains=0
+      num_non_domains=0
       database_adlist_number "${adlistID}"
       database_adlist_status "${adlistID}" "4"
     fi
@@ -726,18 +789,30 @@ gravity_ParseFileIntoDomains() {
   # Most of the lists downloaded are already in hosts file format but the spacing/formatting is not contiguous
   # This helps with that and makes it easier to read
   # It also helps with debugging so each stage of the script can be researched more in depth
-  # 1) Remove carriage returns
-  # 2) Convert all characters to lowercase
-  # 3) Remove comments (text starting with "#", include possible spaces before the hash sign)
+  # 1) Convert all characters to lowercase
+  tr '[:upper:]' '[:lower:]' < "${src}" > "${destination}"
+
+  # 2) Remove carriage returns
+  sed -i 's/\r$//' "${destination}"
+
+  # 3a) Remove comments (text starting with "#", include possible spaces before the hash sign)
+  sed -i 's/\s*#.*//g' "${destination}"
+
+  # 3b) Remove lines starting with ! (ABP Comments)
+  sed -i 's/\s*!.*//g' "${destination}"
+
+  # 3c) Remove lines starting with [ (ABP Header)
+  sed -i 's/\s*\[.*//g' "${destination}"
+
   # 4) Remove lines containing "/"
-  # 5) Remove leading tabs, spaces, etc.
-  # 6) Delete lines not matching domain names
-  < "${src}" tr -d '\r' | \
-  tr '[:upper:]' '[:lower:]' | \
-  sed 's/\s*#.*//g' | \
-  sed -r '/(\/).*$/d' | \
-  sed -r 's/^.*\s+//g' | \
-  sed -r '/([^\.]+\.)+[^\.]{2,}/!d' >  "${destination}"
+  sed -i -r '/(\/).*$/d' "${destination}"
+
+  # 5) Remove leading tabs, spaces, etc. (Also removes leading IP addresses)
+  sed -i -r 's/^.*\s+//g' "${destination}"
+
+  # 6) Remove empty lines
+  sed -i '/^$/d' "${destination}"
+
   chmod 644 "${destination}"
 }
 
@@ -793,7 +868,7 @@ gravity_Cleanup() {
   # Delete tmp content generated by Gravity
   rm ${piholeDir}/pihole.*.txt 2> /dev/null
   rm ${piholeDir}/*.tmp 2> /dev/null
-  rm /tmp/*.phgpb 2> /dev/null
+  rm "${GRAVITY_TMPDIR}"/*.phgpb 2> /dev/null
 
   # Ensure this function only runs when gravity_SetDownloadOptions() has completed
   if [[ "${gravity_Blackbody:-}" == true ]]; then
@@ -970,6 +1045,9 @@ fi
 # Update gravity timestamp
 update_gravity_timestamp
 
+# Set abp_domain info field
+set_abp_info
+
 # Ensure proper permissions are set for the database
 chown pihole:pihole "${gravityDBfile}"
 chmod g+w "${piholeDir}" "${gravityDBfile}"

manpages/pihole.8

@@ -23,7 +23,7 @@ Pi-hole : A black-hole for internet advertisements
 .br
 pihole -r
 .br
-pihole -t
+\fBpihole\fR \fB-t\fR [arg]
 .br
 pihole -g\fR
 .br
@@ -113,11 +113,15 @@ Available commands and options:
     Reconfigure or Repair Pi-hole subsystems
 .br
 
-\fB-t, tail\fR
+\fB-t, tail\fR [arg]
 .br
     View the live output of the Pi-hole log
 .br
 
+      [arg]             Optional argument to filter the log for
+                        (regular expressions are supported)
+.br
+
 \fB-a, admin\fR [options]
 .br
 

pihole

@@ -23,6 +23,14 @@ source "${colfile}"
 utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
 source "${utilsfile}"
 
+versionsfile="/etc/pihole/versions"
+if [ -f "${versionsfile}" ]; then
+    # Only source versionsfile if the file exits
+    # fixes a warning during installation where versionsfile does not exist yet
+    # but gravity calls `pihole -status` and thereby sourcing the file
+    source "${versionsfile}"
+fi
+
 webpageFunc() {
   source "${PI_HOLE_SCRIPT_DIR}/webpage.sh"
   main "$@"
@@ -63,14 +71,22 @@ arpFunc() {
 }
 
 updatePiholeFunc() {
-  shift
-  "${PI_HOLE_SCRIPT_DIR}"/update.sh "$@"
-  exit 0
+  if [ -n "${DOCKER_VERSION}" ]; then
+    unsupportedFunc
+  else
+    shift
+    "${PI_HOLE_SCRIPT_DIR}"/update.sh "$@"
+    exit 0
+  fi
 }
 
 reconfigurePiholeFunc() {
-  /etc/.pihole/automated\ install/basic-install.sh --reconfigure
-  exit 0;
+  if [ -n "${DOCKER_VERSION}" ]; then
+    unsupportedFunc
+  else
+    /etc/.pihole/automated\ install/basic-install.sh --reconfigure
+    exit 0;
+  fi
 }
 
 updateGravityFunc() {
@@ -91,8 +107,12 @@ chronometerFunc() {
 
 
 uninstallFunc() {
-  "${PI_HOLE_SCRIPT_DIR}"/uninstall.sh
-  exit 0
+  if [ -n "${DOCKER_VERSION}" ]; then
+    unsupportedFunc
+  else
+    "${PI_HOLE_SCRIPT_DIR}"/uninstall.sh
+    exit 0
+  fi
 }
 
 versionFunc() {
@@ -429,6 +449,11 @@ updateCheckFunc() {
   exit 0
 }
 
+unsupportedFunc(){
+  echo "Function not supported in Docker images"
+  exit 0
+}
+
 helpFunc() {
   echo "Usage: pihole [options]
 Example: 'pihole -w -h'

test/_fedora_37.Dockerfile

@@ -1,4 +1,4 @@
-FROM fedora:35
+FROM fedora:37
 RUN dnf install -y git initscripts
 
 ENV GITDIR /etc/.pihole

test/requirements.txt

@@ -1,5 +1,6 @@
-docker-compose
-pytest
-pytest-xdist
-pytest-testinfra
-tox
+docker-compose == 1.29.2
+pytest == 7.2.2
+pytest-xdist == 3.2.1
+pytest-testinfra == 7.0.0
+tox == 4.4.7
+

test/test_any_automated_install.py

@@ -129,34 +129,16 @@ def test_installPiholeWeb_fresh_install_no_errors(host):
     installPiholeWeb
     """
     )
-    expected_stdout = info_box + " Installing 404 page..."
-    assert expected_stdout in installWeb.stdout
-    expected_stdout = tick_box + (
-        " Creating directory for 404 page, " "and copying files"
-    )
-    assert expected_stdout in installWeb.stdout
-    expected_stdout = info_box + " Backing up index.lighttpd.html"
-    assert expected_stdout in installWeb.stdout
-    expected_stdout = "No default index.lighttpd.html file found... " "not backing up"
-    assert expected_stdout in installWeb.stdout
     expected_stdout = tick_box + " Installing sudoer file"
     assert expected_stdout in installWeb.stdout
-    web_directory = host.run("ls -r /var/www/html/pihole").stdout
-    assert "index.php" in web_directory
 
 
 def get_directories_recursive(host, directory):
     if directory is None:
         return directory
-    ls = host.run("ls -d {}".format(directory + "/*/"))
-    directories = list(filter(bool, ls.stdout.splitlines()))
-    dirs = directories
-    for dirval in directories:
-        dir_rec = get_directories_recursive(host, dirval)
-        if isinstance(dir_rec, str):
-            dirs.extend([dir_rec])
-        else:
-            dirs.extend(dir_rec)
+    # returns all non-hidden subdirs of 'directory'
+    dirs_raw = host.run("find {} -type d -not -path '*/.*'".format(directory))
+    dirs = list(filter(bool, dirs_raw.stdout.splitlines()))
     return dirs
 
 
@@ -211,6 +193,8 @@ def test_installPihole_fresh_install_readableFiles(host):
     maninstalled = True
     if (info_box + " man not installed") in install.stdout:
         maninstalled = False
+    if (info_box + " man pages not installed") in install.stdout:
+        maninstalled = False
     piholeuser = "pihole"
     exit_status_success = 0
     test_cmd = 'su --shell /bin/bash --command "test -{0} {1}" -p {2}'
@@ -287,6 +271,24 @@ def test_installPihole_fresh_install_readableFiles(host):
     check_lighttpd = test_cmd.format("r", "/etc/lighttpd/lighttpd.conf", piholeuser)
     actual_rc = host.run(check_lighttpd).rc
     assert exit_status_success == actual_rc
+    # check readable /etc/lighttpd/conf*/pihole-admin.conf
+    check_lighttpd = test_cmd.format("r", "/etc/lighttpd/conf.d", piholeuser)
+    if host.run(check_lighttpd).rc == exit_status_success:
+        check_lighttpd = test_cmd.format(
+            "r", "/etc/lighttpd/conf.d/pihole-admin.conf", piholeuser
+        )
+        actual_rc = host.run(check_lighttpd).rc
+        assert exit_status_success == actual_rc
+    else:
+        check_lighttpd = test_cmd.format(
+            "r", "/etc/lighttpd/conf-available", piholeuser
+        )
+        if host.run(check_lighttpd).rc == exit_status_success:
+            check_lighttpd = test_cmd.format(
+                "r", "/etc/lighttpd/conf-available/15-pihole-admin.conf", piholeuser
+            )
+            actual_rc = host.run(check_lighttpd).rc
+            assert exit_status_success == actual_rc
     # check readable and executable manpages
     if maninstalled is True:
         check_man = test_cmd.format("x", "/usr/local/share/man", piholeuser)
@@ -396,7 +398,7 @@ def test_installPihole_fresh_install_readableBlockpage(host, test_webpage):
             usergroup="${{LIGHTTPD_USER}}:${{LIGHTTPD_GROUP}}",
             chmodarg="{{}}",
             config="/etc/lighttpd/lighttpd.conf",
-            run="/var/run/lighttpd",
+            run="/run/lighttpd",
             cache="/var/cache/lighttpd",
             uploads="/var/cache/lighttpd/uploads",
             compress="/var/cache/lighttpd/compress",
@@ -512,7 +514,7 @@ def test_installPihole_fresh_install_readableBlockpage(host, test_webpage):
     check_admin = test_cmd.format("x", webroot + "/admin", webuser)
     actual_rc = host.run(check_admin).rc
     assert exit_status_success == actual_rc
-    directories = get_directories_recursive(host, webroot + "/admin/*/")
+    directories = get_directories_recursive(host, webroot + "/admin/")
     for directory in directories:
         check_pihole = test_cmd.format("r", directory, webuser)
         actual_rc = host.run(check_pihole).rc
@@ -536,16 +538,6 @@ def test_installPihole_fresh_install_readableBlockpage(host, test_webpage):
         return bool(m)
 
     if installWebInterface is True:
-        check_pihole = test_cmd.format("r", webroot + "/pihole", webuser)
-        actual_rc = host.run(check_pihole).rc
-        assert exit_status_success == actual_rc
-        check_pihole = test_cmd.format("x", webroot + "/pihole", webuser)
-        actual_rc = host.run(check_pihole).rc
-        assert exit_status_success == actual_rc
-        # check most important files in $webroot for read permission
-        check_index = test_cmd.format("r", webroot + "/pihole/index.php", webuser)
-        actual_rc = host.run(check_index).rc
-        assert exit_status_success == actual_rc
         if test_webpage is True:
             # check webpage for unreadable files
             noPHPfopen = re.compile(

test/test_any_utils.py

@@ -40,6 +40,26 @@ def test_key_addition_works(host):
     assert expected_stdout == output.stdout
 
 
+def test_key_addition_substr(host):
+    """Confirms addKey adds substring keys (no value) to a file"""
+    host.run(
+        """
+    source /opt/pihole/utils.sh
+    addKey "./testoutput" "KEY_ONE"
+    addKey "./testoutput" "KEY_O"
+    addKey "./testoutput" "KEY_TWO"
+    addKey "./testoutput" "Y_TWO"
+    """
+    )
+    output = host.run(
+        """
+    cat ./testoutput
+    """
+    )
+    expected_stdout = "KEY_ONE\nKEY_O\nKEY_TWO\nY_TWO\n"
+    assert expected_stdout == output.stdout
+
+
 def test_key_removal_works(host):
     """Confirms removeKey removes a key or key/value pair"""
     host.run(

test/tox.centos_8.ini

@@ -1,8 +1,8 @@
 [tox]
 envlist = py3
 
-[testenv]
+[testenv:py3]
 allowlist_externals = docker
 deps = -rrequirements.txt
-commands = docker build -f _centos_8.Dockerfile -t pytest_pihole:test_container ../
-           pytest {posargs:-vv -n auto} ./test_any_automated_install.py ./test_any_utils.py ./test_centos_fedora_common_support.py ./test_centos_common_support.py
+commands =  docker buildx build --load --progress plain -f _centos_8.Dockerfile -t pytest_pihole:test_container ../
+            pytest {posargs:-vv -n auto} ./test_any_automated_install.py ./test_any_utils.py ./test_centos_fedora_common_support.py ./test_centos_common_support.py

test/tox.centos_9.ini

@@ -1,8 +1,8 @@
 [tox]
 envlist = py3
 
-[testenv]
+[testenv:py3]
 allowlist_externals = docker
 deps = -rrequirements.txt
-commands = docker build -f _centos_9.Dockerfile -t pytest_pihole:test_container ../
+commands = docker buildx build --load --progress plain -f _centos_9.Dockerfile -t pytest_pihole:test_container ../
            pytest {posargs:-vv -n auto} ./test_any_automated_install.py ./test_any_utils.py ./test_centos_fedora_common_support.py ./test_centos_common_support.py

test/tox.debian_10.ini

@@ -1,8 +1,8 @@
 [tox]
 envlist = py3
 
-[testenv]
+[testenv:py3]
 allowlist_externals = docker
 deps = -rrequirements.txt
-commands = docker build -f _debian_10.Dockerfile -t pytest_pihole:test_container ../
+commands = docker buildx build --load --progress plain -f _debian_10.Dockerfile -t pytest_pihole:test_container ../
            pytest {posargs:-vv -n auto} ./test_any_automated_install.py ./test_any_utils.py

test/tox.debian_11.ini

@@ -1,8 +1,8 @@
 [tox]
 envlist = py3
 
-[testenv]
+[testenv:py3]
 allowlist_externals = docker
 deps = -rrequirements.txt
-commands = docker build -f _debian_11.Dockerfile -t pytest_pihole:test_container ../
+commands = docker buildx build --load --progress plain -f _debian_11.Dockerfile -t pytest_pihole:test_container ../
            pytest {posargs:-vv -n auto} ./test_any_automated_install.py ./test_any_utils.py

test/tox.fedora_36.ini

@@ -1,8 +1,8 @@
 [tox]
 envlist = py3
 
-[testenv]
+[testenv:py3]
 allowlist_externals = docker
 deps = -rrequirements.txt
-commands = docker build -f _fedora_36.Dockerfile -t pytest_pihole:test_container ../
+commands = docker buildx build --load --progress plain -f _fedora_36.Dockerfile -t pytest_pihole:test_container ../
            pytest {posargs:-vv -n auto} ./test_any_automated_install.py ./test_any_utils.py ./test_centos_fedora_common_support.py ./test_fedora_support.py

test/tox.fedora_37.ini

@@ -4,5 +4,5 @@ envlist = py3
 [testenv]
 allowlist_externals = docker
 deps = -rrequirements.txt
-commands = docker build -f _fedora_35.Dockerfile -t pytest_pihole:test_container ../
+commands = docker buildx build --load --progress plain -f _fedora_37.Dockerfile -t pytest_pihole:test_container ../
            pytest {posargs:-vv -n auto} ./test_any_automated_install.py ./test_any_utils.py ./test_centos_fedora_common_support.py ./test_fedora_support.py

test/tox.ubuntu_20.ini

@@ -1,8 +1,8 @@
 [tox]
 envlist = py3
 
-[testenv]
+[testenv:py3]
 allowlist_externals = docker
 deps = -rrequirements.txt
-commands = docker build -f _ubuntu_20.Dockerfile -t pytest_pihole:test_container ../
+commands = docker buildx build --load --progress plain -f _ubuntu_20.Dockerfile -t pytest_pihole:test_container ../
            pytest {posargs:-vv -n auto} ./test_any_automated_install.py ./test_any_utils.py

test/tox.ubuntu_22.ini

@@ -1,8 +1,8 @@
 [tox]
 envlist = py3
 
-[testenv]
+[testenv:py3]
 allowlist_externals = docker
 deps = -rrequirements.txt
-commands = docker build -f _ubuntu_22.Dockerfile -t pytest_pihole:test_container ../
+commands = docker buildx build --load --progress plain -f _ubuntu_22.Dockerfile -t pytest_pihole:test_container ../
            pytest {posargs:-vv -n auto} ./test_any_automated_install.py ./test_any_utils.py