From f538c080653112fd7071ac5e16683f7c91480bd1 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 6 Apr 2021 11:22:08 +0200
Subject: [PATCH] unbound / blacklists: cleanse domain input. change regex in https://github.com/opnsense/core/issues/4898 per suggestion @kulikov-a
---
 src/opnsense/scripts/unbound/download_blacklists.py | 2 +-
 .../service/templates/OPNsense/Unbound/core/blacklists.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/opnsense/scripts/unbound/download_blacklists.py b/src/opnsense/scripts/unbound/download_blacklists.py
index 929c0da1f..9b2549449 100755
--- a/src/opnsense/scripts/unbound/download_blacklists.py
+++ b/src/opnsense/scripts/unbound/download_blacklists.py
@@ -82,7 +82,7 @@ if __name__ == '__main__':
 sys.exit(99)
 domain_pattern = re.compile(
- r'(([\da-zA-Z])([_\w-]{,62})\.){,127}(([\da-zA-Z])[_\w-]{,61})'
+ r'(([\da-zA-Z_])([_\w-]{,62})\.){,127}(([\da-zA-Z])[_\w-]{,61})'
 r'?([\da-zA-Z]\.((xn\-\-[a-zA-Z\d]+)|([a-zA-Z\d]{2,})))'
 )
diff --git a/src/opnsense/service/templates/OPNsense/Unbound/core/blacklists.conf b/src/opnsense/service/templates/OPNsense/Unbound/core/blacklists.conf
index 19a258e04..b065d939d 100644
--- a/src/opnsense/service/templates/OPNsense/Unbound/core/blacklists.conf
+++ b/src/opnsense/service/templates/OPNsense/Unbound/core/blacklists.conf
@@ -55,7 +55,7 @@ custom_{{loop.index}}={{uri}}
 # exclude localhost entries
 default_pattern_1=.*localhost$
 # exclude non domain entries
-default_pattern_2=^(?![a-zA-Z\d]).*
+default_pattern_2=^(?![a-zA-Z_\d]).*
 {% if not helpers.empty('OPNsense.unboundplus.dnsbl.whitelists')%}
 # user defined
 {% for pattern in OPNsense.unboundplus.dnsbl.whitelists.split(',') %}
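Review bot: The classes in `domain_pattern` still use `\w` and `\d`, which on Python 3 `str` input match any Unicode word character or digit unless `re.ASCII` is set, so the pattern accepts more than the ASCII hostname alphabet that a "cleanse domain input" change implies. If only ASCII and punycode names are meant to reach the generated Unbound data, pass the flag by ending the call with `, re.ASCII` after the second pattern string; that would drop raw non-ASCII list entries, so confirm this is wanted. The pattern has no `^`/`$` anchors and the call that applies it sits outside the hunk (the `if __name__ == '__main__':` block starts before and continues after it), so it is worth checking that the caller uses `fullmatch` or only the matched text, not the whole input line. The `\d` point applies equally to `default_pattern_2` in blacklists.conf.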
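Review bot: The comment above `default_pattern_2` no longer describes what the pattern lets through, since entries beginning with `_` are now kept and the lookahead only tests the first character. Full validation is presumably left to `domain_pattern` in download_blacklists.py, so the two first-character classes have to change together, as they do in this commit. I would reword the comment to `# exclude entries that do not start with a letter, digit or underscore (keep in sync with domain_pattern in download_blacklists.py)`. The template section around this line continues outside the hunk.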