[PATCH] ovpnmain.cgi: Fix for bug#11048 - insecure download icon for connections with a password

[Adolf Belka <adolf.belka@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3484 bytes --]

- The insecure package download icon is shown if entry 41 in /var/ipfire/ovpn/ovpnconfig
   is set to no-pass. The code block on ovpnmain.cgi that deals with this checks if the
   connection is a host and if the first password entry is a null. Then it adds no-pass
   to ovpnconfig.
- The same block of code is also used for when he connection is edited. However at this
   stage the password entry is back to null because the password value is only kept until
   the connection has been saved. Therefore doing an edit results in the password value
   being taken as null even for connections with a password.
- This fix checks the password value only if entry 41 in the ovpnconfig file is a null.
   If it is a null then it enters no-pass if the password is a null and it enters pass
   if the password contains characters. This way the entry 41 always contains either pass
   or no-pass, except when the connection is being first added and saved.
- When adding this fix into a Core Update the update.sh script will need to check if
   ovpnconfig exists and then add pass to all lines that have a null at entry 41. This will
   only fix those connections that have not already been edited. Any connections already
   edited will have no-pass at entry 41 of ovpnconfig and will therefore show the insecure
   package download icon.
-  The only way I can think of dealing with entries that already have no-pass added is to
   go through all .p12 files in the certs directory and if there is a connection entry
   with that name then to change the no-pass to a pass. However that will only work if the
   connection name has been set the same as the certificate name, which is not a
   requirement.
- So I think we can only fix those coneections that have never been edited. Any connections
   with passwords that have already been edited and containg no-pass in ovpnconfig and
   showing the insecure package download icon will have to be manually dealt with by users.
- I think that should still be okay because they currently have two icons when they
   shouldn't and that will continue to be the case if they don't carry out a manual edit
   of ovpnconfig.
- Maybe someone can think of an alternative way of identifying all connections using a
   password so that they can have entry 41 changed to pass. I haven't been able to do that
   so far
- Looking forward to feedback

Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 42a7354fc..2586a1796 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -4326,9 +4326,13 @@ if ($cgiparams{'TYPE'} eq 'net') {
 	$confighash{$key}[39]		= $cgiparams{'DAUTH'};
 	$confighash{$key}[40]		= $cgiparams{'DCIPHER'};
 
-	if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
-		$confighash{$key}[41] = "no-pass";
-	}
+  if ($confighash{$key}[41] eq "") {
+    if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
+      $confighash{$key}[41] = "no-pass";
+    } elsif (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} ne "")) {
+      $confighash{$key}[41] = "pass";
+    }
+  }
 
    $confighash{$key}[42] = 'HOTP/T30/6';
 	$confighash{$key}[43] = $cgiparams{'OTP_STATE'};
-- 
2.39.1