From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] ovpnmain.cgi: Fix for bug#11048 - insecure download icon for connections with a password
Date: Fri, 10 Feb 2023 19:13:43 +0100
Message-ID: <20230210181343.17763-1-adolf.belka@ipfire.org>

- The insecure package download icon is shown if entry 41 in /var/ipfire/ovpn/ovpnconfig is set to no-pass. The code block in ovpnmain.cgi that deals with this checks if the connection is a host and if the first password entry is a null. Then it adds no-pass to ovpnconfig.
- The same block of code is also used for when the connection is edited. However, at this stage the password entry is back to null because the password value is only kept until the connection has been saved. Therefore doing an edit results in the password value being taken as null even for connections with a password.
- This fix checks the password value only if entry 41 in the ovpnconfig file is a null. If it is a null then it enters no-pass if the password is a null and it enters pass if the password contains characters. This way the entry 41 always contains either pass or no-pass, except when the connection is being first added and saved.
- When adding this fix into a Core Update the update.sh script will need to check if ovpnconfig exists and then add pass to all lines that have a null at entry 41. This will only fix those connections that have not already been edited. Any connections already edited will have no-pass at entry 41 of ovpnconfig and will therefore show the insecure package download icon.
- The only way I can think of dealing with entries that already have no-pass added is to go through all .p12 files in the certs directory and if there is a connection entry with that name then to change the no-pass to a pass. However, that will only work if the connection name has been set the same as the certificate name, which is not a requirement.
- So I think we can only fix those connections that have never been edited. Any connections with passwords that have already been edited and contain no-pass in ovpnconfig and show the insecure package download icon will have to be manually dealt with by users.
- I think that should still be okay because they currently have two icons when they shouldn't and that will continue to be the case if they don't carry out a manual edit of ovpnconfig.
- Maybe someone can think of an alternative way of identifying all connections using a password so that they can have entry 41 changed to pass. I haven't been able to do that so far.
- Looking forward to feedback

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 html/cgi-bin/ovpnmain.cgi | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 42a7354fc..2586a1796 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -4326,9 +4326,13 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[39] =3D $cgiparams{'DAUTH'}; $confighash{$key}[40] =3D $cgiparams{'DCIPHER'}; =20 - if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) { - $confighash{$key}[41] =3D "no-pass"; - } + if ($confighash{$key}[41] eq "") { + if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) { + $confighash{$key}[41] =3D "no-pass"; + } elsif (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} ne = "")) { + $confighash{$key}[41] =3D "pass"; + } + } =20 $confighash{$key}[42] =3D 'HOTP/T30/6'; $confighash{$key}[43] =3D $cgiparams{'OTP_STATE'}; --=20 2.39.1 --===============5934993411133139411==--
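Review bot: the elsif in this hunk repeats the ($cgiparams{'TYPE'} eq 'host') test that the if directly above it just made, so the two inner branches reduce to a single host check, e.g. `if ($cgiparams{'TYPE'} eq 'host') { $confighash{$key}[41] = ($cgiparams{'CERT_PASS1'} eq "") ? "no-pass" : "pass"; }`, which also makes the no-pass/pass choice read as the one decision it is. The outer guard `if ($confighash{$key}[41] eq "") {` deserves a comment: it is what stops the edit path from re-reading the by then empty CERT_PASS1, but it equally means a host entry that the old code already stamped as no-pass is never corrected by this CGI, so the fix rests entirely on the update.sh migration the commit message describes. Minor: on a brand-new connection entry 41 does not exist yet, so that outer comparison runs against an undefined value; it evaluates true as intended, but will emit an uninitialized-value warning if the script runs under `use warnings`.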
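The ovpnconfig migration the commit message asks update.sh to perform, written out as an added example; it is not part of this patch and not IPFire's own update.sh. It assumes ovpnconfig holds one connection per line with comma-separated fields, that field 4 (index 3 in the CGI's zero-based array) is the connection TYPE and field 42 (index 41, the entry named in the commit message) is the pass/no-pass marker, and that field values contain no commas. It goes one step beyond the commit message by stamping only host connections, mirroring the `TYPE eq 'host'` test in the hunk so net-to-net entries stay empty. The `make_line` helper builds constructed sample lines for trying it out; they are not real IPFire data.

```shell
#!/bin/sh
# Added example: the ovpnconfig migration described in the commit message.
# Not taken from the patch or from IPFire's update.sh.
# ASSUMED layout: comma-separated fields, field 4 = TYPE (host/net),
# field 42 = pass / no-pass marker (index 41 in ovpnmain.cgi), and no
# commas inside field values. Path as named in the commit message.
OVPNCONFIG="${OVPNCONFIG:-/var/ipfire/ovpn/ovpnconfig}"

# migrate_ovpnconfig FILE
# Rewrites FILE in place: every "host" line whose field 42 is empty gets
# "pass". Lines already holding pass/no-pass (including the wrongly
# stamped no-pass the commit message warns about) and net lines are left
# untouched. A missing file is not an error: the commit message requires
# update.sh to check for the file first.
migrate_ovpnconfig() {
    f="$1"
    [ -f "$f" ] || return 0
    tmp="$f.migrate.$$"
    awk -F, 'BEGIN { OFS = "," }
        $4 == "host" && $42 == "" { $42 = "pass" }
        { print }' "$f" > "$tmp" && mv "$tmp" "$f"
}

# field42 FILE KEY
# Prints field 42 of the line whose first field (the connection key) is KEY.
field42() {
    awk -F, -v k="$2" '$1 == k { print $42 }' "$1"
}

# make_line KEY TYPE MARKER
# Builds a constructed sample line (not real data): fields 1-4 are
# KEY, on, connKEY, TYPE; fields 5-41 are filler; field 42 is MARKER;
# two trailing filler fields stand in for entries 42 and 43 of the CGI.
make_line() {
    line="$1,on,conn$1,$2"
    i=5
    while [ "$i" -le 41 ]; do
        line="$line,x"
        i=$((i + 1))
    done
    printf '%s,%s,x,x\n' "$line" "$3"
}

# demo: runs the migration on a temporary file built from constructed
# lines and prints the result; never touches the real ovpnconfig.
demo() {
    t=$(mktemp)
    {
        make_line 1 host ""        # never-edited host connection: gets pass
        make_line 2 host no-pass   # edited under the old code: left as is
        make_line 3 net ""         # net-to-net: stays empty
        make_line 4 host pass      # saved by the fixed CGI: unchanged
    } > "$t"
    migrate_ovpnconfig "$t"
    cat "$t"
    rm -f "$t"
}
```

Run `demo` to see the four constructed lines after migration; in update.sh the call would be `migrate_ovpnconfig "$OVPNCONFIG"`. Keys 2 and 3 show the two cases the commit message singles out: an already-edited host connection keeps its no-pass and still has to be fixed by hand, and a net connection keeps an empty entry 41 because the CGI never writes one for it.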