[PATCH] wlanap.cgi: Save IEEE80211W 'optional' value correctly

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

* [PATCH] wlanap.cgi: Save IEEE80211W 'optional' value correctly
@ 2025-10-17  9:42 ummeegge
  2025-10-22 10:17 ` Michael Tremer
  2025-10-22 15:34 ` [PATCH v2] " ummeegge
  0 siblings, 2 replies; 5+ messages in thread
From: ummeegge @ 2025-10-17  9:42 UTC (permalink / raw)
  To: development; +Cc: ummeegge

Original ternary ignored 'optional' and forced 'off'.
Use defined-or (//) to preserve all select values.

Signed-off-by: ummeegge <ummeegge@ipfire.org>
---
 html/cgi-bin/wlanap.cgi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi
index 600ddc489..afdba59b3 100644
--- a/html/cgi-bin/wlanap.cgi
+++ b/html/cgi-bin/wlanap.cgi
@@ -118,7 +118,7 @@ if ($cgiparams{'ACTION'} eq "$Lang::tr{'save'}") {
 	$wlanapsettings{'NOSCAN'} = ($cgiparams{'NOSCAN'} eq 'on') ? 'on' : 'off';
 	$wlanapsettings{'ENC'} = $cgiparams{'ENC'};
 	$wlanapsettings{'PWD'} = $cgiparams{'PWD'};
-	$wlanapsettings{'IEEE80211W'} = ($cgiparams{'IEEE80211W'} eq 'on') ? 'on' : 'off';
+	$wlanapsettings{'IEEE80211W'} = $cgiparams{'IEEE80211W'} // 'off';
 	$wlanapsettings{'TX_POWER'} = $cgiparams{'TX_POWER'};
 
 	if ($errormessage eq '') {
-- 
2.47.2



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] wlanap.cgi: Save IEEE80211W 'optional' value correctly
  2025-10-17  9:42 [PATCH] wlanap.cgi: Save IEEE80211W 'optional' value correctly ummeegge
@ 2025-10-22 10:17 ` Michael Tremer
  2025-10-22 18:02   ` ummeegge
  2025-10-22 15:34 ` [PATCH v2] " ummeegge
  1 sibling, 1 reply; 5+ messages in thread
From: Michael Tremer @ 2025-10-22 10:17 UTC (permalink / raw)
  To: ummeegge; +Cc: development

Hello Erik,

Thank you for your patch.

I cannot quite merge this because the patch changes behaviour so that the browser could write arbitrary values into the configuration file without further sanitisation. To fix this, we must check if $cgiparams{'IEEE80211W’} contains one of three possible values.

Would you like to update this patch accordingly?

-Michael

> On 17 Oct 2025, at 10:42, ummeegge <ummeegge@ipfire.org> wrote:
> 
> Original ternary ignored 'optional' and forced 'off'.
> Use defined-or (//) to preserve all select values.
> 
> Signed-off-by: ummeegge <ummeegge@ipfire.org>
> ---
> html/cgi-bin/wlanap.cgi | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi
> index 600ddc489..afdba59b3 100644
> --- a/html/cgi-bin/wlanap.cgi
> +++ b/html/cgi-bin/wlanap.cgi
> @@ -118,7 +118,7 @@ if ($cgiparams{'ACTION'} eq "$Lang::tr{'save'}") {
> $wlanapsettings{'NOSCAN'} = ($cgiparams{'NOSCAN'} eq 'on') ? 'on' : 'off';
> $wlanapsettings{'ENC'} = $cgiparams{'ENC'};
> $wlanapsettings{'PWD'} = $cgiparams{'PWD'};
> - $wlanapsettings{'IEEE80211W'} = ($cgiparams{'IEEE80211W'} eq 'on') ? 'on' : 'off';
> + $wlanapsettings{'IEEE80211W'} = $cgiparams{'IEEE80211W'} // 'off';
> $wlanapsettings{'TX_POWER'} = $cgiparams{'TX_POWER'};
> 
> if ($errormessage eq '') {
> -- 
> 2.47.2
> 
> 



^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH v2] wlanap.cgi: Save IEEE80211W 'optional' value correctly
  2025-10-17  9:42 [PATCH] wlanap.cgi: Save IEEE80211W 'optional' value correctly ummeegge
  2025-10-22 10:17 ` Michael Tremer
@ 2025-10-22 15:34 ` ummeegge
  1 sibling, 0 replies; 5+ messages in thread
From: ummeegge @ 2025-10-22 15:34 UTC (permalink / raw)
  To: development; +Cc: ummeegge

The v1 patch used defined-or (//), which allowed arbitrary values to be written.
This v2 patch validates that IEEE80211W is one of 'off',
'optional', or 'on', defaulting to 'off' if invalid.

Signed-off-by: ummeegge <ummeegge@ipfire.org>
---
 html/cgi-bin/wlanap.cgi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi
index 600ddc489..0d1c5a90b 100644
--- a/html/cgi-bin/wlanap.cgi
+++ b/html/cgi-bin/wlanap.cgi
@@ -118,7 +118,7 @@ if ($cgiparams{'ACTION'} eq "$Lang::tr{'save'}") {
 	$wlanapsettings{'NOSCAN'} = ($cgiparams{'NOSCAN'} eq 'on') ? 'on' : 'off';
 	$wlanapsettings{'ENC'} = $cgiparams{'ENC'};
 	$wlanapsettings{'PWD'} = $cgiparams{'PWD'};
-	$wlanapsettings{'IEEE80211W'} = ($cgiparams{'IEEE80211W'} eq 'on') ? 'on' : 'off';
+	$wlanapsettings{'IEEE80211W'} = ($cgiparams{'IEEE80211W'} eq 'on' || $cgiparams{'IEEE80211W'} eq 'optional') ? $cgiparams{'IEEE80211W'} : 'off';
 	$wlanapsettings{'TX_POWER'} = $cgiparams{'TX_POWER'};
 
 	if ($errormessage eq '') {
-- 
2.47.2



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] wlanap.cgi: Save IEEE80211W 'optional' value correctly
  2025-10-22 10:17 ` Michael Tremer
@ 2025-10-22 18:02   ` ummeegge
  2025-10-23 16:49     ` Michael Tremer
  0 siblings, 1 reply; 5+ messages in thread
From: ummeegge @ 2025-10-22 18:02 UTC (permalink / raw)
  To: Michael Tremer; +Cc: development

Hi Michael,
hope version 2 fits the needs.

Best,

Erik

Am Mittwoch, dem 22.10.2025 um 11:17 +0100 schrieb Michael Tremer:
> Hello Erik,
> 
> Thank you for your patch.
> 
> I cannot quite merge this because the patch changes behaviour so that
> the browser could write arbitrary values into the configuration file
> without further sanitisation. To fix this, we must check if
> $cgiparams{'IEEE80211W’} contains one of three possible values.
> 
> Would you like to update this patch accordingly?
> 
> -Michael
> 
> > On 17 Oct 2025, at 10:42, ummeegge <ummeegge@ipfire.org> wrote:
> > 
> > Original ternary ignored 'optional' and forced 'off'.
> > Use defined-or (//) to preserve all select values.
> > 
> > Signed-off-by: ummeegge <ummeegge@ipfire.org>
> > ---
> > html/cgi-bin/wlanap.cgi | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi
> > index 600ddc489..afdba59b3 100644
> > --- a/html/cgi-bin/wlanap.cgi
> > +++ b/html/cgi-bin/wlanap.cgi
> > @@ -118,7 +118,7 @@ if ($cgiparams{'ACTION'} eq
> > "$Lang::tr{'save'}") {
> > $wlanapsettings{'NOSCAN'} = ($cgiparams{'NOSCAN'} eq 'on') ? 'on' :
> > 'off';
> > $wlanapsettings{'ENC'} = $cgiparams{'ENC'};
> > $wlanapsettings{'PWD'} = $cgiparams{'PWD'};
> > - $wlanapsettings{'IEEE80211W'} = ($cgiparams{'IEEE80211W'} eq
> > 'on') ? 'on' : 'off';
> > + $wlanapsettings{'IEEE80211W'} = $cgiparams{'IEEE80211W'} //
> > 'off';
> > $wlanapsettings{'TX_POWER'} = $cgiparams{'TX_POWER'};
> > 
> > if ($errormessage eq '') {
> > -- 
> > 2.47.2
> > 
> > 


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] wlanap.cgi: Save IEEE80211W 'optional' value correctly
  2025-10-22 18:02   ` ummeegge
@ 2025-10-23 16:49     ` Michael Tremer
  0 siblings, 0 replies; 5+ messages in thread
From: Michael Tremer @ 2025-10-23 16:49 UTC (permalink / raw)
  To: ummeegge; +Cc: development

Hello Erik,

Yes, thank you. That looks good to me.

-Michael

> On 22 Oct 2025, at 19:02, ummeegge <ummeegge@ipfire.org> wrote:
> 
> Hi Michael,
> hope version 2 fits the needs.
> 
> Best,
> 
> Erik
> 
> Am Mittwoch, dem 22.10.2025 um 11:17 +0100 schrieb Michael Tremer:
>> Hello Erik,
>> 
>> Thank you for your patch.
>> 
>> I cannot quite merge this because the patch changes behaviour so that
>> the browser could write arbitrary values into the configuration file
>> without further sanitisation. To fix this, we must check if
>> $cgiparams{'IEEE80211W’} contains one of three possible values.
>> 
>> Would you like to update this patch accordingly?
>> 
>> -Michael
>> 
>>> On 17 Oct 2025, at 10:42, ummeegge <ummeegge@ipfire.org> wrote:
>>> 
>>> Original ternary ignored 'optional' and forced 'off'.
>>> Use defined-or (//) to preserve all select values.
>>> 
>>> Signed-off-by: ummeegge <ummeegge@ipfire.org>
>>> ---
>>> html/cgi-bin/wlanap.cgi | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>> 
>>> diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi
>>> index 600ddc489..afdba59b3 100644
>>> --- a/html/cgi-bin/wlanap.cgi
>>> +++ b/html/cgi-bin/wlanap.cgi
>>> @@ -118,7 +118,7 @@ if ($cgiparams{'ACTION'} eq
>>> "$Lang::tr{'save'}") {
>>> $wlanapsettings{'NOSCAN'} = ($cgiparams{'NOSCAN'} eq 'on') ? 'on' :
>>> 'off';
>>> $wlanapsettings{'ENC'} = $cgiparams{'ENC'};
>>> $wlanapsettings{'PWD'} = $cgiparams{'PWD'};
>>> - $wlanapsettings{'IEEE80211W'} = ($cgiparams{'IEEE80211W'} eq
>>> 'on') ? 'on' : 'off';
>>> + $wlanapsettings{'IEEE80211W'} = $cgiparams{'IEEE80211W'} //
>>> 'off';
>>> $wlanapsettings{'TX_POWER'} = $cgiparams{'TX_POWER'};
>>> 
>>> if ($errormessage eq '') {
>>> -- 
>>> 2.47.2
>>> 
>>> 
> 



^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2025-10-23 16:50 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-10-17  9:42 [PATCH] wlanap.cgi: Save IEEE80211W 'optional' value correctly ummeegge
2025-10-22 10:17 ` Michael Tremer
2025-10-22 18:02   ` ummeegge
2025-10-23 16:49     ` Michael Tremer
2025-10-22 15:34 ` [PATCH v2] " ummeegge

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox