Bug #11867

Unquoted variable in ``dot.tcshrc`` can cause proxy password to be printed

Added by John Runyon about 2 months ago. Updated 19 days ago.

Status: Closed
Priority: Normal
Category: Operating System
Target version:
Start date: 04/28/2021
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 21.05
Release Notes: Default
Affected Version: All
Affected Architecture:

Description

https://github.com/pfsense/pfsense/blob/a7086b04cae21ca742fdeefd1019ee1401b6dded/src/etc/skel/dot.tcshrc#L71 causes username and/or password for the proxy to be printed if it contains a ?

For example, set your proxy password to "bar?" and then sign in via SSH:

pfSense - Netgate Device ID: 6f04db72ec87aa2218b2

*** Welcome to pfSense 2.4.4-RELEASE-p3 (amd64) on pfsense ***

...

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option: 8

bar?: No match.
[2.4.4-RELEASE][admin@...]/root: 

Quoting the variables like below makes the "bar?: No match" go away but I don't know enough about [t]csh to say if it's the correct fix:

if ( "${http_proxy_auth_user}" != "" && "${http_proxy_auth_pass}" != "" ) then
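A check for this class of bug in csh/tcsh startup files, as an added example that is not part of the original report or of pfSense: it flags `if ( ... )` conditions that still expand a variable outside quotes. The function names and the sample lines are constructed for illustration; the unquoted condition is the report's quoted fix with the quotes removed.

```shell
#!/bin/sh
# Added example, not pfSense code: flag csh/tcsh `if ( ... )` conditions that
# expand a variable outside quotes. tcsh applies filename substitution to such
# a value, so a password like "bar?" becomes a glob pattern that is echoed in
# the "No match" error.

# find_unquoted_if_vars FILE  (hypothetical helper name)
# Prints "LINENO:LINE" for each flagged line; exit status 0 if any, 1 if none.
find_unquoted_if_vars() {
    awk -v sq="'" '
    /^[ \t]*(else[ \t]+)?if[ \t]*\(/ {
        rest = $0
        gsub(/"[^"]*"/, "", rest)            # double-quoted: expanded, never globbed
        gsub(sq "[^" sq "]*" sq, "", rest)   # single-quoted: not expanded at all
        gsub(/\$[{]?[A-Za-z_][A-Za-z0-9_]*:q[}]?/, "", rest)  # :q quotes the value
        # What is left is unquoted. $?name and $#name yield only numbers, so
        # only plain $name / ${name} references are reported.
        if (rest ~ /\$[{]?[A-Za-z_]/) { printf "%d:%s\n", NR, $0; found = 1 }
    }
    END { exit !found }' "$1"
}

# Constructed sample: the unquoted condition, the quoted fix from the report,
# and a condition that only uses the numeric $?name / $#name forms.
write_sample() {
    cat > "$1" <<'EOF'
if ( ${http_proxy_auth_user} != "" && ${http_proxy_auth_pass} != "" ) then
endif
if ( "${http_proxy_auth_user}" != "" && "${http_proxy_auth_pass}" != "" ) then
endif
if ( $?prompt && $#argv == 0 ) then
endif
EOF
}

sample=$(mktemp)
write_sample "$sample"
find_unquoted_if_vars "$sample"   # reports line 1 only
rm -f "$sample"
```

The non-zero exit status on a clean file makes the function usable as a gate in a pre-commit hook or CI step for shell skeleton files.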

Associated revisions

Revision 5d26423e (diff)
Added by Viktor Gurov about 1 month ago

Quote proxy user/pass variables in dot.tcshrc. Fixes #11867

History

#1 Updated by Viktor Gurov about 2 months ago

  • Affected Version set to All

This bug causes not only printing the password in the shell, but also not populating the HTTP_PROXY_AUTH env variable.

Fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/228

#2 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Pull Request Review
  • Assignee set to Renato Botelho
  • Target version set to 2.6.0

#3 Updated by Viktor Gurov about 1 month ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100

#4 Updated by Jim Pingle about 1 month ago

  • Plus Target Version set to 21.05

#5 Updated by Jim Pingle about 1 month ago

Already in 21.05 branch.

#6 Updated by Jim Pingle about 1 month ago

  • Subject changed from Unquoted variable in dot.tcshrc can cause password to be printed to Unquoted variable in ``dot.tcshrc`` can cause password to be printed

#7 Updated by Jim Pingle about 1 month ago

  • Subject changed from Unquoted variable in ``dot.tcshrc`` can cause password to be printed to Unquoted variable in ``dot.tcshrc`` can cause proxy password to be printed

Updating subject for release notes.

#8 Updated by Jim Pingle 20 days ago

  • Target version changed from 2.6.0 to 2.5.2

#9 Updated by Jim Pingle 19 days ago

  • Status changed from Feedback to Closed

Works correctly now.
