Project

General

Profile

Actions

Bug #11867

closed

Unquoted variable in ``dot.tcshrc`` can cause proxy password to be printed

Added by John Runyon 5 months ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Category:
Operating System
Target version:
Start date:
04/28/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
21.05
Release Notes:
Default
Affected Version:
All
Affected Architecture:

Description

https://github.com/pfsense/pfsense/blob/a7086b04cae21ca742fdeefd1019ee1401b6dded/src/etc/skel/dot.tcshrc#L71 causes username and/or password for the proxy to be printed if it contains a ?

For example, set your proxy password to "bar?" and then sign in via SSH:

pfSense - Netgate Device ID: 6f04db72ec87aa2218b2

*** Welcome to pfSense 2.4.4-RELEASE-p3 (amd64) on pfsense ***

...

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option: 8

bar?: No match.
[2.4.4-RELEASE][admin@...]/root: 

Quoting the variables like below makes the "bar?: No match" go away but I don't know enough about [t]csh to say if it's the correct fix:

if ( "${http_proxy_auth_user}" != "" && "${http_proxy_auth_pass}" != "" ) then

Actions #1

Updated by Viktor Gurov 5 months ago

  • Affected Version set to All

this bug causes not only printing the password in the shell, but also not populating the HTTP_PROXY_AUTH env variable

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/228

Actions #2

Updated by Jim Pingle 5 months ago

  • Status changed from New to Pull Request Review
  • Assignee set to Renato Botelho
  • Target version set to 2.6.0
Actions #3

Updated by Viktor Gurov 4 months ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #4

Updated by Jim Pingle 4 months ago

  • Plus Target Version set to 21.05
Actions #5

Updated by Jim Pingle 4 months ago

Already in 21.05 branch.

Actions #6

Updated by Jim Pingle 4 months ago

  • Subject changed from Unquoted variable in dot.tcshrc can cause password to be printed to Unquoted variable in ``dot.tcshrc`` can cause password to be printed
Actions #7

Updated by Jim Pingle 4 months ago

  • Subject changed from Unquoted variable in ``dot.tcshrc`` can cause password to be printed to Unquoted variable in ``dot.tcshrc`` can cause proxy password to be printed

Updating subject for release notes.

Actions #8

Updated by Jim Pingle 4 months ago

  • Target version changed from 2.6.0 to 2.5.2
Actions #9

Updated by Jim Pingle 4 months ago

  • Status changed from Feedback to Closed

Works correctly now.

Actions

Also available in: Atom PDF