Todo #16128: Sanitize pppoe configuration parameters - pfSense - pfSense bugtracker

Custom queries

2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - Resolved/Closed
2.8.1 - All Open Bugs
2.8.1 - All Open Features
2.8.1 - All Open Issues
2.8.1 - All Open Regressions
2.8.1 - Feedback
2.8.1 - Needs Attention
2.8.1 - New/Confirmed
2.8.1 - Pull Requests
2.8.1 - Regressions affecting 2.8.0
2.8.1 - Resolved/Closed
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Target - All Closed Issues
25.07 Plus - All Closed Issues
25.07 Target - All Closed Issues
25.11 Plus - All Closed Issues
25.11 Plus - All Open Issues
25.11 Plus - Feedback Issues
25.11 Plus - Needs Attention/Work
25.11 Plus - New/Confirmed/In Progress Issues
25.11 Plus - Pull Request Review
25.11 Plus - Waiting on Merge
25.11 Target - All Closed Issues
25.11 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - CE Target Version (DO NOT EDIT)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Todo #16128

open

Sanitize pppoe configuration parameters

Added by Kristof Provost 5 months ago. Updated 15 days ago.

Status:

Feedback

Priority:

Normal

Assignee:

Marcos M

Category:

PPP Interfaces

Target version:

2.9.0

Start date:

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

25.11

Release Notes:

Default

Description

A user reports (https://forum.netgate.com/topic/197026/25-03-b-20250306-0140-if_pppoe-kernel-module-chap-failure/10 ) that a leading space in a password used to be ignored as it was written to the mpd5 configuration file without quotes around it.
That's not the case with if_pppoe, so it's considered part of the password.

The if_pppoe behaviour is probably what we want, but we ought to at least document this for TAC.

We should also check if we're correctly handling passwords with symbols such as ", ', \, ... in them here: https://gitlab.netgate.com/pfSense/pfSense/-/blob/master/src/etc/inc/interfaces.inc?ref_type=heads#L2311

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Bill Meeks 5 months ago

Just a thought -- but it would potentially be helpful if password validation logic would check for leading or trailing spaces in entered passwords and warn the user when saving by displaying the standard pfSense warning message at the top of the page. Make it a warning and not a fail, so the user can proceed with the space(s) if desired. Unintended spaces in passwords have been the source of several mysterious problems <grin>.

Actions

Copy link

Updated by Kris Phillips 4 months ago

Status changed from New to Confirmed

Marking as Confirmed for now, since this is a known difference in behavior.

Actions

Copy link

Updated by Scott Ashcroft 3 months ago

Passwords which begin with exclamation mark (!) are broken see:

https://forum.netgate.com/post/1216202

The proper fix would be to base64 encode the password before passing it to the command line and so avoid all the escaping issues.
The command would then do the decode before passing it to the kernel module.
In theory PPP passwords could contain all sorts of mad characters as all bytes values including NUL are valid. Passing them directly as a command line argument will always be dangerous.
Having the connection not work is probably the least worst thing that could happen.

Actions

Copy link

Updated by Steve Wheeler about 1 month ago

Target version set to 2.9.0
Plus Target Version set to 25.11
Affected Version set to 2.8.0
Affected Architecture All added

Additional examples have been found. Still an issue in 25.07.

Actions

Copy link

Updated by Marcos M 17 days ago

Status changed from Confirmed to In Progress
Assignee set to Marcos M

Actions

Copy link

Updated by Marcos M 15 days ago

Tracker changed from Bug to Todo
Subject changed from if_pppoe: PHP password handling to Sanitize pppoe configuration parameters
Affected Version deleted (~~2.8.0~~)
Affected Architecture deleted (~~All~~)

Actions

Copy link

Updated by Marcos M 15 days ago

Status changed from In Progress to Feedback
% Done changed from 0 to 100

Applied in changeset 9da0ba1c6561793e180bf2708a34df27f14e9ee5.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Todo #16128

Sanitize pppoe configuration parameters

Updated by Bill Meeks 5 months ago

Updated by Kris Phillips 4 months ago

Updated by Scott Ashcroft 3 months ago

Updated by Steve Wheeler about 1 month ago

Updated by Marcos M 17 days ago

Updated by Marcos M 15 days ago

Updated by Marcos M 15 days ago