Bug #4497

Using a specific password within FreeRADIUS user management causes pfSense to restore a backup!

Added by Matthias Güntert over 5 years ago. Updated 5 months ago.


I have noticed some really strange behaviour when using a specific password for a freeradius user account. Somehow I can't use the password 'W!f!4c3ss.' (without the quotes).

Every time I enter the mentioned password and click on save, the WebGUI shows "01 unread notice" - "Acknowledge All Notices" - "[pfSense is restoring the configuration /cf/conf/backup/config-1425739xxxx.xml]". The changes are then not getting applied (checked within /usr/pbi/freeradius-amd64/local/etc/raddb/users). Every other password works. I guess there is something wrong with the way the input gets parsed.

This seems independent of the browser in use. Tested with Chrome (40.0.2214.115 m) and Internet Explorer 11 (11.0.9600.17631).

Associated revisions

Revision 5ee65c00 (diff)
Added by Jim Pingle 7 months ago

CDATA encode FreeRADIUS user names/passwords. Issue #4497

Revision 29f87d21 (diff)
Added by Jim Pingle 6 months ago

CDATA encode FreeRADIUS user names/passwords. Issue #4497

(cherry picked from commit 5ee65c008f628340fede29d9fbf42a4a68dd63e1)


#1 Updated by Paul K over 5 years ago

I tried to reproduce this using the password you provided, but it worked just fine. Then I noticed that your last name contains an umlaut, so I tried to create a user with the username Güntert, and sure enough it failed.

#2 Updated by Matthias Güntert over 5 years ago

The user for which I have set this password does not contain any umlauts!

#3 Updated by Chris Buechler almost 5 years ago

  • Affected Version changed from 2.2 to All

#4 Updated by Viktor Gurov 8 months ago

This fix allows only ^[a-zA-Z0-9_.-]*$ to be used for usernames:

#5 Updated by Jim Pingle 8 months ago

  • Status changed from New to Pull Request Review

#6 Updated by Renato Botelho 8 months ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

#7 Updated by Jim Pingle 6 months ago

  • Target version set to 2.4.5-p1

#8 Updated by Jim Pingle 5 months ago

  • Status changed from Feedback to Resolved

Field is CDATA escaped in the config. Password W!f!4c3ss. was saved without error and present in the config after.
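
Added example, not pfSense or FreeRADIUS package code: a Python sketch of the two measures mentioned in this thread, the username allow-list from comment #4 and CDATA-wrapping of values before they are written into an XML config. The element names, function names and the sample password containing markup characters are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Pattern quoted in comment #4; fullmatch() avoids "$" accepting a trailing newline.
USERNAME_RE = re.compile(r"^[a-zA-Z0-9_.-]*$")


def valid_username(name: str) -> bool:
    """True for a non-empty name made only of allow-listed characters."""
    return bool(name) and USERNAME_RE.fullmatch(name) is not None


def cdata(text: str) -> str:
    """Wrap text in CDATA. A section ends at the first "]]>", so that
    sequence is split across two sections to keep the value intact."""
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def user_entry(username: str, password: str, escape: bool = True) -> str:
    """Serialize one user record (hypothetical element names)."""
    if not valid_username(username):
        raise ValueError("username contains characters outside the allow-list")
    wrap = cdata if escape else (lambda s: s)
    return ("<config><username>%s</username><password>%s</password></config>"
            % (wrap(username), wrap(password)))


def read_password(xml_text: str):
    """Return the stored password, or None if the document no longer parses."""
    try:
        return ET.fromstring(xml_text).findtext("password")
    except ET.ParseError:
        return None


if __name__ == "__main__":
    tricky = "p<w&d]]>x"  # constructed value with markup characters
    print(read_password(user_entry("alice", tricky, escape=False)))  # config is not well-formed
    print(read_password(user_entry("alice", tricky)))                # value survives the round trip
    print(read_password(user_entry("alice", "W!f!4c3ss.")))          # password from this issue
    print(valid_username("Güntert"))                                 # rejected by the allow-list
```

The unescaped variant shows the failure class that CDATA-wrapping removes: a value that makes the stored config unparseable, which a loader can only recover from by falling back to an earlier copy.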
