Improper handling of "too short" voucher codes (1-2 chars)
When a user supplies an invalid voucher that is too short (1-2 chars) the system does not properly return an error. Access is not granted, but it can lead to misleading test results and logging/display of the invalid code in online status.
- The "Test Voucher" page returns a green/success message for any 1-2 char voucher that uses chars from the allowed list set on the portal page, but it claims access was granted for 0 minutes.
- Attempting to login with a short voucher does not generate an error and it does not grant access
- Placing a valid voucher in the voucher field after an invalid short voucher will report success (the second voucher was valid) but the portal status and auth log show the invalid voucher as the one granting access along with the minutes from the valid voucher. Example input: "is yWs5HYQqxKS"
Not a security issue as no access was granted. The portal auth code would deny access since "0 minutes" is not valid.
#1 Updated by Luiz Souza about 4 years ago
- % Done changed from 0 to 100
Two subsequent commits were done to ensure that we ignore vouchers shorter than 5 characters (too short to be a valid voucher):
https://github.com/pfsense/pfsense/commit/9fcbc9ffe38e39e59d7ad098e4e9ba7a378162d9 and https://github.com/pfsense/pfsense/commit/4ccf7dd97ac1e4684fc2c642a1c74209f2bab64a