Project

General

Profile

Bug #6688

Special characters in a password cause problems

Added by John Dickinson over 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Dynamic DNS
Target version:
Start date:
08/09/2016
Due date:
% Done:

100%

Affected Version:
All
Affected Architecture:

Description

With the following config snippet (some info redacted), pfsense reports:

php-fpm[71756]: /services_dyndns_edit.php: phpDynDNS (home): (Error) Not a valid username or password!

After changing the password in OpenDNS to something that had different special characters, the issue is resolved (ie OpenDNS is updated properly).

<dyndnses>
    <dyndns>
        <type>opendns</type>
        <username>XXX-redacted-XXX</username>
        <password>dy[&gt;9nk?27ymz2u2khWVTi}2Mkra?yPRuBW[,9QR4U27&gt;Qz*C+</password>
        <host>home</host>
        <domainname/>
        <mx/>
        <enable/>
        <interface>wan</interface>
        <zoneid/>
        <ttl/>
        <updateurl/>
        <resultmatch/>
        <requestif>wan</requestif>
        <descr><![CDATA[OpenDNS]]></descr>
        <force/>
        <id>0</id>
    </dyndns>
</dyndnses>

Associated revisions

Revision 86584ded
Added by Jim Pingle about 1 year ago

Store Dynamic DNS passwords in Base64 to protect special characters. Fixes #6688

History

#1 Updated by Jim Pingle over 1 year ago

  • Category set to Dynamic DNS
  • Target version set to 2.4.0
  • Affected Version set to All

If that example you posted is the one that didn't work, I can see why. Looks like ">" was changed to "&gt;" twice in the same password.

The password field probably needs to be base64 encoded in config.xml so it doesn't fall into traps like that.

#2 Updated by John Dickinson about 1 year ago

Although I don't really know PHP, I can dive into the code and poke around. It looks like it's pretty easy to do base64 encode/decode, and that would fix it for me. However, I'm not really sure how to tackle the migration or testing issue. I can simply decode whatever's there in the field now, because that would break existing users who have set the password, and it doesn't seem very friendly to force users to re-enter their password so it can be encoded. And for testing, I don't really know how that works for PHP.

Any guidance would be appreciated.

#3 Updated by Phillip Davis about 1 year ago

Have a look at the end of https://github.com/pfsense/pfsense/blob/master/src/etc/inc/upgrade_config.inc
You can add a new section there that will encode existing passwords.
Increment the latest_config number in globals.inc and check https://github.com/pfsense/pfsense/blob/master/src/conf.default/config.xml (the default config provided on install and reset to factory defaults)
This commit had recent code that upgraded the config, useful as an example:
https://github.com/pfsense/pfsense/commit/2ce5cd33ef6434d3eb265c59f06e6ffb4930f0d9

#4 Updated by Jim Thompson about 1 year ago

  • Assignee set to Jim Pingle

Please look at Phil'a patch

#5 Updated by Jim Pingle about 1 year ago

I committed a fix to store the passwords in base64. Worked fine here but could use more testing. 2.4 only for the time being.

#6 Updated by Jim Pingle about 1 year ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#7 Updated by Jim Pingle about 1 year ago

  • Status changed from Feedback to Resolved

Base64 encoding works fine here.

Also available in: Atom PDF