Project

General

Profile

Bug #9327

Using the character "¤" in OpenVPN password field creates invalid config.xml

Added by Mikael Östergren about 1 year ago. Updated 2 months ago.

Status:
Resolved
Priority:
Low
Assignee:
Category:
OpenVPN
Target version:
Start date:
02/15/2019
Due date:
% Done:

100%

Estimated time:
Affected Version:
All
Affected Architecture:
All

Description

Hi!
Maybe you guys want to know about this one. First post for me to this bugtracker. Hope I'm doing things right here.

Using the character "¤" in OpenVPN password field creates invalid config.xml

(¤)

Error messages produced:

Feb 14 23:26:11     php-fpm         /vpn_openvpn_client.php: New alert found: pfSense is restoring the configuration /cf/conf/backup/config-1550183040.xml
Feb 14 23:26:11     php-fpm         /vpn_openvpn_client.php: pfSense is restoring the configuration /cf/conf/backup/config-1550183040.xml
Feb 14 23:26:11     php-fpm         /vpn_openvpn_client.php: XML error: Undeclared entity error at line 3461 in /conf/config.xml

config.xml.bad

<auth_pass>zYdfrJn&curren;bE</auth_pass>

Heads up is that the OpenVPN client#.conf and related files are created /var/etc/openvpn and used by the OpenVPN, so you got a connection which is active without seening it under OpenVPN/Client or Status/OpenVPN.

Skipping the odd character does make it work as it should.

Made a post in the forum first.
https://forum.netgate.com/topic/140616/adding-client-configuration-results-in-automatic-restored-config-added-logs-show-connection

Associated revisions

Revision 327ad811 (diff)
Added by Jim Pingle 3 months ago

CDATA escape more auth-related fields. Fixes #9327

Revision 809e196a (diff)
Added by Jim Pingle 3 months ago

CDATA escape more auth-related fields. Fixes #9327

(cherry picked from commit 327ad811aa5f965ba805ea78f879c759ca0fdafa)

History

#1 Updated by Jim Pingle about 1 year ago

  • Priority changed from Normal to Low
  • Affected Version changed from 2.4.4_2 to All
  • Affected Architecture All added
  • Affected Architecture deleted ()

It happens because that password field is not CDATA escaped or encoded with base64 in config.xml -- The character you entered is not valid in XML.

We can fix it, though, by changing the field in either of the ways I mentioned.

#2 Updated by Jim Pingle 3 months ago

  • Assignee set to Jim Pingle
  • Target version set to 2.5.0

Looks like the easiest fix is to CDATA escape that field.

#3 Updated by Jim Pingle 3 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#4 Updated by Jim Pingle 3 months ago

  • Target version changed from 2.5.0 to 2.4.5

#5 Updated by Jim Pingle 2 months ago

  • Status changed from Feedback to Resolved

The problem password saves as expected on 2.4.5.a.20191218.2354 -- Field is CDATA protected and does not result in any errors.

Also available in: Atom PDF