
Opened 3 years ago

Closed 3 years ago

#20096 closed defect (fixed)

Wireless configuration may update the WiFi key to router's login password

Reported by: gvalkov
Owned by: developers
Priority: high
Milestone: Chaos Calmer 15.05
Component: packages
Version: Trunk
Keywords: saved login password LuCI wireless key administration
Cc:

Description

Saved administration site user and pass may appear on the Wireless configuration page. As shown on the attached image, the create Network field is automatically filled with the user name root, while the Key contains my password. Pressing Save & Apply will replace the Key. Router connectivity is lost until the correct Key is configured over LAN cable. The workaround is to always re-enter the original Key, every time I need to update a setting.

Affected browser: Google Chrome.
Requires that the LuCI user and pass are saved on the browser.

Analysing the web page source code shows that both fields use the same class="cbi-input-password":

<input class="cbi-input-password" type="password" name="luci_password" />

<input type="password" class="cbi-input-password" onchange="cbi_d_update(this.id)" name="cbid.wireless.cfg073579._wpa_key" id="cbid.wireless.cfg073579._wpa_key" value="********" />

Attachments (3)

2015-07-16_01 wrong wifi data.png (135.9 KB) - added by gvalkov 3 years ago.
2015-07-16 login password replaces wireless key
0001-Workaround-saved-administration-site-user-and-pass-m.patch (990 bytes) - added by gvalkov 3 years ago.
Add a dummy hidden password box in template network_netlist.htm
0002-Mod-Show-the-WPA-key-by-default.patch (974 bytes) - added by gvalkov 3 years ago.
Mod: Show the WPA key by default


Change History (8)

comment:1 Changed 3 years ago by jow

I'm aware of the problem but I didn't find a way yet to prevent browsers from doing that...

Changed 3 years ago by gvalkov

2015-07-16 login password replaces wireless key

comment:2 Changed 3 years ago by anonymous

According to
https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

and
https://developer.mozilla.org/en/docs/Web/HTML/Element/form#Google_Chrome_notes

BOTH the <form> and the <input> tags should have the attribute autocomplete="off"

and they should look somewhat similar to this:
form:

<form autocomplete="off" method="post" name="cbi"
action="" 
enctype="multipart/form-data" onreset="return cbi_validate_reset(this)" 
onsubmit="return cbi_validate_form(this, 'Some fields are invalid, cannot save values!')">

Also, Chrome has a habit of sometimes ignoring the autocomplete attribute, so just to make sure that it doesn't mess with the form, create a few dummy fields before all the other fields and make them hidden with "display:none".

(note: the dummy ones do not have the autocomplete attribute set.
Also, keep the comment about the reason for using the hidden inputs
in the html source too.)

<!-- these are needed for Chrome autofill messing the form -->
<input style="display:none" type="password" name="dummypassword">
<input style="display:none" type="text" name="dummytext">


(real input fields)
<input autocomplete="off" class="cbi-input-password" type="password" name="luci_password"  />

<input autocomplete="off" type="password" class="cbi-input-password" 
onchange="cbi_d_update(this.id)" name="cbid.wireless.cfg073579._wpa_key" 
id="cbid.wireless.cfg073579._wpa_key" value="********" />
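
One way to check page markup for the mitigations listed in comment:2, as an added example that is not part of the ticket or of LuCI's own code. The function names, the sample markup and the `cbid.network.newnet` field name are constructed for illustration; the check covers only the three measures named above (form attribute, input attribute, hidden dummy password field).

```javascript
// Added example: flags visible password inputs that miss the mitigations from comment:2.
// VULNERABLE and HARDENED are constructed markup modelled on the inputs quoted in the ticket.
const VULNERABLE = `<form method="post" name="cbi" action="">
<input type="text" name="cbid.network.newnet" />
<input type="password" class="cbi-input-password" name="cbid.wireless.cfg073579._wpa_key" value="********" />
</form>`;
const HARDENED = `<form autocomplete="off" method="post" name="cbi" action="">
<!-- these are needed for Chrome autofill messing the form -->
<input style="display:none" type="password" name="dummypassword">
<input style="display:none" type="text" name="dummytext">
<input autocomplete="off" type="password" class="cbi-input-password" name="cbid.wireless.cfg073579._wpa_key" value="********" />
</form>`;

// Parse one tag's attribute string into a lower-cased name -> value map.
function parseAttrs(src) {
  const attrs = {};
  const re = /([\w:.-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || "";
  }
  return attrs;
}
const isOff = (a) => (a.autocomplete || "").toLowerCase() === "off";

// Walk <form>/<input> tags in document order; one finding per visible password input.
function auditPasswordInputs(html) {
  const tagRe = /<(\/?)(form|input)\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  const findings = [];
  let formOff = false, decoySeen = false, m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[3]);
    if (m[2].toLowerCase() === "form") { // entering or leaving a form resets state
      formOff = !m[1] && isOff(attrs);
      decoySeen = false;
      continue;
    }
    if ((attrs.type || "").toLowerCase() !== "password") continue;
    if (/display\s*:\s*none/i.test(attrs.style || "")) { decoySeen = true; continue; }
    const issues = [];
    if (!formOff) issues.push("form lacks autocomplete=off");
    if (!isOff(attrs)) issues.push("input lacks autocomplete=off");
    if (!decoySeen) issues.push("no hidden dummy password field before it");
    if (issues.length) findings.push({ name: attrs.name || "(unnamed)", issues });
  }
  return findings;
}
console.log(JSON.stringify(auditPasswordInputs(VULNERABLE), null, 2));
```

Run against a saved copy of the wireless configuration page, any finding names a field whose value a browser with saved LuCI credentials may replace.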

comment:3 Changed 3 years ago by gvalkov

Hello Jow and anonymous!
After following your ideas and doing research, I found two workarounds:

  1. Add a dummy hidden password box in template network_netlist.htm
/usr/lib/lua/luci/view/cbi/network_netlist.htm
modules/luci-base/luasrc/view/cbi/network_netlist.htm

line 62:
+			<input style="display:none" type="password" />
			<input style="width:6em" type="text"<%=attr("name", cbid .. ".newnet")%> onfocus="document.getElementById('<%=cbid%>_new').checked=true" />
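Review bot: the hidden password input on the `+` line has no name and no comment saying why it is there, so a later template cleanup could delete it and bring the autofill overwrite back. Put an HTML comment directly above it, as comment:2 asks ("these are needed for Chrome autofill messing the form"). The hunk also leaves the real key input unchanged, so the fix rests entirely on browser autofill heuristics; setting autocomplete="off" on the real inputs as well would make it less fragile.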
  2. Change the password box to text:
/usr/lib/lua/luci/model/cbi/admin_network/wifi.lua
modules/luci-mod-admin-full/luasrc/model/cbi/admin_network/wifi.lua

line 800:
-			wpakey.password = true
+			wpakey.password = false
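Review bot: setting `wpakey.password = false` at line 800 makes the WPA key render in a plain text field for every user, which shows the key to anyone who can see the screen or a screenshot of the page. Keep `wpakey.password = true` as the default and handle autofill in the template instead, or make clear-text display an explicit opt-in.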

Unfortunately I wasn't able to manipulate HTML directly from wifi.lua, so adding autocomplete="off" to the password would require more experience. Alas it's my first day messing with Lua and LuCI and I have a lot to learn. :) The form is one level above wifi.lua and while it might be possible to act there, it needs more research.

Jow, do you think workaround 1 is suitable for a commit? As for number 2, I always wanted to have the WPA key visible by default, so I'm going to use it on my own builds. ;)


Changed 3 years ago by gvalkov

Add a dummy hidden password box in template network_netlist.htm

Changed 3 years ago by gvalkov

Mod: Show the WPA key by default

comment:4 Changed 3 years ago by gvalkov

Fixed: my patch has been accepted. Thank you Jo-Philipp Wich!

comment:5 Changed 3 years ago by florian

  • Resolution set to fixed
  • Status changed from new to closed
