github
/
openvpn-gui
mirror of https://github.com/OpenVPN/openvpn-gui
1
0
Fork 0
Code Issues Releases Wiki Activity

Check for invalid characters in user inputs 

- Flag password and username input if these contain an invalid character
  (currently only embedded '\n' is disallowed). Shows a popup when OK
  is pressed so that the user can correct the input and resubmit.

- Add an error message to the log when the management i/f returns
  ERROR for incorrectly parsed commands. Otherwise such errors go
  unnoticed.

Note: IDS_ERR_INVALID_USERNAME/PASSWORD need translations.

Reported and tested by: Florian Beier (H4ndl3 on github)
Fixes Trac: #958

Signed-off-by: Selva Nair <selva.nair@gmail.com>
pull/194/head
Selva Nair 2017-11-18 10:14:25 -05:00
parent 8eb06fa697
commit 301a5e5644
6 changed files with 74 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
manage.c
View File

@ -340,6 +340,12 @@ OnManagement(SOCKET sk, LPARAM lParam)
}
else if (strncmp(line, "ERROR:", 6) == 0)
{
/* Response sent to management is not processed. Log an error in status window */
char buf[256];
_snprintf_0(buf, "%lld,N,Previous command sent to management failed: %s",
(long long)time(NULL), line)
rtmsg_handler[log](c, buf);
if (cmd->handler)
cmd->handler(c, NULL);
UnqueueCommand(c);

9
misc.c
View File

@ -453,3 +453,12 @@ Widen(const char *utf8)
return wstr;
}
/* Return false if input contains any characters in exclude */
BOOL
validate_input(const WCHAR *input, const WCHAR *exclude)
{
if (!exclude)
exclude = L"\n";
return (wcspbrk(input, exclude) == NULL);
}

1
misc.h
View File

@ -39,4 +39,5 @@ BOOL CheckFileAccess (const TCHAR *path, int access);
BOOL Base64Encode(const char *input, int input_len, char **output);
int Base64Decode(const char *input, char **output);
WCHAR *Widen(const char *utf8);
BOOL validate_input(const WCHAR *input, const WCHAR *exclude);
#endif

4
openvpn-gui-res.h
View File

@ -310,6 +310,10 @@
#define IDS_NFO_AUTH_PASS_RETRY 2150
#define IDS_NFO_KEY_PASS_RETRY 2151
/* Invalid input errors */
#define IDS_ERR_INVALID_PASSWORD_INPUT 2152
#define IDS_ERR_INVALID_USERNAME_INPUT 2153
/* Timer IDs */
#define IDT_STOP_TIMER 2500 /* Timer used to trigger force termination */

60
openvpn.c
View File

@ -33,6 +33,7 @@
#include <process.h>
#include <richedit.h>
#include <time.h>
#include <commctrl.h>
#include "tray.h"
#include "main.h"
@ -99,6 +100,22 @@ AppendTextToCaption (HANDLE hwnd, const WCHAR *str)
SetWindowText (hwnd, new);
}
/*
* Show an error tooltip with msg attached to the specified
* editbox handle.
*/
static void
show_error_tip(HWND editbox, const WCHAR *msg)
{
EDITBALLOONTIP bt;
bt.cbStruct = sizeof(EDITBALLOONTIP);
bt.pszText = msg;
bt.pszTitle = L"Invalid input";
bt.ttiIcon = TTI_ERROR_LARGE;
SendMessage(editbox, EM_SHOWBALLOONTIP, 0, (LPARAM)&bt);
}
/*
* Receive banner on connection to management interface
* Format: <BANNER>
@ -364,13 +381,25 @@ UserAuthDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
case IDOK:
if (GetDlgItemTextW(hwndDlg, ID_EDT_AUTH_USER, username, _countof(username)))
{
if (!validate_input(username, L"\n"))
{
show_error_tip(GetDlgItem(hwndDlg, ID_EDT_AUTH_USER), LoadLocalizedString(IDS_ERR_INVALID_USERNAME_INPUT));
return 0;
}
SaveUsername(param->c->config_name, username);
}
if ( param->c->flags & FLAG_SAVE_AUTH_PASS &&
GetDlgItemTextW(hwndDlg, ID_EDT_AUTH_PASS, password, _countof(password)) &&
wcslen(password) )
if (GetDlgItemTextW(hwndDlg, ID_EDT_AUTH_PASS, password, _countof(password)))
{
SaveAuthPass(param->c->config_name, password);
if (!validate_input(password, L"\n"))
{
show_error_tip(GetDlgItem(hwndDlg, ID_EDT_AUTH_PASS), LoadLocalizedString(IDS_ERR_INVALID_PASSWORD_INPUT));
SecureZeroMemory(password, sizeof(password));
return 0;
}
if ( param->c->flags & FLAG_SAVE_AUTH_PASS && wcslen(password) )
{
SaveAuthPass(param->c->config_name, password);
}
SecureZeroMemory(password, sizeof(password));
}
ManagementCommandFromInput(param->c, "username \"Auth\" \"%s\"", hwndDlg, ID_EDT_AUTH_USER);
@ -418,6 +447,7 @@ INT_PTR CALLBACK
GenericPassDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
{
auth_param_t *param;
WCHAR password[USER_PASS_LEN];
switch (msg)
{
@ -467,6 +497,13 @@ GenericPassDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
switch (LOWORD(wParam))
{
case IDOK:
if (GetDlgItemTextW(hwndDlg, ID_EDT_RESPONSE, password, _countof(password))
&& !validate_input(password, L"\n"))
{
show_error_tip(GetDlgItem(hwndDlg, ID_EDT_RESPONSE), LoadLocalizedString(IDS_ERR_INVALID_PASSWORD_INPUT));
SecureZeroMemory(password, sizeof(password));
return 0;
}
if (param->flags & FLAG_CR_TYPE_CRV1)
{
/* send username */
@ -586,11 +623,18 @@ PrivKeyPassDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
break;
case IDOK:
if ((c->flags & FLAG_SAVE_KEY_PASS) &&
GetDlgItemTextW(hwndDlg, ID_EDT_PASSPHRASE, passphrase, _countof(passphrase)) &&
wcslen(passphrase) > 0)
if (GetDlgItemTextW(hwndDlg, ID_EDT_PASSPHRASE, passphrase, _countof(passphrase)))
{
SaveKeyPass(c->config_name, passphrase);
if (!validate_input(passphrase, L"\n"))
{
show_error_tip(GetDlgItem(hwndDlg, ID_EDT_PASSPHRASE), LoadLocalizedString(IDS_ERR_INVALID_PASSWORD_INPUT));
SecureZeroMemory(passphrase, sizeof(passphrase));
return 0;
}
if ((c->flags & FLAG_SAVE_KEY_PASS) && wcslen(passphrase) > 0)
{
SaveKeyPass(c->config_name, passphrase);
}
SecureZeroMemory(passphrase, sizeof(passphrase));
}
ManagementCommandFromInput(c, "password \"Private Key\" \"%s\"", hwndDlg, ID_EDT_PASSPHRASE);

3
res/openvpn-gui-res-en.rc
View File

@ -458,5 +458,6 @@ BEGIN
IDS_NFO_AUTH_PASS_RETRY "Wrong username or password. Try again..."
IDS_NFO_KEY_PASS_RETRY "Wrong password. Try again..."
IDS_ERR_INVALID_PASSWORD_INPUT "Invalid character in password"
IDS_ERR_INVALID_USERNAME_INPUT "Invalid character in username"
END