From 5fd17835f5b9f538db5d95bf8f7bec12daa680d5 Mon Sep 17 00:00:00 2001
From: Selva Nair <selva.nair@gmail.com>
Date: Tue, 31 Aug 2021 18:18:49 -0400
Subject: [PATCH] Clear password used for profile import

- HTTP auth password appears to be cached and reused
  unless replaced by a non-empty string. When user-supplied
  password is empty, use some arbitrary string "x" as the
  password.

- Make username required for generic URL as well.

- Also clear password buffers after use.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
---
 as.c | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/as.c b/as.c
index f53b50b..ae0276b 100644
--- a/as.c
+++ b/as.c
@@ -322,6 +322,12 @@ DownloadProfile(HANDLE hWnd, const struct UrlComponents *comps, const char *user
     char password[USER_PASS_LEN] = { 0 };
     strncpy_s(password, _countof(password), password_orig, _TRUNCATE);
 
+    /* empty password causes reuse of previously cached value -- set it to some character */
+    if (strlen(password) == 0)
+    {
+        password[0] = 'x';
+    }
+
     hInternet = InternetOpenW(L"openvpn-gui/1.0", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
     if (!hInternet) {
         ShowWinInetError(hWnd);
@@ -491,6 +497,9 @@ done:
     if (buf)
         free(buf);
 
+    /* wipe the password */
+    SecureZeroMemory(password, sizeof(password));
+
     if (hRequest)
         InternetCloseHandle(hRequest);
 
@@ -541,10 +550,9 @@ ImportProfileFromURLDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa
         case ID_EDT_AUTH_PASS:
         case ID_EDT_URL:
             if (HIWORD(wParam) == EN_UPDATE) {
-                /* enable OK button only if url and username (for AS only) are filled */
+                /* enable OK button only if url and username are filled */
                 BOOL enableOK = GetWindowTextLengthW(GetDlgItem(hwndDlg, ID_EDT_URL))
-                    && (type == server_generic
-                        || GetWindowTextLengthW(GetDlgItem(hwndDlg, ID_EDT_AUTH_USER)));
+                    && GetWindowTextLengthW(GetDlgItem(hwndDlg, ID_EDT_AUTH_USER));
                 EnableWindow(GetDlgItem(hwndDlg, IDOK), enableOK);
             }
             break;
@@ -577,11 +585,14 @@ ImportProfileFromURLDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa
             }
             BOOL downloaded = DownloadProfile(hwndDlg, &comps, username, password, path, _countof(path));
 
-            if (username_len != 0)
+            if (username_len > 0)
                 free(username);
 
-            if (password_len != 0)
+            if (password_len > 0)
+            {
+                SecureZeroMemory(password, strlen(password));
                 free(password);
+            }
 
             if (downloaded) {
                 EndDialog(hwndDlg, LOWORD(wParam));