Clear password used for profile import

- HTTP auth password appears to be cached and reused
  unless replaced by a non-empty string. When user-supplied
  password is empty, use some arbitrary string "x" as the
  password.

- Make username required for generic URL as well.

- Also clear password buffers after use.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
pull/461/head
Selva Nair 3 years ago
parent 69195ee6b1
commit 5fd17835f5

21
as.c

@ -322,6 +322,12 @@ DownloadProfile(HANDLE hWnd, const struct UrlComponents *comps, const char *user
char password[USER_PASS_LEN] = { 0 }; char password[USER_PASS_LEN] = { 0 };
strncpy_s(password, _countof(password), password_orig, _TRUNCATE); strncpy_s(password, _countof(password), password_orig, _TRUNCATE);
/* empty password causes reuse of previously cached value -- set it to some character */
if (strlen(password) == 0)
{
password[0] = 'x';
}
hInternet = InternetOpenW(L"openvpn-gui/1.0", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0); hInternet = InternetOpenW(L"openvpn-gui/1.0", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
if (!hInternet) { if (!hInternet) {
ShowWinInetError(hWnd); ShowWinInetError(hWnd);
@ -491,6 +497,9 @@ done:
if (buf) if (buf)
free(buf); free(buf);
/* wipe the password */
SecureZeroMemory(password, sizeof(password));
if (hRequest) if (hRequest)
InternetCloseHandle(hRequest); InternetCloseHandle(hRequest);
@ -541,10 +550,9 @@ ImportProfileFromURLDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa
case ID_EDT_AUTH_PASS: case ID_EDT_AUTH_PASS:
case ID_EDT_URL: case ID_EDT_URL:
if (HIWORD(wParam) == EN_UPDATE) { if (HIWORD(wParam) == EN_UPDATE) {
/* enable OK button only if url and username (for AS only) are filled */ /* enable OK button only if url and username are filled */
BOOL enableOK = GetWindowTextLengthW(GetDlgItem(hwndDlg, ID_EDT_URL)) BOOL enableOK = GetWindowTextLengthW(GetDlgItem(hwndDlg, ID_EDT_URL))
&& (type == server_generic && GetWindowTextLengthW(GetDlgItem(hwndDlg, ID_EDT_AUTH_USER));
|| GetWindowTextLengthW(GetDlgItem(hwndDlg, ID_EDT_AUTH_USER)));
EnableWindow(GetDlgItem(hwndDlg, IDOK), enableOK); EnableWindow(GetDlgItem(hwndDlg, IDOK), enableOK);
} }
break; break;
@ -577,11 +585,14 @@ ImportProfileFromURLDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa
} }
BOOL downloaded = DownloadProfile(hwndDlg, &comps, username, password, path, _countof(path)); BOOL downloaded = DownloadProfile(hwndDlg, &comps, username, password, path, _countof(path));
if (username_len != 0) if (username_len > 0)
free(username); free(username);
if (password_len != 0) if (password_len > 0)
{
SecureZeroMemory(password, strlen(password));
free(password); free(password);
}
if (downloaded) { if (downloaded) {
EndDialog(hwndDlg, LOWORD(wParam)); EndDialog(hwndDlg, LOWORD(wParam));
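Review bot: In the last hunk the caller's wipe `SecureZeroMemory(password, strlen(password));` sizes the wipe by the string's content rather than by the buffer, so anything past the first NUL in the allocation is left untouched; since `password_len` is already in scope and gates the `free(password)` on the line below, it looks like the allocation's length and would be the more robust bound, `SecureZeroMemory(password, password_len);` (confirm that `password_len` counts the narrow buffer's bytes and not a wide-string length). The stack copy inside `DownloadProfile` is wiped separately at the `done:` label in the second hunk, so the two wipes together cover both copies, provided every exit of `DownloadProfile` goes through `done:`; that function starts and ends outside the hunks shown. The 'x' sentinel in the first hunk means the literal credential "x" is what reaches the server when the field is left blank, which the comment there could state outright, e.g. `/* WinINet reuses a cached password when this is empty; send a dummy "x" instead */`, so a later maintainer does not mistake it for a stray test value.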
