github
/
openvpn-gui
mirror of https://github.com/OpenVPN/openvpn-gui
1
0
Fork 0
Code Issues Releases Wiki Activity
Browse Source

Clear password used for profile import 

- HTTP auth password appears to be cached and reused
  unless replaced by a non-empty string. When user-supplied
  password is empty, use some arbitrary string "x" as the
  password.

- Make username required for generic URL as well.

- Also clear password buffers after use.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
pull/461/head
Selva Nair 3 years ago
parent
69195ee6b1
commit
5fd17835f5
1 changed files with 16 additions and 5 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 21
      as.c

21
as.c
Unescape View File

@ -322,6 +322,12 @@ DownloadProfile(HANDLE hWnd, const struct UrlComponents *comps, const char *user
char password[USER_PASS_LEN] = { 0 }; char password[USER_PASS_LEN] = { 0 };
strncpy_s(password, _countof(password), password_orig, _TRUNCATE); strncpy_s(password, _countof(password), password_orig, _TRUNCATE);
/* empty password causes reuse of previously cached value -- set it to some character */
if (strlen(password) == 0)
{
password[0] = 'x';
}
hInternet = InternetOpenW(L"openvpn-gui/1.0", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0); hInternet = InternetOpenW(L"openvpn-gui/1.0", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
if (!hInternet) { if (!hInternet) {
ShowWinInetError(hWnd); ShowWinInetError(hWnd);
@ -491,6 +497,9 @@ done:
if (buf) if (buf)
free(buf); free(buf);
/* wipe the password */
SecureZeroMemory(password, sizeof(password));
if (hRequest) if (hRequest)
InternetCloseHandle(hRequest); InternetCloseHandle(hRequest);
@ -541,10 +550,9 @@ ImportProfileFromURLDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa
case ID_EDT_AUTH_PASS: case ID_EDT_AUTH_PASS:
case ID_EDT_URL: case ID_EDT_URL:
if (HIWORD(wParam) == EN_UPDATE) { if (HIWORD(wParam) == EN_UPDATE) {
/* enable OK button only if url and username (for AS only) are filled */ /* enable OK button only if url and username are filled */
BOOL enableOK = GetWindowTextLengthW(GetDlgItem(hwndDlg, ID_EDT_URL)) BOOL enableOK = GetWindowTextLengthW(GetDlgItem(hwndDlg, ID_EDT_URL))
&& (type == server_generic && GetWindowTextLengthW(GetDlgItem(hwndDlg, ID_EDT_AUTH_USER));
|| GetWindowTextLengthW(GetDlgItem(hwndDlg, ID_EDT_AUTH_USER)));
EnableWindow(GetDlgItem(hwndDlg, IDOK), enableOK); EnableWindow(GetDlgItem(hwndDlg, IDOK), enableOK);
} }
break; break;
@ -577,11 +585,14 @@ ImportProfileFromURLDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa
} }
BOOL downloaded = DownloadProfile(hwndDlg, &comps, username, password, path, _countof(path)); BOOL downloaded = DownloadProfile(hwndDlg, &comps, username, password, path, _countof(path));
if (username_len != 0) if (username_len > 0)
free(username); free(username);
if (password_len != 0) if (password_len > 0)
{
SecureZeroMemory(password, strlen(password));
free(password); free(password);
}
if (downloaded) { if (downloaded) {
EndDialog(hwndDlg, LOWORD(wParam)); EndDialog(hwndDlg, LOWORD(wParam));

Write Preview
Loading…
Cancel
Save