| Message ID | 20251017094258.632108-1-ummeegge@ipfire.org |
|---|---|
| State | New |
| Headers |
Return-Path: <development+bounces-1223-patchwork=ipfire.org@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1 raw public key) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R13" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4cp0HN4vVrz3wb0 for <patchwork@web04.haj.ipfire.org>; Fri, 17 Oct 2025 09:42:56 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [IPv6:2001:678:b28::201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail02.haj.ipfire.org", Issuer "E8" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4cp0HN10HNz2S7 for <patchwork@ipfire.org>; Fri, 17 Oct 2025 09:42:56 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4cp0HN0J6jz2y5k for <patchwork@ipfire.org>; Fri, 17 Oct 2025 09:42:56 +0000 (UTC) X-Original-To: development@lists.ipfire.org Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R13" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4cp0HK3K66z2xJy for <development@lists.ipfire.org>; Fri, 17 Oct 2025 09:42:53 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4cp0HJ3TR2zTh; Fri, 17 Oct 2025 09:42:52 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1760694172; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=uvl1KJJForRO6rh2AR979vG0U9bSbuXDMS2/hbx6aNE=; b=gcipB6+CtdtwDumwWV8k/be1sTvq9WdKxgV5hdd/byRQCAzCJdBchiQjn4jyMT7ZsmqEus gViDIuYE5cJkeVCQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1760694172; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=uvl1KJJForRO6rh2AR979vG0U9bSbuXDMS2/hbx6aNE=; b=jMnsAC8c6sQ0IUNrMgrK2INS4RzsJ6FwJ5VB9303M5TBdXIywkGAZghnRJ2LxPwezPdcuB h0ZcvrsoK5i7a58P4eSCiMPnAZz/fm/IoZFXgP+caeqrUDXyAGnxZYgj/zqcc+AS4n0j1Z mUxcqRVC77OYaZv+mp6v+yzXGk9kQDREc0FE9HKy1+58a5HQKTQMozXD5/5sPveNByn8pq oPnP1+nSkRDPJwa9NM/TFmat9pEiM7IfSC7sA3MKrVCwK5Len6G5Uw9+8Auvu4KxPhyHlu S6qETWZeSqc4kN3HfK/SnQH2MIxkRrFgVWUV4E1cZsEN6mkTWvcrvutz/FDXlg== From: ummeegge <ummeegge@ipfire.org> To: development@lists.ipfire.org Cc: ummeegge <ummeegge@ipfire.org> Subject: [PATCH] wlanap.cgi: Save IEEE80211W 'optional' value correctly Date: Fri, 17 Oct 2025 11:42:54 +0200 Message-ID: <20251017094258.632108-1-ummeegge@ipfire.org> Precedence: list List-Id: <development.lists.ipfire.org> List-Subscribe: <https://lists.ipfire.org/>, <mailto:development+subscribe@lists.ipfire.org?subject=subscribe> List-Unsubscribe: <https://lists.ipfire.org/>, <mailto:development+unsubscribe@lists.ipfire.org?subject=unsubscribe> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development+help@lists.ipfire.org?subject=help> Sender: <development@lists.ipfire.org> Mail-Followup-To: <development@lists.ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit |
| Series |
wlanap.cgi: Save IEEE80211W 'optional' value correctly
|
|
Commit Message
ummeegge
17 Oct 2025, 9:42 a.m. UTC
Original ternary ignored 'optional' and forced 'off'.
Use defined-or (//) to preserve all select values.
Signed-off-by: ummeegge <ummeegge@ipfire.org>
---
html/cgi-bin/wlanap.cgi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
Hello Erik,
Thank you for your patch.
I cannot quite merge this because the patch changes behaviour so that the browser could write arbitrary values into the configuration file without further sanitisation. To fix this, we must check if $cgiparams{'IEEE80211W’} contains one of three possible values.
Would you like to update this patch accordingly?
-Michael
> On 17 Oct 2025, at 10:42, ummeegge <ummeegge@ipfire.org> wrote:
>
> Original ternary ignored 'optional' and forced 'off'.
> Use defined-or (//) to preserve all select values.
>
> Signed-off-by: ummeegge <ummeegge@ipfire.org>
> ---
> html/cgi-bin/wlanap.cgi | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi
> index 600ddc489..afdba59b3 100644
> --- a/html/cgi-bin/wlanap.cgi
> +++ b/html/cgi-bin/wlanap.cgi
> @@ -118,7 +118,7 @@ if ($cgiparams{'ACTION'} eq "$Lang::tr{'save'}") {
> $wlanapsettings{'NOSCAN'} = ($cgiparams{'NOSCAN'} eq 'on') ? 'on' : 'off';
> $wlanapsettings{'ENC'} = $cgiparams{'ENC'};
> $wlanapsettings{'PWD'} = $cgiparams{'PWD'};
> - $wlanapsettings{'IEEE80211W'} = ($cgiparams{'IEEE80211W'} eq 'on') ? 'on' : 'off';
> + $wlanapsettings{'IEEE80211W'} = $cgiparams{'IEEE80211W'} // 'off';
> $wlanapsettings{'TX_POWER'} = $cgiparams{'TX_POWER'};
>
> if ($errormessage eq '') {
> --
> 2.47.2
>
>
Hi Michael, hope version 2 fits the needs. Best, Erik Am Mittwoch, dem 22.10.2025 um 11:17 +0100 schrieb Michael Tremer: > Hello Erik, > > Thank you for your patch. > > I cannot quite merge this because the patch changes behaviour so that > the browser could write arbitrary values into the configuration file > without further sanitisation. To fix this, we must check if > $cgiparams{'IEEE80211W’} contains one of three possible values. > > Would you like to update this patch accordingly? > > -Michael > > > On 17 Oct 2025, at 10:42, ummeegge <ummeegge@ipfire.org> wrote: > > > > Original ternary ignored 'optional' and forced 'off'. > > Use defined-or (//) to preserve all select values. > > > > Signed-off-by: ummeegge <ummeegge@ipfire.org> > > --- > > html/cgi-bin/wlanap.cgi | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi > > index 600ddc489..afdba59b3 100644 > > --- a/html/cgi-bin/wlanap.cgi > > +++ b/html/cgi-bin/wlanap.cgi > > @@ -118,7 +118,7 @@ if ($cgiparams{'ACTION'} eq > > "$Lang::tr{'save'}") { > > $wlanapsettings{'NOSCAN'} = ($cgiparams{'NOSCAN'} eq 'on') ? 'on' : > > 'off'; > > $wlanapsettings{'ENC'} = $cgiparams{'ENC'}; > > $wlanapsettings{'PWD'} = $cgiparams{'PWD'}; > > - $wlanapsettings{'IEEE80211W'} = ($cgiparams{'IEEE80211W'} eq > > 'on') ? 'on' : 'off'; > > + $wlanapsettings{'IEEE80211W'} = $cgiparams{'IEEE80211W'} // > > 'off'; > > $wlanapsettings{'TX_POWER'} = $cgiparams{'TX_POWER'}; > > > > if ($errormessage eq '') { > > -- > > 2.47.2 > > > >
Hello Erik, Yes, thank you. That looks good to me. -Michael > On 22 Oct 2025, at 19:02, ummeegge <ummeegge@ipfire.org> wrote: > > Hi Michael, > hope version 2 fits the needs. > > Best, > > Erik > > Am Mittwoch, dem 22.10.2025 um 11:17 +0100 schrieb Michael Tremer: >> Hello Erik, >> >> Thank you for your patch. >> >> I cannot quite merge this because the patch changes behaviour so that >> the browser could write arbitrary values into the configuration file >> without further sanitisation. To fix this, we must check if >> $cgiparams{'IEEE80211W’} contains one of three possible values. >> >> Would you like to update this patch accordingly? >> >> -Michael >> >>> On 17 Oct 2025, at 10:42, ummeegge <ummeegge@ipfire.org> wrote: >>> >>> Original ternary ignored 'optional' and forced 'off'. >>> Use defined-or (//) to preserve all select values. >>> >>> Signed-off-by: ummeegge <ummeegge@ipfire.org> >>> --- >>> html/cgi-bin/wlanap.cgi | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi >>> index 600ddc489..afdba59b3 100644 >>> --- a/html/cgi-bin/wlanap.cgi >>> +++ b/html/cgi-bin/wlanap.cgi >>> @@ -118,7 +118,7 @@ if ($cgiparams{'ACTION'} eq >>> "$Lang::tr{'save'}") { >>> $wlanapsettings{'NOSCAN'} = ($cgiparams{'NOSCAN'} eq 'on') ? 'on' : >>> 'off'; >>> $wlanapsettings{'ENC'} = $cgiparams{'ENC'}; >>> $wlanapsettings{'PWD'} = $cgiparams{'PWD'}; >>> - $wlanapsettings{'IEEE80211W'} = ($cgiparams{'IEEE80211W'} eq >>> 'on') ? 'on' : 'off'; >>> + $wlanapsettings{'IEEE80211W'} = $cgiparams{'IEEE80211W'} // >>> 'off'; >>> $wlanapsettings{'TX_POWER'} = $cgiparams{'TX_POWER'}; >>> >>> if ($errormessage eq '') { >>> -- >>> 2.47.2 >>> >>> >
diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi index 600ddc489..afdba59b3 100644 --- a/html/cgi-bin/wlanap.cgi +++ b/html/cgi-bin/wlanap.cgi @@ -118,7 +118,7 @@ if ($cgiparams{'ACTION'} eq "$Lang::tr{'save'}") { $wlanapsettings{'NOSCAN'} = ($cgiparams{'NOSCAN'} eq 'on') ? 'on' : 'off'; $wlanapsettings{'ENC'} = $cgiparams{'ENC'}; $wlanapsettings{'PWD'} = $cgiparams{'PWD'}; - $wlanapsettings{'IEEE80211W'} = ($cgiparams{'IEEE80211W'} eq 'on') ? 'on' : 'off'; + $wlanapsettings{'IEEE80211W'} = $cgiparams{'IEEE80211W'} // 'off'; $wlanapsettings{'TX_POWER'} = $cgiparams{'TX_POWER'}; if ($errormessage eq '') {