Bug 7616 - Barnyard2 webui configuration updates result in ****** written to the config for the password #373

Merged
merged 2 commits into from
Jul 31, 2017

Contributor

@renaudholcombe renaudholcombe commented Jul 15, 2017

The logic of the password input type will send a hardcoded '********' post value when the value has not been edited, which was not handled. The changes are to escape when the DMYPWD constant is being passed in. Another aspect of this is that when the value has not changed, it needs to be re-encoded to base64 since it was decrypted during page load.

This is to address Bug-7616.
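
The placeholder handling described above, as an added example that is not code from this pull request or from the pfSense package: it shows the stored value being kept when the form posts the mask back, next to what an unconditional save would persist. The function name `resolve_password_field`, its parameters and the sample password are hypothetical; only `DMYPWD` and its `'********'` value come from the description.

```php
<?php
// Added illustration; not the package's code. Names other than DMYPWD are hypothetical.
const DMYPWD = '********';

/**
 * Decide what to write back to the config for a masked password field.
 *
 * @param string $posted    Raw value received from the form POST.
 * @param string $storedB64 Base64 value currently held in the config.
 * @return string           Base64 value to store.
 */
function resolve_password_field(string $posted, string $storedB64): string
{
    // The browser returned the placeholder untouched: keep the stored
    // value exactly as it is instead of saving the mask.
    // Strict comparison avoids PHP type juggling on user input.
    if ($posted === DMYPWD) {
        return $storedB64;
    }

    // The user typed a new value, so encode it for storage.
    return base64_encode($posted);
}

// Constructed sample data.
$stored = base64_encode('s3cret-db-pass');

// Assumed shape of the bug: saving the POST value unconditionally
// persists the mask itself as the database password.
$unconditional = base64_encode(DMYPWD);

$unchanged = resolve_password_field(DMYPWD, $stored);
$changed   = resolve_password_field('new-pass', $stored);

echo 'unchanged field keeps stored value: ';
var_dump($unchanged === $stored);

echo 'edited field stores the new value: ';
var_dump(base64_decode($changed) === 'new-pass');

echo 'unconditional save stores the mask: ';
var_dump(base64_decode($unconditional) === DMYPWD);
```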

@bmeeks8
Contributor

bmeeks8 commented Jul 18, 2017

Thanks for this bug fix as well. It had been on my TODO list, but I had not gotten around to it.

Bill

@renaudholcombe
Contributor Author

@bmeeks8, not a problem, glad to help.

Off-topic, but I've been digging around in the redmine issues/roadmap to look for quick hits; if there are other issues of higher priority you'd like me to look at when I've got a little time, let me know. I'm new to pfSense development so I'm still on the learning curve, but happy to dig into items you see as more important.

@bmeeks8
Contributor

bmeeks8 commented Jul 18, 2017

I suspect the same two bugs you fixed in the Snort GUI package are also present in the Suricata GUI package since those two packages share a lot of identical code. If you have some time and want to take a look for the same code issues in the Suricata package, I would appreciate it. I have been very busy the last year with some outside consulting/contract work and that has taken all of my time I used to be able to dedicate to the Snort and Suricata packages.

Thanks again for jumping in and helping out with the package maintenance!

Bill

@renaudholcombe
Contributor Author

Good thinking, I'll take a look.

Member

@rbgarga rbgarga left a comment

@bmeeks8 can you please check this one as well?

else
// Because of the base64 encoding/decoding, in the case of a valid value that hasn't changed, it needs to be re-encoded to base64.
if ($_POST['barnyard_dbpwd'] != DMYPWD) unset($natent['barnyard_dbpwd']);
else $natent['barnyard_dbpwd'] = base64_encode($natent['barnyard_dbpwd']);
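
Review bot: the nested if/else on the last two lines hangs off the bare `else` without braces, so it is correct only because the inner if/else parses as a single statement; brace both levels and put each assignment on its own line so a later edit cannot move a statement out of the branch. The check `$_POST['barnyard_dbpwd'] != DMYPWD` is a loose comparison on user input and should be `!==`. Because the placeholder is compared by value, a real password equal to DMYPWD cannot be told apart from an untouched field, and `base64_encode` only encodes the stored password rather than protecting it, which is worth stating in the comment above the check.
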
Member

Please fix style

Contributor

This change is essentially identical to the one submitted for Suricata. The same issue with re-encoding an already encoded password upon a "save" operation exists in Snort since both packages share much of the same GUI code. I am OK with this fix, but I do agree the if/then/else statement indents need fixing up.

Bill

@netgate-git-updates netgate-git-updates merged commit 22658a4 into pfsense:devel Jul 31, 2017
netgate-git-updates pushed a commit that referenced this pull request Sep 19, 2020
netgate-git-updates pushed a commit that referenced this pull request Jul 5, 2022