Bug/Design Flaw in handling variables

Discussion in 'X-WRT - OpenWRT Firmware' started by penkert, Sep 12, 2007.

  1. penkert

    penkert Network Guru Member

    Bug/Design Flaw in handling variables (X-WRT)

    I have the latest stable release (r3529) of X-WRT for White Russian 0.9 installed and I'm using WPA PSK keys that have been created by a random process. Because of that I noticed a weakness of X-WRT when it comes to handling user input variable data.

    For instance, if the WPA PSK key contains a vertical bar "|" this will chop the key apart at that exact location the next time it is loaded into the X-WRT wireless settings page. This problem is not limited to the "WPA PSK" field or the "Wireless Configuration" page, nor is the "|" character the only critical character there is.

    I think the problem is not just a little bug but lies burried deeper in the way X-WRT (and I believe also the original White Russian webif) handles and remembers variables before commiting them to the nvram. So my questions is: Will this ever be fixed? Is the problem still present in the latest milestone 3 snapshots?
  2. Bill_MI

    Bill_MI Network Guru Member

    I don't run X-Wrt but tested Whiterussian 0.9 at the nvram command. Strangely, I did NOT find (|) to be a problem for setting the variable (wl0_wpa_psk). I only found (\), (") and (`). These can have a (\) placed in front of them.

    To set desired ab\cd"ef`gh in wl0_wpa_psk:
    nvram set wl0_wpa_psk="ab\\cd\"ef\`gh"

    This is a workaround if you have to use these characters. I imagine X-Wrt has something like this in the webif and must be doing something special, perhaps a bug in handling (|).
  3. penkert

    penkert Network Guru Member

    Yes, within the SSH shell quotes and backslashes need to be escaped by a preceding backslash in these situations. (In fact, in the end this was exactly what I did to enter my desired WPA key.)

    The bug is only present in the web interface! So whenever you have a value containing a "|" (or some other sensitive symbols) the value is truncated and the first part is shown in the corresponding form field while the rest appears as clear HTML text right underneath the input field.
  4. thepeople

    thepeople LI Guru Member

  5. penkert

    penkert Network Guru Member

    OK, just did that. Thanks thepeople!
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice