-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
openmediavault-luksencryption add password does not accept blanks (probably quoting problem, security-relevant) #48
Comments
The passphrase should be escaped - https://github.com/OpenMediaVault-Plugin-Developers/openmediavault-luksencryption/blob/master/usr/share/php/openmediavault/system/storage/luks/container.inc#L512. I will need to setup a test system to test this. I don't currently have much time to do that though. Feel free to send a pull request.
It shouldn't. |
I experienced the same problem:
If I understand the log correctly: Could it be that the cryptsetup command is called via |
Yep. This seems to be the problem: I just made a bash script with the command from the log entry and ran it through shellcheck:
|
A workaround for now seems to be to enter the passphrase in double quotes: @meyergru: Are you sure this gets logged? I also don't want my passwords to be safed in logs and tried to delete them but I couldn't find any logfile nor anything in journalctl that would contain this... |
Describe the bug
When I try to add a password via the GUI that contains blanks, I get an error like this:
To show and or protocol such an error is bad (tm), since that line gets logged (probably also remotely, if enabled) and thus renders all passwords insecure.
Also, the quoting is probably incorrect since such errors do not occur when they consist only of numbers and letters. I suspect that it coughs on other special characters as well.
To Reproduce
Use the GUI to add a password. Choose a password with a blank in it.
Expected behavior
No error. And if there is an error, no log entry with the cleartext passwords in it.
Reference to Forum
https://forum.openmediavault.org/index.php?thread/47819-bug-report-openmediavault-luksencryption-add-password-does-not-accept-blanks-pro/
openmediavault Server (please complete the following information):
Client (please complete the following information):
none
The text was updated successfully, but these errors were encountered: