OpenWISP-Manager
Cannot set a wpa password with special chars
A user cannot set a WPA password that contains special chars. The problem is in /app/models/vim vap_template.rb in this regex
validates_format_of :key, :with => /\A[\s\w\d._]+\Z/i, :if => :key_needed?
According to the standard it can allow special chars, can't it?
@dguerri @nemesisdesign
I'm going to label this issue as an "enhancement" and not a "bug" since I think this is a missing feature rather than a bug. Moreover, it deserves some discussion.
A WPA-compliant regular expression for PSK validation could be the following
\A[\x20-\x7e]+\Z
But... I'd be very cautious and "conservative" about what OWM accepts as user input for this field, as our system and OpenWRT require some characters to be escaped in order to be used as WPA-PSK.
First of all the "key" field is used with 3 different meanings with different formats and different length requirements:
- WPA PSK
- 802.1x RADIUS secret (if the RADIUS address field has a value): this could be composed of any byte value (from 0x00 to 0xff) and could be of any length (unless I am mistaken)... However, this is usually implementation dependent.
- WEP key (if WEP security is used): for this, the key field should accept ANY hexadecimal digit (length should also be validated as it can be only 5 bytes or 13 bytes)
Second, let's take for instance the double-quote char ("): this must be escaped by OWM because it would be "printed" as-is in the wifi UCI configuration file for OpenWRT and it will almost certainly "close" the previous double-quote... Another example could be the dollar ($) sign or the back-tick char: these could be very dangerous.
What do you (@idemarinis @mtylty @nemesisdesign @riblo @spawnazzo) think about this? What should OWM accept for the :key field? (and how should it process it)
I've just run into this: http://www.ruby-doc.org/core-1.9.3/String.html#method-i-dump
Produces a version of str with all nonprinting characters replaced by \nnn notation and all special characters escaped.
It could be useful.
What kind of characters do we want to accept? Let's choose the most useful ones and include them in the regexp. What do you think? @spawnazzo
I suppose that the form may be conditional: if we use a WPA2 password we must accept all chars; if we select a RADIUS server we have to perform a different check, @dguerri?
@spawnazzo yes, you're right. But I've just realized that we have some complications here.
As stated in the official OpenWRT documentation:
- for WEP: The length of a 64bit WEP key must be exactly 5 characters. The length of a 128bit WEP key must be exactly 13 characters. Allowed characters are letters (upper and lower case) and numbers.
- for WPA/WPA2 PSK (despite the standards): For the key only letters (upper and lower case) and numbers are allowed. The length must be between 8 and 63 characters. If the key length is 64 characters, it is treated as hex encoded.
- for RADIUS secret: It could be composed of any byte value (from 0x00 to 0xff) but, for the sake of security, my proposal is to leave it unchanged.
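The per-mode rules listed in this thread, written as one validator. This is an added example, not OpenWISP Manager code: the module name `KeyCheck`, the mode symbols and the `strict` switch are assumptions, and "unchanged" for RADIUS is read here as keeping the regex quoted in the issue.

```ruby
# Added example (hypothetical helper, not part of OpenWISP Manager).
module KeyCheck
  # All patterns end in \z rather than \Z: \Z also matches before a trailing
  # newline, so "password\n" would pass and the newline would reach the config.
  LEGACY       = /\A[\s\w\d._]+\z/i      # character set from the regex quoted in the issue
  ALNUM        = /\A[A-Za-z0-9]+\z/      # letters and numbers only (OpenWRT rule quoted above)
  PRINTABLE    = /\A[\x20-\x7e]+\z/      # WPA-compliant range proposed in the thread
  HEX64        = /\A\h{64}\z/            # 64 characters: treated as hex encoded
  NEEDS_ESCAPE = /["$`]/                 # characters the thread flags as dangerous in UCI output

  # mode is :wep, :wpa_psk or :radius (assumed names). Returns [ok, reason].
  # strict: true applies the letters-and-numbers rule to the PSK,
  # strict: false applies the printable-ASCII range instead.
  def self.validate(mode, key, strict: true)
    case mode
    when :wep
      return [false, "WEP key must be 5 or 13 characters"] unless [5, 13].include?(key.length)
      return [false, "WEP key: letters and numbers only"] unless key.match?(ALNUM)
    when :wpa_psk
      return [true, "64 hex digits: treated as hex encoded"] if key.match?(HEX64)
      return [false, "PSK must be 8 to 63 characters"] unless (8..63).cover?(key.length)
      charset = strict ? ALNUM : PRINTABLE
      return [false, "PSK has characters outside the allowed set"] unless key.match?(charset)
      return [true, "valid, but must be escaped before writing UCI"] if key.match?(NEEDS_ESCAPE)
    when :radius
      return [false, "RADIUS secret rejected by the existing rule"] unless key.match?(LEGACY)
    else
      raise ArgumentError, "unknown mode #{mode.inspect}"
    end
    [true, "valid"]
  end
end

# Constructed sample keys, one per case discussed in the thread.
if __FILE__ == $PROGRAM_NAME
  [[:wep, "abcde"], [:wpa_psk, "pass word!"], [:wpa_psk, "g" * 64], [:radius, "secret_1.x"]].each do |mode, key|
    puts "#{mode} #{key.inspect}: #{validate = KeyCheck.validate(mode, key)}"
  end
end
```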
@spawnazzo news?