Re: [OpenWrt-Tickets] [OpenWrt] #20096: Wireless configuration may update the WiFi key to router's login password

Thu, 16 Jul 2015 17:08:22 -0700 

#20096: Wireless configuration may update the WiFi key to router's login 
password
-------------------------+-------------------------------------------------
  Reporter:  gvalkov     |      Owner:  developers
      Type:  defect      |     Status:  new
  Priority:  high        |  Milestone:  Chaos Calmer (trunk)
 Component:  packages    |    Version:  Trunk
Resolution:              |   Keywords:  saved login password LuCI wireless
                         |  key administration
-------------------------+-------------------------------------------------

Comment (by anonymous):

 according to
 https://developer.mozilla.org/en-
 US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

 and
 https://developer.mozilla.org/en/docs/Web/HTML/Element/form#Google_Chrome_notes

 BOTH the {{{ <form> }}} and the {{{ <input> }}} tags should have the
 attribute autocomplete="off"

 and they should look somewhat similar to this:
 form:
 {{{
 <form autocomplete="off" method="post" name="cbi"
 action="/cgi-
 bin/luci/;stok=____TOKEN_HERE___/admin/network/wireless/radio0.network3"
 enctype="multipart/form-data" onreset="return cbi_validate_reset(this)"
 onsubmit="return cbi_validate_form(this, 'Some fields are invalid, cannot
 save values!')">
 }}}


 Also, Chrome has a habit of sometimes ignoring the autocomplete attribute
 so just to make sure that it doesn't mess with the form then create a few
 dummy fields before all the other fields and make them hidden with
 "display:none".

 {{{
 (note: the dummy ones do not have the autocomplete attribute set.
 Also, keep the comment about the reason for using the hidden inputs
 in the html source too.)

 <!-- these are needed for Chrome autofill messing the form -->
 <input style="display:none" type="password" name="dummypassword">
 <input style="display:none" type="text" name="dummytext">


 (real input fields)
 <input autocomplete="off" class="cbi-input-password" type="password"
 name="luci_password"  />

 <input autocomplete="off" type="password" class="cbi-input-password"
 onchange="cbi_d_update(this.id)" name="cbid.wireless.cfg073579._wpa_key"
 id="cbid.wireless.cfg073579._wpa_key" value="********" />
 }}}

--
Ticket URL: <https://dev.openwrt.org/ticket/20096#comment:2>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
_______________________________________________
openwrt-tickets mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-tickets

Reply via email to