--- Bug #18 -- Patch: Stop Echoing Passwords in CLI Replies
---
--- Root cause:
---   The "password <new>" command echoes the new admin password in the CLI
---   reply: sprintf(reply, "password now: %s", _prefs->password).
---   The "get guest.password" command returns the guest password in plaintext.
---   Both replies traverse the radio link (encrypted, but available to the
---   admin client in plaintext after decryption).
---
--- Fix:
---   1. "password <new>" reply: confirm change without echoing the password.
---   2. "get guest.password" reply: mask the password (show length + last 2 chars).
---
---   This is a minimal hardening patch.  A full fix would also require:
---   - AES-CBC/CTR mode to prevent ciphertext pattern leaking (Bug #5)
---   - Password hashing on flash (bcrypt/scrypt) instead of plaintext
---   - Challenge-response login instead of sending password over radio
---   These are protocol-level changes beyond the scope of this patch.
---
--- Files changed:
---   src/helpers/CommonCLI.cpp -- 2 changes

--- a/src/helpers/CommonCLI.cpp
+++ b/src/helpers/CommonCLI.cpp
@@ -284,7 +284,7 @@
     } else if (memcmp(command, "password ", 9) == 0) {
       // change admin password
       StrHelper::strncpy(_prefs->password, &command[9], sizeof(_prefs->password));
       savePrefs();
-      sprintf(reply, "password now: %s", _prefs->password);   // echo back just to let admin know for sure!!
+      strcpy(reply, "OK - password changed");
     } else if (memcmp(command, "clear stats", 11) == 0) {
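Review bot: With the echo gone, the admin can no longer see what was actually stored by `StrHelper::strncpy(_prefs->password, &command[9], sizeof(_prefs->password))` on the context line above, which presumably truncates input longer than the buffer. The old reply was the only way to notice a truncated password, and a bare `password ` command still stores an empty string. Validate before copying and saving, e.g. `size_t n = strlen(&command[9]); if (n == 0 || n >= sizeof(_prefs->password)) { strcpy(reply, "Err - bad password length"); }`, with the existing copy, `savePrefs()` and the OK reply moved into the `else`. The enclosing command handler starts and ends outside the hunk, so the truncation behaviour of `StrHelper::strncpy` and the effect of an empty admin password should be confirmed there.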

--- b/src/helpers/CommonCLI.cpp
+++ b/src/helpers/CommonCLI.cpp
@@ -754,7 +754,14 @@
   } else if (memcmp(config, "guest.password", 14) == 0) {
-    sprintf(reply, "> %s", _prefs->guest_password);
+    // Show masked password: length + last 2 chars
+    int plen = strlen(_prefs->guest_password);
+    if (plen == 0) {
+      strcpy(reply, "> (not set)");
+    } else {
+      int show = (plen > 2) ? 2 : plen;
+      sprintf(reply, "> (%d chars) ...%s", plen, &_prefs->guest_password[plen - show]);
+    }
   } else if (sender_timestamp == 0 && memcmp(config, "prv.key", 7) == 0) {  // from serial command line only
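Review bot: The mask still discloses the entire guest password when it is one or two characters long, because `show` equals `plen` in that case, and it shows two of three characters for a three-character password. Exact length plus the last two characters also narrows a guessing search, and per the patch description this reply travels over the radio link to the client. Consider revealing no characters, or only above a minimum length, e.g. `int show = (plen >= 8) ? 2 : 0;`, or limiting the branch to the serial console the way the `prv.key` branch below does with `sender_timestamp == 0`. The enclosing function starts and ends outside the hunk.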
