Most non-alphanumeric characters flagged as invalid in passwords and elsewhere

lifeboy · Dec 19, 2016, 2:10 PM

Since a recent upgrade (I'm on 2.3.2_1 now), in many places in the GUI virtually only a-z, A-Z, 0-9 seem to be allowed. Previously this was not the case. Now I can't even use an _ in an alias name for instance. Or an @ or $ in a password. While it is possible to use simpler strings, specifically in the instance of passwords, this significantly reduces the security of a password. Strangely enough, anything already stored in a config somewhere continues to be accepted, it's only new passwords and other entries that are not allowed to have even the simplest special characters.

I suppose this is a bug, since I cannot believe that this is a design decision or is it?

An example:
Setting a L2TP user's password which includes a @, results in this:
The password contains invalid characters.

What's going on here?

thanks

jimp · Dec 20, 2016, 3:37 PM

In the past, some areas were not properly validated against what the underlying systems could handle in all cases, so we have to tighten input validation here and there to stop invalid configurations from being made.

The L2TP password field has rejected @ since at least pfSense 2.0. That has not changed. "" is allowed in an alias name just fine, I just made one with "" a few moments ago as a test.

For other examples you'll have to be much more specific about what pages you are on and what specific inputs are rejected, and the exact error messages received.

GTAXL · Dec 20, 2016, 6:31 PM

That's funny involving the input validation because when I was going through the pfSense Setup wizard on the Configure LAN Interface, it said 10.0.0.1 was an Invalid IP Address, I hit OK and continued the wizard and it worked anyway and set the IP, but strange nonetheless.

jimp · Dec 20, 2016, 6:33 PM

You might have had a stray space before/after the address.

GTAXL · Dec 20, 2016, 6:37 PM

I don't think I did as I recorded it on video of me setting up my SG-1000. It popped that up when I clicked off the field after I finished typing it. It's no big deal, it set it to 10.0.0.1, was just interesting.

jimp · Dec 20, 2016, 7:18 PM

OK I was able to replicate that one and it's not behaving properly, I'll open a ticket.

EDIT: https://redmine.pfsense.org/issues/7025

GTAXL · Dec 20, 2016, 7:22 PM

Glad to assist in finding bugs, it still sets the LAN IP though, just a little annoyance pop-up. :)