diff --git a/CHANGELOG.md b/CHANGELOG.md index 8228e17..8f832ee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,16 +4,24 @@ All notable changes to this project will be documented in this file. Dates are d Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog). +#### [1.4.0](https://github.com/rdkcentral/webui/compare/1.3.0...1.4.0) + +- RDKB-61349: [SECVULN] Issuer and audience validation missing [`#65`](https://github.com/rdkcentral/webui/pull/65) +- XER10-1896: Adding regex to validate client hostname [`#76`](https://github.com/rdkcentral/webui/pull/76) +- Merge tag '1.3.0' into develop [`1547fb9`](https://github.com/rdkcentral/webui/commit/1547fb9941bcb1c50feb2cb83a36afa0c47eda8f) + #### [1.3.0](https://github.com/rdkcentral/webui/compare/1.2.1...1.3.0) +> 6 November 2025 + - RDKB-61788 : Input elements blocked in WebUI can be bypassed in HCM mode [`#40`](https://github.com/rdkcentral/webui/pull/40) - RDKB-61758: Removed MoCA option in GUI in bridge mode. [`#66`](https://github.com/rdkcentral/webui/pull/66) - RDKB-62246 : Harden WebUI Login - Exclude for sky partner [`#64`](https://github.com/rdkcentral/webui/pull/64) - RDKB-61875: 320MHz BW is not greyed out for ax mode in 6G [`#60`](https://github.com/rdkcentral/webui/pull/60) - RDKB-62077: Failed to add Parental Control Managed Service with Alway… [`#63`](https://github.com/rdkcentral/webui/pull/63) - RDKB-62246 : Harden WebUI Login - Exclude sky dev [`3640651`](https://github.com/rdkcentral/webui/commit/3640651507fcc6b59a0de629aac7a067151da825) +- Add changelog for release [`6c027d8`](https://github.com/rdkcentral/webui/commit/6c027d8fbc9eb1949c0a89ea498cb0613caa59aa) - RDKB-62077: Failed to add Parental Control Managed Service with AlwaysBlock enabled [`aeee8d9`](https://github.com/rdkcentral/webui/commit/aeee8d90f5d68201cd96a8fe9172a96f3845c02d) -- RDKB-61875: 320MHz BW is not grayed out for ax mode in 6G [`0295e22`](https://github.com/rdkcentral/webui/commit/0295e22210c281a7a7b453cd94e54f18f63d296e) #### [1.2.1](https://github.com/rdkcentral/webui/compare/1.2.0...1.2.1) 
diff --git a/source/Styles/xb3/jst/check.jst b/source/Styles/xb3/jst/check.jst
index 07b3650..dd9bb47 100644
--- a/source/Styles/xb3/jst/check.jst
+++ b/source/Styles/xb3/jst/check.jst
@@ -360,7 +360,12 @@ else
 }
 if($flag==0){
 // session_destroy();
+ $partnersId = getStr("Device.DeviceInfo.X_RDKCENTRAL-COM_Syndication.PartnerId");
+ if (strpos($partnersId, "sky-") !== false) {
+ sendError( '');
+ } else {
 sendError( '');
+ }
 }
 }
 else
diff --git a/source/Styles/xb3/jst/connected_devices_computers.jst b/source/Styles/xb3/jst/connected_devices_computers.jst
index 04247f9..f280790 100644
--- a/source/Styles/xb3/jst/connected_devices_computers.jst
+++ b/source/Styles/xb3/jst/connected_devices_computers.jst
@@ -204,10 +204,10 @@ if($locale=="it" || $locale=="en_GB"){
 $onlinePrivateNetworkHost[$j.toString()]={};
 $onlinePrivateNetworkHost[$j.toString()]['instanceID'] = $i + 1;
 array_push($onlinePrivateInstanceArr, $onlinePrivateNetworkHost[$j.toString()]['instanceID']);
- if (($Host[$i]['HostName'] == "*") || (strlen($Host[$i]['HostName']) == 0))
- $onlinePrivateNetworkHost[$j.toString()]['HostName'] = strtoupper($Host[$i.toString()]['PhysAddress']);
- else
- $onlinePrivateNetworkHost[$j.toString()]['HostName'] = $Host[$i.toString()]['HostName'];
+ if ((strlen($Host[$i]['HostName']) != 0) && isValidHostname($Host[$i]['HostName']))
+ $onlinePrivateNetworkHost[$j.toString()]['HostName'] = $Host[$i.toString()]['HostName'];
+ else
+ $onlinePrivateNetworkHost[$j.toString()]['HostName'] = strtoupper($Host[$i.toString()]['PhysAddress']);
 array_push($onlineHostNameArr, $onlinePrivateNetworkHost[$j.toString()]['HostName']);
 $onlinePrivateNetworkHost[$j.toString()]['IPv4Address'] = $Host[$i.toString()]['IPv4Address.1.IPAddress'];
 // IPV6 link-local address
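Review bot: The two branches of the new `if (strpos($partnersId, "sky-") !== false)` are byte-identical (`sendError( '');` in both), so the added `getStr` round-trip on the failed-login path changes nothing observable; either the sky-specific branch is missing its intended content or the conditional should be dropped. If it stays, `strpos(...) !== false` matches `sky-` anywhere in the PartnerId rather than as a prefix, and `strpos($partnersId, "sky-") === 0` would be the tighter test the branch name implies. At minimum a comment such as `// PartnerId branch intentionally identical for now - see RDKB-62246` would stop the next maintainer from treating this as a bug. The enclosing function starts before the hunk.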
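Review bot: `isValidHostname` (added in the utility.jst hunk of this same diff) accepts only `[a-zA-Z0-9_-]{1,30}`, so a client that reports a dotted or longer name (`printer.lan`, a 31-character Windows name) now silently shows as its MAC address; if that is intended as the allowlist for untrusted DHCP-supplied names, say so at the call site, e.g. `// HostName is client-controlled: render it only if it passes the allowlist, else show the MAC`. The old `== "*"` case is still covered because `*` fails the regex. The allowlist is a display-layer defence only, so wherever `$onlineHostNameArr` is echoed into HTML it must still be output-encoded; neither the regex nor the MAC fallback replaces that. The enclosing loop starts outside the hunk.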
@@ -236,10 +236,10 @@ if($locale=="it" || $locale=="en_GB"){
 $offlinePrivateNetworkHost[$k]={};
 $offlinePrivateNetworkHost[$k.toString()]['instanceID'] = $i + 1;
 array_push($offlinePrivateInstanceArr, $offlinePrivateNetworkHost[$k.toString()]['instanceID']);
- if (($Host[$i]['HostName'] == "*") || (strlen($Host[$i]['HostName']) == 0))
- $offlinePrivateNetworkHost[$k.toString()]['HostName'] = strtoupper($Host[$i.toString()]['PhysAddress']);
- else
- $offlinePrivateNetworkHost[$k.toString()]['HostName'] = $Host[$i.toString()]['HostName'];
+ if ((strlen($Host[$i]['HostName']) != 0) && isValidHostname($Host[$i]['HostName']))
+ $offlinePrivateNetworkHost[$k.toString()]['HostName'] = $Host[$i.toString()]['HostName'];
+ else
+ $offlinePrivateNetworkHost[$k.toString()]['HostName'] = strtoupper($Host[$i.toString()]['PhysAddress']);
 array_push($offlineHostNameArr, $offlinePrivateNetworkHost[$k.toString()]['HostName']);
 $offlinePrivateNetworkHost[$k.toString()]['IPv4Address'] = $Host[$i.toString()]['IPv4Address.1.IPAddress'];
 // IPV6 link-local address
diff --git a/source/Styles/xb3/jst/connection_status.jst b/source/Styles/xb3/jst/connection_status.jst
index 7142591..2eba34b 100644
--- a/source/Styles/xb3/jst/connection_status.jst
+++ b/source/Styles/xb3/jst/connection_status.jst
@@ -419,8 +419,10 @@ if(($allowEthWan=="true") || ($autoWanEnable=="true")) {
 echo('Active Ethernet WAN');
 }else if(strtolower($selectedOperationalMode)=="docsis"){
 echo('Active Docsis WAN');
- }else{
+ }else if($selectedOperationalMode == "auto"){
 echo('Active Auto WAN');
+ }else{
+ echo('Unknown WAN');
 }
 }else{
 $wan_enable= getStr("Device.Ethernet.X_RDKCENTRAL-COM_WAN.Enabled");
diff --git a/source/Styles/xb3/jst/includes/jwt.jst b/source/Styles/xb3/jst/includes/jwt.jst
index a0b2866..f23512c 100644
--- a/source/Styles/xb3/jst/includes/jwt.jst
+++ b/source/Styles/xb3/jst/includes/jwt.jst
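Review bot: This block is now a line-for-line copy of the online-host branch earlier in the file, differing only in the `$offline*` names, so the hostname allowlist policy lives in two places and will drift the next time it changes. A small helper beside isValidHostname, `function displayHostName($host) { return (strlen($host['HostName']) != 0 && isValidHostname($host['HostName'])) ? $host['HostName'] : strtoupper($host['PhysAddress']); }`, would let both sites read `$offlinePrivateNetworkHost[$k.toString()]['HostName'] = displayHostName($Host[$i.toString()]);`. The condition also indexes `$Host[$i]` while the assignment uses `$Host[$i.toString()]`; pick one form. The enclosing loop starts before the hunk.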
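Review bot: The new `else if($selectedOperationalMode == "auto")` compares case-sensitively while the ethernet and docsis branches just above use `strtolower(...)`; current_operationalMode() returns lower-case `"auto"` only on its WanManager path and passes through whatever `Device.X_RDKCENTRAL-COM_EthernetWAN.SelectedOperationalMode` reports on the other, so an `"Auto"` value from that path now renders as 'Unknown WAN'. Use `}else if(strtolower($selectedOperationalMode)=="auto"){` to match the sibling branches. The enclosing if/else chain starts before the hunk.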
@@ -9,6 +9,59 @@ $JWTdir = "/tmp/.jwt/";
 $PUBKEYFILE = $JWTdir + "pubkey.cer";
 $JWTkeyfile = $JWTdir + "keys";
 $KeyURL = "https://login.microsoftonline.com/906aefe9-76a7-4f65-b82d-5ec20775d5aa/discovery/v2.0/keys";
+$expected_issuer = "https://login.microsoftonline.com/" + $tid + "/v2.0";
+
+function GetExpectedAud()
+{
+ var file = "/etc/webui/aud.conf";
+
+ if (!file_exists(file)) {
+ LogStr("aud.conf missing");
+ return "";
+ }
+
+ var lines = file_get_contents(file).split("\n");
+
+ var env = "prod";
+ var expectedAud = "";
+ var line, key, val, pos;
+
+ for (var i = 0; i < lines.length; i++) {
+ line = lines[i];
+
+ pos = strpos(line, "=");
+ if (pos <= 0) continue;
+
+ key = substr(line, 0, pos);
+ val = substr(line, pos + 1);
+
+ if (key == "env") {
+ env = val;
+ break;
+ }
+ }
+
+ var audKey = "aud_" + env;
+ for (var i = 0; i < lines.length; i++) {
+ line = lines[i];
+
+ pos = strpos(line, "=");
+ if (pos <= 0) continue;
+
+ key = substr(line, 0, pos);
+ val = substr(line, pos + 1);
+
+ if (key == audKey) {
+ expectedAud = val;
+ break;
+ }
+ }
+ if (expectedAud == "") {
+ LogStr("No AUD for " + audKey);
+ return "";
+ }
+ return expectedAud;
+}
 function VerifyToken($token)
 {
@@ -26,16 +79,10 @@ function VerifyToken($token)
 if( $validtoken == true )
 {
 $decodeddata = base64decode_url( $tokensegs[1] );
- $decodeddata = trim( $decodeddata, "{}" );
- $decodeddata = str_replace( '{', '', $decodeddata);
- $decodeddata = str_replace( '}', '', $decodeddata);
- $decodeddata = $decodeddata.split('"').join('');
- $pair = explode( ',', $decodeddata );
- for ( $k in $pair ) {
- temp = $pair[$k];
- list = {};
- list = explode( ':', temp, 2 );
- $tokendata[list[0]] = list[1];
+ $tokendata = json_decode($decodeddata, true);
+ if ($tokendata === null) {
+ LogStr("ERROR: Failed to decode JWT payload JSON");
+ return false;
 }
 $validtoken &= VerifyTokenData( $tokendata );
 }
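Review bot: `key` and `val` in GetExpectedAud are taken verbatim from `substr`, so a CRLF-terminated or space-padded `aud.conf` line (`aud_prod = xxx\r`) produces a key or value that never matches and every login then fails audience validation; trim both in each loop, `key = trim(substr(line, 0, pos));` and `val = trim(substr(line, pos + 1));`, and skip `#` comment lines before searching for `=`. Returning `""` on a missing file or key is fail-closed given the caller's `!= $expected_aud` test, which is the right default, but it should be stated so nobody "fixes" it: `// Returning "" makes the caller reject every token (fail closed); never default the audience here.` `$expected_issuer` is evaluated at load time from `$tid`, so `$tid` must already be assigned above this hunk; that is outside the visible lines and should be confirmed, because an undefined `$tid` silently yields an issuer no real token can match. The two parsing loops are identical apart from the key sought, so a single pass into a key-to-value map would halve the function.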
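Review bot: The `=== null` guard only catches malformed JSON; a syntactically valid payload that is not an object (`[]`, `"x"`, `42`) passes through and VerifyTokenData then indexes `$tkdata['nbf']` and friends on a non-map, so reject non-objects here as well, e.g. `if ($tokendata === null || typeof $tokendata != "object") {` (or the runtime's `is_array` equivalent, whichever this jst engine provides). With a real JSON parser the `aud` claim can now legitimately arrive as a JSON array (RFC 7519 §4.1.3), which the string comparison in VerifyTokenData should handle deliberately. VerifyToken's signature check and its tail are outside the hunk.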
@@ -155,19 +202,32 @@ function VerifyTokenData($tkdata)
 $tokennbf = parseInt( $tkdata['nbf'] );
 $tokenexp = parseInt( $tkdata['exp'] );
- if( ($curtime < $tokenexp) // current time must be < expiration
- && ($curtime >= $tokennbf) // current time must be >= not before time
- && ($curtime >= $tokeniat) ) // current time must be >= issued at time
+ $skew = 120; // 2-minute drift tolerance
+
+ if( ($curtime < ($tokenexp + $skew))
+ && ($curtime >= ($tokennbf - $skew))
+ && ($curtime >= ($tokeniat - $skew)) )
 {
- if( $tkdata['tid'] == $tid )
+ // Tenant validation
+ if( $tkdata['tid'] != $tid )
 {
- $retval = true;
+ LogStr(" : Error: Token fails Tenant ID ");
+ return false;
 }
- else
+ // Issuer validation
+ if( !isset($tkdata['iss']) || $tkdata['iss'] != $expected_issuer )
+ {
+ LogStr(" : Error: Token fails issuer validation ");
+ return false;
+ }
+ // Audience validation
+ $expected_aud = GetExpectedAud();
+ if( !isset($tkdata['aud']) || $tkdata['aud'] != $expected_aud )
 {
- $errstr = " : Error: Token fails Tenant ID, tid=" + $tkdata['tid'];
- LogStr( $errstr );
+ LogStr(" : Error: Token fails audience validation");
+ return false;
 }
+ $retval = true;
 }
 else
 {
@@ -248,10 +308,9 @@ function LogBeginLoginAttempt()
 function LogTokenData($tkdata)
 {
- $email = SHA256($tkdata['email']);
- $strhex = asc2hex($email);
- $str = " : OAUTH userId=" + $strhex;
- $str = $str + " JWT expiration=" + $tkdata['exp'] ;
+ $objId = SHA256($tkdata['oid']);
+ $strhex = asc2hex($objId);
+ $str = " : OAUTH objectId=" + $objId + " JWT expiration=" + $tkdata['exp'];
 LogStr( $str );
 }
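Review bot: The three claim checks use loose `!=`, so under JavaScript comparison semantics an `aud` claim delivered as a one-element array (`["<expected>"]`) coerces to the string and passes, while an object or number claim compares in ways nobody has reasoned about; use strict comparison, `if( $tkdata['tid'] !== $tid )`, `$tkdata['iss'] !== $expected_issuer`, `$tkdata['aud'] !== $expected_aud`, so exactly one string shape is accepted, and decide explicitly whether array audiences are allowed. `$skew` is also added to `exp`, meaning a token is honoured for two minutes past its expiry; that is a common leeway but it is a policy choice and belongs in a named file-scope constant with a comment rather than a local literal. The early `return false` paths skip whatever `$retval` handling follows, and the function continues past the hunk.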
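Review bot: `$strhex` is computed via `asc2hex($objId)` but never used; the log line concatenates `$objId`, the raw SHA256 output, whereas the removed code logged the hex form. If SHA256 returns raw digest bytes this writes non-printable bytes (and potential log-injection characters) into the log and defeats the point of hashing to a stable printable identifier; change the third line to `$str = " : OAUTH objectId=" + $strhex + " JWT expiration=" + $tkdata['exp'];`. A token without an `oid` claim hashes an undefined value and logs a constant, so guarding with `isset($tkdata['oid'])` would keep the entry meaningful.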
@@ -1237,20 +1237,18 @@ function current_operationalMode()
 $selectedOperationalMode=getStr("Device.X_RDKCENTRAL-COM_EthernetWAN.SelectedOperationalMode");
 }
 else{
- if(is_docsis_supported()) {
- $docsisEnable =getStr("Device.X_RDK_WanManager.Interface.1.Selection.Enable");
- $ethernetEnable =getStr("Device.X_RDK_WanManager.Interface.2.Selection.Enable");
- } else {
- $ethernetEnable = getStr("Device.X_RDK_WanManager.Interface.1.Selection.Enable");
- $docsisEnable = "false";
- }
-
- if(($ethernetEnable=="true") && ($docsisEnable=="false")){
- $selectedOperationalMode="Ethernet";
- }else if(($ethernetEnable=="false") && ($docsisEnable=="true")){
- $selectedOperationalMode="DOCSIS";
- }else if(($ethernetEnable=="true") && ($docsisEnable=="true")){
- $selectedOperationalMode="Auto";
+ $selectedOperationalMode = getStr("Device.X_RDK_WanManager.InterfaceAvailableStatus");
+ if ($selectedOperationalMode == "") {
+ $selectedOperationalMode = "unknown";
+ }
+ else if ($selectedOperationalMode.includes("|")) {
+ //If more than a single WAN is configured
+ $selectedOperationalMode = "auto";
+ }
+ else {
+ // Split the string by comma and extract the first part
+ $parts = $selectedOperationalMode.split(",");
+ $selectedOperationalMode = $parts[0];
 }
 }
 return $selectedOperationalMode;
@@ -1278,4 +1276,14 @@ function get_dhcp_client_interfaces()
 if($dhcp_client_interfaces.v6 == "") $dhcp_client_interfaces.v6 = "Device.DHCPv6.Client.1";
 return $dhcp_client_interfaces;
 }
+
+/**
+* Description:
+* verifies the validity of client hostname
+* return true if patten match otherwise false
+*/
+function isValidHostname(hostname) {
+ var $hostnameRegex = /^[a-zA-Z0-9_-]{1,30}$/;
+ return $hostnameRegex.test(hostname);
+}
 ?>
diff --git a/source/Styles/xb6/jst/wireless_network_configuration_onewifi.jst b/source/Styles/xb6/jst/wireless_network_configuration_onewifi.jst
index 4566719..70a1fd5 100644
--- a/source/Styles/xb6/jst/wireless_network_configuration_onewifi.jst
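Review bot: The WanManager path now returns whatever precedes the first `,` in `Device.X_RDK_WanManager.InterfaceAvailableStatus`, untrimmed and in the data model's own case, while the same branch returns the lower-case literals `"unknown"`/`"auto"` and the removed code returned `"Ethernet"`/`"DOCSIS"`/`"Auto"`; a caller comparing case-sensitively (connection_status.jst tests `== "auto"`) sees different spellings depending on which branch ran. Trim the extracted name, `$selectedOperationalMode = trim($parts[0]);`, and document the assumed format where it is parsed: `// InterfaceAvailableStatus is "<name>,<state>|<name>,<state>"; a "|" means more than one WAN is available`. That format is inferred from the parsing, not visible here, so confirm it against the WanManager data model. The function's beginning is outside the hunk.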
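Review bot: The docblock on isValidHostname does not say what it is for — it is the allowlist deciding whether a client-reported, untrusted hostname is rendered or replaced by the MAC — and has a typo; replace the two description lines with `* Allowlist for client-reported hostnames before they are rendered in the UI.` and `* Returns true only for 1-30 chars of [A-Za-z0-9_-]; dots, spaces and non-ASCII are rejected on purpose.`. The 30-character cap and the exclusion of `.` are stricter than RFC 1123 labels (63 chars) and will hide legitimate dotted names, so if that is deliberate it belongs in the comment, otherwise consider `{1,63}`. `$` in a JavaScript regex without the `m` flag anchors at end of input, so a trailing newline is rejected, which is the behaviour wanted here.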
+++ b/source/Styles/xb6/jst/wireless_network_configuration_onewifi.jst
@@ -808,6 +808,13 @@ $(document).ready(function() {
 $("#operation_mode1").prop("disabled", true);
 }
 }).trigger("change");
+ $("#wireless_mode3").change(function() {
+ if ("ax"==$("#wireless_mode3").val()) {
+ $("#channel_bandwidth7").prop("disabled", true);
+ } else if("ax,be"==$("#wireless_mode3").val() || "be"==$("#wireless_mode3").val()) {
+ $("#channel_bandwidth7").prop("disabled", false);
+ }
+ }).trigger("change");
 $("#channel_number").change(function() {
 show_extch(document.getElementById("channel_number").value);
 }).trigger("change");
@@ -1869,7 +1876,9 @@ if($OperatingChannelBandwidth == "6GHz")
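Review bot: The handler only toggles `#channel_bandwidth7` for `ax`, `ax,be` and `be`, so any other `wireless_mode3` value leaves the control in whatever state the previous selection set; collapse the if/else into one unconditional update, `$("#channel_bandwidth7").prop("disabled", "ax" == $("#wireless_mode3").val());`. Greying a control client-side is cosmetic only — the RDKB-61788 entry in this diff's changelog records that blocked inputs can be bypassed — so the 320 MHz-with-ax combination must also be rejected on the server-side save path, which is not in this hunk. The enclosing `$(document).ready` callback starts before the hunk.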
- 400ns + + 400ns + />800ns @@ -2121,7 +2130,9 @@ if($OperatingChannelBandwidth == "6GHz")
- 400ns + + 400ns + />800ns @@ -2314,7 +2325,6 @@ if($OperatingChannelBandwidth == "6GHz")
- 400ns />800ns