From 07ff865eded0d4b0a2e475319a99fb2aa11d290c Mon Sep 17 00:00:00 2001 From: Ananth916 <74174916+Ananth916@users.noreply.github.com> Date: Mon, 17 Nov 2025 12:41:12 +0530 Subject: [PATCH 1/4] Update check.jst --- source/Styles/xb3/jst/check.jst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/source/Styles/xb3/jst/check.jst b/source/Styles/xb3/jst/check.jst index 07b3650..7cf5ccb 100644 --- a/source/Styles/xb3/jst/check.jst +++ b/source/Styles/xb3/jst/check.jst @@ -360,7 +360,12 @@ else } if($flag==0){ // session_destroy(); + $partnersId = getStr("Device.DeviceInfo.X_RDKCENTRAL-COM_Syndication.PartnerId"); + if (strpos($partnersId, "sky-") != false) { + sendError( ''); + } else { sendError( ''); + } } } else From 8ef5563e08dd8a183a5b08afc2f2263f3b01679b Mon Sep 17 00:00:00 2001 From: Ananth916 <74174916+Ananth916@users.noreply.github.com> Date: Tue, 2 Dec 2025 13:06:05 +0530 Subject: [PATCH 2/4] RDKB-62411:Alert message for Invalid password login is not coming as expected --- source/Styles/xb3/jst/check.jst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/Styles/xb3/jst/check.jst b/source/Styles/xb3/jst/check.jst index 7cf5ccb..dd9bb47 100644 --- a/source/Styles/xb3/jst/check.jst +++ b/source/Styles/xb3/jst/check.jst @@ -361,7 +361,7 @@ else if($flag==0){ // session_destroy(); $partnersId = getStr("Device.DeviceInfo.X_RDKCENTRAL-COM_Syndication.PartnerId"); - if (strpos($partnersId, "sky-") != false) { + if (strpos($partnersId, "sky-") !== false) { sendError( ''); } else { sendError( ''); From 8575c54ac1b6da0cbb56db9706d6b7edce4f8d42 Mon Sep 17 00:00:00 2001 
From: Ananth916 <74174916+Ananth916@users.noreply.github.com> Date: Wed, 17 Dec 2025 10:42:00 +0530 Subject: [PATCH 3/4] Rebase with Develop (#85) * XER10-1896: Adding regex to validate client hostname (#76) * XER10-1896: Adding regex to validate client hostname XER10-1896: Adding regex to validate client hostname Reason for change: GUI throws 500 Internal Server Error or logs out from UI when clicking on Connected Devices Test Procedure: Build and verify in GUI page Risks: Low Priority: P2 * XER10-1896: Adding regex to validate client hostname XER10-1896: Adding regex to validate client hostname Reason for change: GUI throws 500 Internal Server Error or logs out from UI when clicking on Connected Devices Test Procedure: Build and verify in GUI page Risks: Low Priority: P2 * XER10-1896: Adding regex to validate client hostname XER10-1896: Adding regex to validate client hostname Reason for change: GUI throws 500 Internal Server Error or logs out from UI when clicking on Connected Devices Test Procedure: Build and verify in GUI page Risks: Low Priority: P2 * RDKB-61349: [SECVULN] Issuer and audience validation missing (#65) * RDKB-61349: [SECVULN] Issuer and audience validation missing Reason for change: Added validation check * RDKB-61349: Update jwt.jst * RDKB-61349: Update jwt.jst Reason for change: Addressed iss and aud validation logic * RDKB-61349: Update jwt.jst * RDKB-61349 : Update jwt.jst * RDKB-61349: Update jwt.jst * RDKB-61349: Update jwt.jst * RDKB-61349: Update jwt.jst * Add changelog for release 1.4.0 * RDKB-62532: Removing 400ns Guard Interval for 11ax/be for WiFi standards (#77) RDKB-62532: Removing 400ns Guard Interval for 11ax/be for WiFi standards Reason for change: 400ns Guard Interval is not applicable for 11ax/be Test Procedure: Build and verify in MSO page Risks: Low Priority: P1 Co-authored-by: anoopchelakkode <65686868+anoopchelakkode@users.noreply.github.com> * RDKBDEV-3296: Xfinity Connection status page returns error 404 Not Found (#49) 
Reason for change: webui connection status page returns error Test Procedure: login to webui and open connection status page Risks: None Signed-off-by: sai satish kotapati Co-authored-by: Sukanya673 <60687655+Sukanya673@users.noreply.github.com> Co-authored-by: anoopchelakkode <65686868+anoopchelakkode@users.noreply.github.com> * RDKB-62740: Disable 320MHz for 11ax mode ion 6GHz (#83) RDKB-62740: Disable 320MHz for 11ax mode ion 6GHz Reason for change: 320MHz not supported for 11ax mode in 6GHz Test Procedure: Build and verify in MSO page Risks: Low Priority: P1 --------- Signed-off-by: sai satish kotapati Co-authored-by: roushan-tel Co-authored-by: MonekaLakshmi <101797473+MonekaLakshmi@users.noreply.github.com> Co-authored-by: Nithishkumar-T <109725053+Nithishkumar-T@users.noreply.github.com> Co-authored-by: anoopchelakkode <65686868+anoopchelakkode@users.noreply.github.com> Co-authored-by: satish-kotapati Co-authored-by: Sukanya673 <60687655+Sukanya673@users.noreply.github.com> --- CHANGELOG.md | 10 +- .../xb3/jst/connected_devices_computers.jst | 16 +-- source/Styles/xb3/jst/connection_status.jst | 4 +- source/Styles/xb3/jst/includes/jwt.jst | 103 ++++++++++++++---- source/Styles/xb3/jst/includes/utility.jst | 36 +++--- ...wireless_network_configuration_onewifi.jst | 16 ++- 6 files changed, 136 insertions(+), 49 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8228e17..8f832ee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,16 +4,24 @@ All notable changes to this project will be documented in this file. Dates are d Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog). +#### [1.4.0](https://github.com/rdkcentral/webui/compare/1.3.0...1.4.0) + +- RDKB-61349: [SECVULN] Issuer and audience validation missing [`#65`](https://github.com/rdkcentral/webui/pull/65) +- XER10-1896: Adding regex to validate client hostname [`#76`](https://github.com/rdkcentral/webui/pull/76) +- Merge tag '1.3.0' into develop [`1547fb9`](https://github.com/rdkcentral/webui/commit/1547fb9941bcb1c50feb2cb83a36afa0c47eda8f) + #### [1.3.0](https://github.com/rdkcentral/webui/compare/1.2.1...1.3.0) +> 6 November 2025 + - RDKB-61788 : Input elements blocked in WebUI can be bypassed in HCM mode [`#40`](https://github.com/rdkcentral/webui/pull/40) - RDKB-61758: Removed MoCA option in GUI in bridge mode. [`#66`](https://github.com/rdkcentral/webui/pull/66) - RDKB-62246 : Harden WebUI Login - Exclude for sky partner [`#64`](https://github.com/rdkcentral/webui/pull/64) - RDKB-61875: 320MHz BW is not greyed out for ax mode in 6G [`#60`](https://github.com/rdkcentral/webui/pull/60) - RDKB-62077: Failed to add Parental Control Managed Service with Alway… [`#63`](https://github.com/rdkcentral/webui/pull/63) - RDKB-62246 : Harden WebUI Login - Exclude sky dev [`3640651`](https://github.com/rdkcentral/webui/commit/3640651507fcc6b59a0de629aac7a067151da825) +- Add changelog for release [`6c027d8`](https://github.com/rdkcentral/webui/commit/6c027d8fbc9eb1949c0a89ea498cb0613caa59aa) - RDKB-62077: Failed to add Parental Control Managed Service with AlwaysBlock enabled [`aeee8d9`](https://github.com/rdkcentral/webui/commit/aeee8d90f5d68201cd96a8fe9172a96f3845c02d) -- RDKB-61875: 320MHz BW is not grayed out for ax mode in 6G [`0295e22`](https://github.com/rdkcentral/webui/commit/0295e22210c281a7a7b453cd94e54f18f63d296e) #### [1.2.1](https://github.com/rdkcentral/webui/compare/1.2.0...1.2.1) 
diff --git a/source/Styles/xb3/jst/connected_devices_computers.jst b/source/Styles/xb3/jst/connected_devices_computers.jst index 04247f9..f280790 100644 --- a/source/Styles/xb3/jst/connected_devices_computers.jst +++ b/source/Styles/xb3/jst/connected_devices_computers.jst @@ -204,10 +204,10 @@ if($locale=="it" || $locale=="en_GB"){ $onlinePrivateNetworkHost[$j.toString()]={}; $onlinePrivateNetworkHost[$j.toString()]['instanceID'] = $i + 1; array_push($onlinePrivateInstanceArr, $onlinePrivateNetworkHost[$j.toString()]['instanceID']); - if (($Host[$i]['HostName'] == "*") || (strlen($Host[$i]['HostName']) == 0)) - $onlinePrivateNetworkHost[$j.toString()]['HostName'] = strtoupper($Host[$i.toString()]['PhysAddress']); - else - $onlinePrivateNetworkHost[$j.toString()]['HostName'] = $Host[$i.toString()]['HostName']; + if ((strlen($Host[$i]['HostName']) != 0) && isValidHostname($Host[$i]['HostName'])) + $onlinePrivateNetworkHost[$j.toString()]['HostName'] = $Host[$i.toString()]['HostName']; + else + $onlinePrivateNetworkHost[$j.toString()]['HostName'] = strtoupper($Host[$i.toString()]['PhysAddress']); array_push($onlineHostNameArr, $onlinePrivateNetworkHost[$j.toString()]['HostName']); $onlinePrivateNetworkHost[$j.toString()]['IPv4Address'] = $Host[$i.toString()]['IPv4Address.1.IPAddress']; // IPV6 link-local address 
@@ -236,10 +236,10 @@ if($locale=="it" || $locale=="en_GB"){ $offlinePrivateNetworkHost[$k]={}; $offlinePrivateNetworkHost[$k.toString()]['instanceID'] = $i + 1; array_push($offlinePrivateInstanceArr, $offlinePrivateNetworkHost[$k.toString()]['instanceID']); - if (($Host[$i]['HostName'] == "*") || (strlen($Host[$i]['HostName']) == 0)) - $offlinePrivateNetworkHost[$k.toString()]['HostName'] = strtoupper($Host[$i.toString()]['PhysAddress']); - else - $offlinePrivateNetworkHost[$k.toString()]['HostName'] = $Host[$i.toString()]['HostName']; + if ((strlen($Host[$i]['HostName']) != 0) && isValidHostname($Host[$i]['HostName'])) + $offlinePrivateNetworkHost[$k.toString()]['HostName'] = $Host[$i.toString()]['HostName']; + else + $offlinePrivateNetworkHost[$k.toString()]['HostName'] = strtoupper($Host[$i.toString()]['PhysAddress']); array_push($offlineHostNameArr, $offlinePrivateNetworkHost[$k.toString()]['HostName']); $offlinePrivateNetworkHost[$k.toString()]['IPv4Address'] = $Host[$i.toString()]['IPv4Address.1.IPAddress']; // IPV6 link-local address diff --git a/source/Styles/xb3/jst/connection_status.jst b/source/Styles/xb3/jst/connection_status.jst index 7142591..2eba34b 100644 --- a/source/Styles/xb3/jst/connection_status.jst +++ b/source/Styles/xb3/jst/connection_status.jst @@ -419,8 +419,10 @@ if(($allowEthWan=="true") || ($autoWanEnable=="true")) { echo('Active Ethernet WAN'); }else if(strtolower($selectedOperationalMode)=="docsis"){ echo('Active Docsis WAN'); - }else{ + }else if($selectedOperationalMode == "auto"){ echo('Active Auto WAN'); + }else{ + echo('Unknown WAN'); } }else{ $wan_enable= getStr("Device.Ethernet.X_RDKCENTRAL-COM_WAN.Enabled"); diff --git a/source/Styles/xb3/jst/includes/jwt.jst b/source/Styles/xb3/jst/includes/jwt.jst index a0b2866..f23512c 100644 --- a/source/Styles/xb3/jst/includes/jwt.jst +++ b/source/Styles/xb3/jst/includes/jwt.jst 
@@ -9,6 +9,59 @@ $JWTdir = "/tmp/.jwt/"; $PUBKEYFILE = $JWTdir + "pubkey.cer"; $JWTkeyfile = $JWTdir + "keys"; $KeyURL = "https://login.microsoftonline.com/906aefe9-76a7-4f65-b82d-5ec20775d5aa/discovery/v2.0/keys"; +$expected_issuer = "https://login.microsoftonline.com/" + $tid + "/v2.0"; + +function GetExpectedAud() +{ + var file = "/etc/webui/aud.conf"; + + if (!file_exists(file)) { + LogStr("aud.conf missing"); + return ""; + } + + var lines = file_get_contents(file).split("\n"); + + var env = "prod"; + var expectedAud = ""; + var line, key, val, pos; + + for (var i = 0; i < lines.length; i++) { + line = lines[i]; + + pos = strpos(line, "="); + if (pos <= 0) continue; + + key = substr(line, 0, pos); + val = substr(line, pos + 1); + + if (key == "env") { + env = val; + break; + } + } + + var audKey = "aud_" + env; + for (var i = 0; i < lines.length; i++) { + line = lines[i]; + + pos = strpos(line, "="); + if (pos <= 0) continue; + + key = substr(line, 0, pos); + val = substr(line, pos + 1); + + if (key == audKey) { + expectedAud = val; + break; + } + } + if (expectedAud == "") { + LogStr("No AUD for " + audKey); + return ""; + } + return expectedAud; +} function VerifyToken($token) { @@ -26,16 +79,10 @@ function VerifyToken($token) if( $validtoken == true ) { $decodeddata = base64decode_url( $tokensegs[1] ); - $decodeddata = trim( $decodeddata, "{}" ); - $decodeddata = str_replace( '{', '', $decodeddata); - $decodeddata = str_replace( '}', '', $decodeddata); - $decodeddata = $decodeddata.split('"').join(''); - $pair = explode( ',', $decodeddata ); - for ( $k in $pair ) { - temp = $pair[$k]; - list = {}; - list = explode( ':', temp, 2 ); - $tokendata[list[0]] = list[1]; + $tokendata = json_decode($decodeddata, true); + if ($tokendata === null) { + LogStr("ERROR: Failed to decode JWT payload JSON"); + return false; } $validtoken &= VerifyTokenData( $tokendata ); } 
@@ -155,19 +202,32 @@ function VerifyTokenData($tkdata) $tokennbf = parseInt( $tkdata['nbf'] ); $tokenexp = parseInt( $tkdata['exp'] ); - if( ($curtime < $tokenexp) // current time must be < expiration - && ($curtime >= $tokennbf) // current time must be >= not before time - && ($curtime >= $tokeniat) ) // current time must be >= issued at time + $skew = 120; // 2-minute drift tolerance + + if( ($curtime < ($tokenexp + $skew)) + && ($curtime >= ($tokennbf - $skew)) + && ($curtime >= ($tokeniat - $skew)) ) { - if( $tkdata['tid'] == $tid ) + // Tenant validation + if( $tkdata['tid'] != $tid ) { - $retval = true; + LogStr(" : Error: Token fails Tenant ID "); + return false; } - else + // Issuer validation + if( !isset($tkdata['iss']) || $tkdata['iss'] != $expected_issuer ) + { + LogStr(" : Error: Token fails issuer validation "); + return false; + } + // Audience validation + $expected_aud = GetExpectedAud(); + if( !isset($tkdata['aud']) || $tkdata['aud'] != $expected_aud ) { - $errstr = " : Error: Token fails Tenant ID, tid=" + $tkdata['tid']; - LogStr( $errstr ); + LogStr(" : Error: Token fails audience validation"); + return false; } + $retval = true; } else { @@ -248,10 +308,9 @@ function LogBeginLoginAttempt() function LogTokenData($tkdata) { - $email = SHA256($tkdata['email']); - $strhex = asc2hex($email); - $str = " : OAUTH userId=" + $strhex; - $str = $str + " JWT expiration=" + $tkdata['exp'] ; + $objId = SHA256($tkdata['oid']); + $strhex = asc2hex($objId); + $str = " : OAUTH objectId=" + $objId + " JWT expiration=" + $tkdata['exp']; LogStr( $str ); } diff --git a/source/Styles/xb3/jst/includes/utility.jst b/source/Styles/xb3/jst/includes/utility.jst index e53c322..4a9c97a 100644 --- a/source/Styles/xb3/jst/includes/utility.jst +++ b/source/Styles/xb3/jst/includes/utility.jst 
@@ -1237,20 +1237,18 @@ function current_operationalMode() $selectedOperationalMode=getStr("Device.X_RDKCENTRAL-COM_EthernetWAN.SelectedOperationalMode"); } else{ - if(is_docsis_supported()) { - $docsisEnable =getStr("Device.X_RDK_WanManager.Interface.1.Selection.Enable"); - $ethernetEnable =getStr("Device.X_RDK_WanManager.Interface.2.Selection.Enable"); - } else { - $ethernetEnable = getStr("Device.X_RDK_WanManager.Interface.1.Selection.Enable"); - $docsisEnable = "false"; - } - - if(($ethernetEnable=="true") && ($docsisEnable=="false")){ - $selectedOperationalMode="Ethernet"; - }else if(($ethernetEnable=="false") && ($docsisEnable=="true")){ - $selectedOperationalMode="DOCSIS"; - }else if(($ethernetEnable=="true") && ($docsisEnable=="true")){ - $selectedOperationalMode="Auto"; + $selectedOperationalMode = getStr("Device.X_RDK_WanManager.InterfaceAvailableStatus"); + if ($selectedOperationalMode == "") { + $selectedOperationalMode = "unknown"; + } + else if ($selectedOperationalMode.includes("|")) { + //If more than a single WAN is configured + $selectedOperationalMode = "auto"; + } + else { + // Split the string by comma and extract the first part + $parts = $selectedOperationalMode.split(","); + $selectedOperationalMode = $parts[0]; } } return $selectedOperationalMode; @@ -1278,4 +1276,14 @@ function get_dhcp_client_interfaces() if($dhcp_client_interfaces.v6 == "") $dhcp_client_interfaces.v6 = "Device.DHCPv6.Client.1"; return $dhcp_client_interfaces; } + +/** +* Description: +* verifies the validity of client hostname +* return true if patten match otherwise false +*/ +function isValidHostname(hostname) { + var $hostnameRegex = /^[a-zA-Z0-9_-]{1,30}$/; + return $hostnameRegex.test(hostname); +} ?> diff --git a/source/Styles/xb6/jst/wireless_network_configuration_onewifi.jst b/source/Styles/xb6/jst/wireless_network_configuration_onewifi.jst index 4566719..70a1fd5 100644 --- a/source/Styles/xb6/jst/wireless_network_configuration_onewifi.jst 
+++ b/source/Styles/xb6/jst/wireless_network_configuration_onewifi.jst @@ -808,6 +808,13 @@ $(document).ready(function() { $("#operation_mode1").prop("disabled", true); } }).trigger("change"); + $("#wireless_mode3").change(function() { + if ("ax"==$("#wireless_mode3").val()) { + $("#channel_bandwidth7").prop("disabled", true); + } else if("ax,be"==$("#wireless_mode3").val() || "be"==$("#wireless_mode3").val()) { + $("#channel_bandwidth7").prop("disabled", false); + } + }).trigger("change"); $("#channel_number").change(function() { show_extch(document.getElementById("channel_number").value); }).trigger("change"); @@ -1869,7 +1876,9 @@ if($OperatingChannelBandwidth == "6GHz")
- 400ns + + 400ns + />800ns @@ -2121,7 +2130,9 @@ if($OperatingChannelBandwidth == "6GHz")
- 400ns + + 400ns + />800ns @@ -2314,7 +2325,6 @@ if($OperatingChannelBandwidth == "6GHz")
- 400ns />800ns From 667da3b20d094cec829cfc462b5435d53f2a7b80 Mon Sep 17 00:00:00 2001 From: Ananth916 <74174916+Ananth916@users.noreply.github.com> Date: Wed, 17 Dec 2025 10:42:48 +0530 Subject: [PATCH 4/4] Rebase with develop (#86) * XER10-1896: Adding regex to validate client hostname (#76) * XER10-1896: Adding regex to validate client hostname XER10-1896: Adding regex to validate client hostname Reason for change: GUI throws 500 Internal Server Error or logs out from UI when clicking on Connected Devices Test Procedure: Build and verify in GUI page Risks: Low Priority: P2 * XER10-1896: Adding regex to validate client hostname XER10-1896: Adding regex to validate client hostname Reason for change: GUI throws 500 Internal Server Error or logs out from UI when clicking on Connected Devices Test Procedure: Build and verify in GUI page Risks: Low Priority: P2 * XER10-1896: Adding regex to validate client hostname XER10-1896: Adding regex to validate client hostname Reason for change: GUI throws 500 Internal Server Error or logs out from UI when clicking on Connected Devices Test Procedure: Build and verify in GUI page Risks: Low Priority: P2 * RDKB-61349: [SECVULN] Issuer and audience validation missing (#65) * RDKB-61349: [SECVULN] Issuer and audience validation missing Reason for change: Added validation check * RDKB-61349: Update jwt.jst * RDKB-61349: Update jwt.jst Reason for change: Addressed iss and aud validation logic * RDKB-61349: Update jwt.jst * RDKB-61349 : Update jwt.jst * RDKB-61349: Update jwt.jst * RDKB-61349: Update jwt.jst * RDKB-61349: Update jwt.jst * Add changelog for release 1.4.0 * RDKB-62532: Removing 400ns Guard Interval for 11ax/be for WiFi standards (#77) RDKB-62532: Removing 400ns Guard Interval for 11ax/be for WiFi standards Reason for change: 400ns Guard Interval is not applicable for 11ax/be Test Procedure: Build and verify in MSO page Risks: Low Priority: P1 Co-authored-by: anoopchelakkode 
<65686868+anoopchelakkode@users.noreply.github.com> * RDKBDEV-3296: Xfinity Connection status page returns error 404 Not Found (#49) Reason for change: webui connection status page returns error Test Procedure: login to webui and open connection status page Risks: None Signed-off-by: sai satish kotapati Co-authored-by: Sukanya673 <60687655+Sukanya673@users.noreply.github.com> Co-authored-by: anoopchelakkode <65686868+anoopchelakkode@users.noreply.github.com> * RDKB-62740: Disable 320MHz for 11ax mode ion 6GHz (#83) RDKB-62740: Disable 320MHz for 11ax mode ion 6GHz Reason for change: 320MHz not supported for 11ax mode in 6GHz Test Procedure: Build and verify in MSO page Risks: Low Priority: P1 --------- Signed-off-by: sai satish kotapati Co-authored-by: roushan-tel Co-authored-by: MonekaLakshmi <101797473+MonekaLakshmi@users.noreply.github.com> Co-authored-by: Nithishkumar-T <109725053+Nithishkumar-T@users.noreply.github.com> Co-authored-by: anoopchelakkode <65686868+anoopchelakkode@users.noreply.github.com> Co-authored-by: satish-kotapati Co-authored-by: Sukanya673 <60687655+Sukanya673@users.noreply.github.com>
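Review bot: in the check.jst hunk of PATCH 1/4, `if (strpos($partnersId, "sky-") != false)` is a loose comparison: when the PartnerId begins with "sky-", strpos returns 0, `0 != false` evaluates to false, and the sky branch is skipped for exactly the partner it targets. PATCH 2/4 corrects it to `!== false`, so the two commits should be squashed so the broken comparison never lands on its own. If a prefix match is intended, `strpos($partnersId, "sky-") === 0` says so directly instead of matching "sky-" anywhere in the id. As shown in the diff, both branches call `sendError( '')` with the same argument, so the new condition has no visible effect; if the partner-specific message is meant to differ, the hunk does not show it.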
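Review bot: in the CHANGELOG.md hunk, the new `#### [1.4.0]` section has no date line while 1.3.0 gains `> 6 November 2025` in the same hunk; add the 1.4.0 release date for consistency. The hunk also deletes the `RDKB-61875: 320MHz BW is not grayed out for ax mode in 6G [0295e22]` entry from the already-released 1.3.0 section; if that is a side effect of regenerating with auto-changelog rather than an intended correction, restore it so the released section stays stable.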
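Review bot: the two connected_devices_computers.jst hunks (online and offline host loops) carry identical replacement blocks; a small helper that returns either the validated HostName or the upper-cased PhysAddress would keep the fallback rule in one place. The new condition drops the explicit `== "*"` check, which is only safe because isValidHostname() rejects `*`; a one-line comment stating that dependency avoids someone relaxing the regex later and reintroducing the 500 error. Since this fix substitutes the display value only on this page, check that other templates rendering Host[].HostName apply the same filter.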
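Review bot: in the connection_status.jst hunk, the existing DOCSIS branch compares `strtolower($selectedOperationalMode)=="docsis"` but the added branch compares `$selectedOperationalMode == "auto"` without lowercasing. current_operationalMode() returns the first comma-separated part of InterfaceAvailableStatus verbatim on one path and fixed lowercase strings ("auto", "unknown") on the others, so a value with different casing would fall through to the new 'Unknown WAN' text. Apply strtolower() consistently across these comparisons.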
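Review bot: in GetExpectedAud() (first jwt.jst hunk), `val = substr(line, pos + 1)` is used without trim(), so a trailing space or a CRLF line ending in /etc/webui/aud.conf leaves `\r` or whitespace in expectedAud and every token then fails audience validation; trim both key and val, and skip blank and `#` comment lines, before comparing. Returning "" when the file or the aud_<env> entry is missing is the right fail-closed default, but log the resolved env and the file path in that branch so an operator can distinguish a configuration error from a rejected token. The two loops duplicate the key=value parsing; one pass that collects all pairs into a map, then reads `env` and `aud_<env>`, is shorter and easier to audit.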
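Review bot: in VerifyToken() (second jwt.jst hunk), replacing the hand-rolled `{}`/quote stripping and `explode` on `,` and `:` with json_decode($decodeddata, true) is the right fix, since the old code broke on any claim containing a comma or colon (nested objects, arrays, URLs in `iss`). The `=== null` check only catches malformed JSON, though: a payload that decodes to a scalar such as a bare string or number passes through to VerifyTokenData(), which indexes $tkdata['nbf'] and friends. Add an is_array() check (or this dialect's equivalent) and return false otherwise.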
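Review bot: in VerifyTokenData() (third jwt.jst hunk), the new `$skew` is applied to exp as `$curtime < ($tokenexp + $skew)`, which accepts a token for up to two minutes after it has expired. Leeway on nbf and iat addresses clock drift; extending exp is a deliberate relaxation that the comment should say explicitly, and 120 seconds is generous for a gateway that syncs time over NTP. The added `iss` and `aud` checks use `!=`; use strict comparison, for the same reason PATCH 2/4 changed `!= false` to `!== false`. An `aud` claim delivered as a JSON array (permitted by RFC 7519) will never equal the expected string and is rejected, which is fail-closed but deserves a comment. The tid failure log no longer includes the offending tid value that the removed line logged; if that is intentional data minimisation, note it in the commit message.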
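Review bot: in LogTokenData() (fourth jwt.jst hunk), `$strhex = asc2hex($objId)` is computed but never used; the log line concatenates `$objId`, the raw SHA256 output, so the objectId field will carry non-printable bytes. The pre-change code logged `$strhex`; keep that: `$str = " : OAUTH objectId=" + $strhex + " JWT expiration=" + $tkdata['exp'];`.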
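Review bot: in current_operationalMode() (first utility.jst hunk), the new else-branch assumes a particular encoding of Device.X_RDK_WanManager.InterfaceAvailableStatus (interfaces separated by `|`, fields within an interface separated by `,`, type in the first field); add that format and an example value as a comment, because the `includes("|")` followed by `split(",")` logic cannot be verified from the code alone. The extracted first part keeps the data model's own casing while the other paths return lowercase "auto"/"unknown"; lowercase it here so callers such as connection_status.jst can compare against fixed strings. Also confirm that dropping the is_docsis_supported() branch does not change behaviour on non-DOCSIS builds where the new parameter may be empty, which now yields "unknown".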
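Review bot: in isValidHostname() (second utility.jst hunk), the doc comment reads "patten"; should be "pattern". The regex /^[a-zA-Z0-9_-]{1,30}$/ rejects any dot, so a client that reports an FQDN-style name such as laptop.local, or any name over 30 characters, is displayed by MAC address instead; if that is intended, document it in the comment, otherwise allow dots and the RFC 1123 label length of 63. The `$`-prefixed local `$hostnameRegex` next to the unprefixed `hostname` parameter mixes the file's two naming styles; pick one.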
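Review bot: in the wireless_network_configuration_onewifi.jst hunk, the `#wireless_mode3` change handler disables `#channel_bandwidth7` for "ax" and enables it for "ax,be" or "be", but any other value leaves the control in whatever state it already had. Use a plain else branch, or a single `prop("disabled", "ax" == $("#wireless_mode3").val())`, so the 320MHz control's state is deterministic on every change.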
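Review bot: PATCH 4/4 repeats the "Rebase with develop" body of PATCH 3/4 and shows no diffstat or hunks; if it is an empty merge commit it should be dropped before merging. PATCH 3/4 itself bundles the RDKB-61349 [SECVULN] JWT issuer/audience hardening with the XER10-1896 hostname validation, the CHANGELOG update, the WAN-status rework and the Wi-Fi UI changes in one commit, which makes the security fix hard to cherry-pick or revert independently; consider keeping the merged develop commits separate rather than squashing them into a rebase commit.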