From 01c3a7bb42bd691b030b919f54656ff94d8e28ed Mon Sep 17 00:00:00 2001 From: roushan-tel Date: Thu, 4 Dec 2025 00:01:10 +0530 Subject: [PATCH 1/6] XER10-1896: Adding regex to validate client hostname (#76) * XER10-1896: Adding regex to validate client hostname XER10-1896: Adding regex to validate client hostname Reason for change: GUI throws 500 Internal Server Error or logs out from UI when clicking on Connected Devices Test Procedure: Build and verify in GUI page Risks: Low Priority: P2 * XER10-1896: Adding regex to validate client hostname XER10-1896: Adding regex to validate client hostname Reason for change: GUI throws 500 Internal Server Error or logs out from UI when clicking on Connected Devices Test Procedure: Build and verify in GUI page Risks: Low Priority: P2 * XER10-1896: Adding regex to validate client hostname XER10-1896: Adding regex to validate client hostname Reason for change: GUI throws 500 Internal Server Error or logs out from UI when clicking on Connected Devices Test Procedure: Build and verify in GUI page Risks: Low Priority: P2 --- .../xb3/jst/connected_devices_computers.jst | 16 ++++++++-------- source/Styles/xb3/jst/includes/utility.jst | 10 ++++++++++ 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/source/Styles/xb3/jst/connected_devices_computers.jst b/source/Styles/xb3/jst/connected_devices_computers.jst index 04247f9..f280790 100644 --- a/source/Styles/xb3/jst/connected_devices_computers.jst +++ b/source/Styles/xb3/jst/connected_devices_computers.jst 
@@ -204,10 +204,10 @@ if($locale=="it" || $locale=="en_GB"){
 $onlinePrivateNetworkHost[$j.toString()]={};
 $onlinePrivateNetworkHost[$j.toString()]['instanceID'] = $i + 1;
 array_push($onlinePrivateInstanceArr, $onlinePrivateNetworkHost[$j.toString()]['instanceID']);
- if (($Host[$i]['HostName'] == "*") || (strlen($Host[$i]['HostName']) == 0))
- $onlinePrivateNetworkHost[$j.toString()]['HostName'] = strtoupper($Host[$i.toString()]['PhysAddress']);
- else
- $onlinePrivateNetworkHost[$j.toString()]['HostName'] = $Host[$i.toString()]['HostName'];
+ if ((strlen($Host[$i]['HostName']) != 0) && isValidHostname($Host[$i]['HostName']))
+ $onlinePrivateNetworkHost[$j.toString()]['HostName'] = $Host[$i.toString()]['HostName'];
+ else
+ $onlinePrivateNetworkHost[$j.toString()]['HostName'] = strtoupper($Host[$i.toString()]['PhysAddress']);
 array_push($onlineHostNameArr, $onlinePrivateNetworkHost[$j.toString()]['HostName']);
 $onlinePrivateNetworkHost[$j.toString()]['IPv4Address'] = $Host[$i.toString()]['IPv4Address.1.IPAddress'];
 // IPV6 link-local address
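Review bot: A hostname that fails `isValidHostname` now silently collapses to the device MAC with nothing logged, so the condition that used to produce the 500 error is hidden rather than reported, and an operator cannot tell why a device shows up under its MAC. I would add a log line in the `else` branch, for example `LogStr("connected_devices: hostname rejected for " + $Host[$i.toString()]['PhysAddress']);` — presumably `LogStr` is reachable from this template as it is from jwt.jst, please confirm. The `strlen(...) != 0` test is redundant: the regex's `{1,30}` quantifier already rejects the empty string. The enclosing loop and `if($locale==...)` block start outside the hunk.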
@@ -236,10 +236,10 @@ if($locale=="it" || $locale=="en_GB"){
 $offlinePrivateNetworkHost[$k]={};
 $offlinePrivateNetworkHost[$k.toString()]['instanceID'] = $i + 1;
 array_push($offlinePrivateInstanceArr, $offlinePrivateNetworkHost[$k.toString()]['instanceID']);
- if (($Host[$i]['HostName'] == "*") || (strlen($Host[$i]['HostName']) == 0))
- $offlinePrivateNetworkHost[$k.toString()]['HostName'] = strtoupper($Host[$i.toString()]['PhysAddress']);
- else
- $offlinePrivateNetworkHost[$k.toString()]['HostName'] = $Host[$i.toString()]['HostName'];
+ if ((strlen($Host[$i]['HostName']) != 0) && isValidHostname($Host[$i]['HostName']))
+ $offlinePrivateNetworkHost[$k.toString()]['HostName'] = $Host[$i.toString()]['HostName'];
+ else
+ $offlinePrivateNetworkHost[$k.toString()]['HostName'] = strtoupper($Host[$i.toString()]['PhysAddress']);
 array_push($offlineHostNameArr, $offlinePrivateNetworkHost[$k.toString()]['HostName']);
 $offlinePrivateNetworkHost[$k.toString()]['IPv4Address'] = $Host[$i.toString()]['IPv4Address.1.IPAddress'];
 // IPV6 link-local address
diff --git a/source/Styles/xb3/jst/includes/utility.jst b/source/Styles/xb3/jst/includes/utility.jst
index e53c322..ac6dc74 100644
--- a/source/Styles/xb3/jst/includes/utility.jst
+++ b/source/Styles/xb3/jst/includes/utility.jst
@@ -1278,4 +1278,14 @@ function get_dhcp_client_interfaces()
 if($dhcp_client_interfaces.v6 == "") $dhcp_client_interfaces.v6 = "Device.DHCPv6.Client.1";
 return $dhcp_client_interfaces;
 }
+
+/**
+* Description:
+* verifies the validity of client hostname
+* return true if patten match otherwise false
+*/
+function isValidHostname(hostname) {
+ var $hostnameRegex = /^[a-zA-Z0-9_-]{1,30}$/;
+ return $hostnameRegex.test(hostname);
+}
 ?>
From b522923c18fb68772da397561511f2b54da6a7aa Mon Sep 17 00:00:00 2001
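Review bot: The allowlist `^[a-zA-Z0-9_-]{1,30}$` in `isValidHostname` is tighter than what DHCP clients commonly send: a hostname with a dot (`laptop.lan`) or longer than 30 characters is now rendered as the MAC address, although RFC 1123 permits 63-character labels joined by dots. Because the regex is also acting as the output-encoding guard for the Connected Devices page (no HTML metacharacters can pass), a strict set is defensible, but that is a decision the doc comment should record rather than the current "verifies the validity"; I would replace the header with `* Allowlist for hostnames rendered on the Connected Devices page: letters, digits, '_' and '-', 1-30 chars.` followed by `* Dots and longer names are deliberately rejected; callers fall back to the MAC address. Returns true on match.` The typo `patten` should also be `pattern`. Note the allowlist does not replace HTML escaping at the point where the hostname is echoed into markup, which is outside this patch.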
From: MonekaLakshmi <101797473+MonekaLakshmi@users.noreply.github.com> Date: Thu, 4 Dec 2025 11:18:51 +0530 Subject: [PATCH 2/6] RDKB-61349: [SECVULN] Issuer and audience validation missing (#65) * RDKB-61349: [SECVULN] Issuer and audience validation missing Reason for change: Added validation check * RDKB-61349: Update jwt.jst * RDKB-61349: Update jwt.jst Reason for change: Addressed iss and aud validation logic * RDKB-61349: Update jwt.jst * RDKB-61349 : Update jwt.jst * RDKB-61349: Update jwt.jst * RDKB-61349: Update jwt.jst * RDKB-61349: Update jwt.jst --- source/Styles/xb3/jst/includes/jwt.jst | 103 +++++++++++++++++++------ 1 file changed, 81 insertions(+), 22 deletions(-) diff --git a/source/Styles/xb3/jst/includes/jwt.jst b/source/Styles/xb3/jst/includes/jwt.jst index a0b2866..f23512c 100644 --- a/source/Styles/xb3/jst/includes/jwt.jst +++ b/source/Styles/xb3/jst/includes/jwt.jst 
@@ -9,6 +9,59 @@ $JWTdir = "/tmp/.jwt/";
 $PUBKEYFILE = $JWTdir + "pubkey.cer";
 $JWTkeyfile = $JWTdir + "keys";
 $KeyURL = "https://login.microsoftonline.com/906aefe9-76a7-4f65-b82d-5ec20775d5aa/discovery/v2.0/keys";
+$expected_issuer = "https://login.microsoftonline.com/" + $tid + "/v2.0";
+
+function GetExpectedAud()
+{
+ var file = "/etc/webui/aud.conf";
+
+ if (!file_exists(file)) {
+ LogStr("aud.conf missing");
+ return "";
+ }
+
+ var lines = file_get_contents(file).split("\n");
+
+ var env = "prod";
+ var expectedAud = "";
+ var line, key, val, pos;
+
+ for (var i = 0; i < lines.length; i++) {
+ line = lines[i];
+
+ pos = strpos(line, "=");
+ if (pos <= 0) continue;
+
+ key = substr(line, 0, pos);
+ val = substr(line, pos + 1);
+
+ if (key == "env") {
+ env = val;
+ break;
+ }
+ }
+
+ var audKey = "aud_" + env;
+ for (var i = 0; i < lines.length; i++) {
+ line = lines[i];
+
+ pos = strpos(line, "=");
+ if (pos <= 0) continue;
+
+ key = substr(line, 0, pos);
+ val = substr(line, pos + 1);
+
+ if (key == audKey) {
+ expectedAud = val;
+ break;
+ }
+ }
+ if (expectedAud == "") {
+ LogStr("No AUD for " + audKey);
+ return "";
+ }
+ return expectedAud;
+}
 
 function VerifyToken($token)
 {
@@ -26,16 +79,10 @@ function VerifyToken($token)
 if( $validtoken == true )
 {
 $decodeddata = base64decode_url( $tokensegs[1] );
- $decodeddata = trim( $decodeddata, "{}" );
- $decodeddata = str_replace( '{', '', $decodeddata);
- $decodeddata = str_replace( '}', '', $decodeddata);
- $decodeddata = $decodeddata.split('"').join('');
- $pair = explode( ',', $decodeddata );
- for ( $k in $pair ) {
- temp = $pair[$k];
- list = {};
- list = explode( ':', temp, 2 );
- $tokendata[list[0]] = list[1];
+ $tokendata = json_decode($decodeddata, true);
+ if ($tokendata === null) {
+ LogStr("ERROR: Failed to decode JWT payload JSON");
+ return false;
 }
 $validtoken &= VerifyTokenData( $tokendata );
 }
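Review bot: In `GetExpectedAud` the key and value taken with `substr(line, 0, pos)` and `substr(line, pos + 1)` are not trimmed, so an `aud.conf` saved with CRLF line endings or a trailing space produces an expected audience of `<value>\r` that never equals the token's `aud` claim, and every login is rejected with only "fails audience validation" in the log. Trim both sides of the `=`: `key = trim(substr(line, 0, pos));` and `val = trim(substr(line, pos + 1));` (`trim` is already available in this file, per the removed lines of the next hunk). The silent `env = "prod"` default when no `env` key is present is also worth a comment, since it decides which audience is enforced: `// no env key in aud.conf: enforce the production audience`.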
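Review bot: In the second hunk `$tokendata === null` only catches a JSON parse failure; a payload segment that decodes to a JSON string, number or array passes into `VerifyTokenData`, where the `$tkdata['tid']` / `['iss']` / `['aud']` lookups then run against a scalar, and I cannot see from here whether the signature has already been checked at this point in `VerifyToken`. I would reject non-object payloads as well, e.g. `if ($tokendata === null || typeof $tokendata !== "object") {` — hedged, since what `json_decode` returns for non-object input in this interpreter is not visible in the hunk. `VerifyToken` starts and ends outside the hunk.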
@@ -155,19 +202,32 @@ function VerifyTokenData($tkdata)
 $tokennbf = parseInt( $tkdata['nbf'] );
 $tokenexp = parseInt( $tkdata['exp'] );
 
- if( ($curtime < $tokenexp) // current time must be < expiration
- && ($curtime >= $tokennbf) // current time must be >= not before time
- && ($curtime >= $tokeniat) ) // current time must be >= issued at time
+ $skew = 120; // 2-minute drift tolerance
+
+ if( ($curtime < ($tokenexp + $skew))
+ && ($curtime >= ($tokennbf - $skew))
+ && ($curtime >= ($tokeniat - $skew)) )
 {
- if( $tkdata['tid'] == $tid )
+ // Tenant validation
+ if( $tkdata['tid'] != $tid )
 {
- $retval = true;
+ LogStr(" : Error: Token fails Tenant ID ");
+ return false;
 }
- else
+ // Issuer validation
+ if( !isset($tkdata['iss']) || $tkdata['iss'] != $expected_issuer )
+ {
+ LogStr(" : Error: Token fails issuer validation ");
+ return false;
+ }
+ // Audience validation
+ $expected_aud = GetExpectedAud();
+ if( !isset($tkdata['aud']) || $tkdata['aud'] != $expected_aud )
 {
- $errstr = " : Error: Token fails Tenant ID, tid=" + $tkdata['tid'];
- LogStr( $errstr );
+ LogStr(" : Error: Token fails audience validation");
+ return false;
 }
+ $retval = true;
 }
 else
 {
@@ -248,10 +308,9 @@ function LogBeginLoginAttempt()
 
 function LogTokenData($tkdata)
 {
- $email = SHA256($tkdata['email']);
- $strhex = asc2hex($email);
- $str = " : OAUTH userId=" + $strhex;
- $str = $str + " JWT expiration=" + $tkdata['exp'] ;
+ $objId = SHA256($tkdata['oid']);
+ $strhex = asc2hex($objId);
+ $str = " : OAUTH objectId=" + $objId + " JWT expiration=" + $tkdata['exp'];
 LogStr( $str );
 }
 
From cc2ec44093988f46df5ffc8f23c5d65891d489e0 Mon Sep 17 00:00:00 2001
From: Nithishkumar-T <109725053+Nithishkumar-T@users.noreply.github.com>
Date: Thu, 4 Dec 2025 14:18:28 +0530
Subject: [PATCH 3/6] Add changelog for release 1.4.0
---
 CHANGELOG.md | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8228e17..8f832ee 100644
--- a/CHANGELOG.md
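Review bot: The issuer check compares against `$expected_issuer`, a file-level value built from `$tid` once at load time in the earlier hunk; where `$tid` is assigned is not visible here, and if it is set after that line or changed at runtime the expected issuer is stale and every token fails with "fails issuer validation". Either confirm `$tid` is final before line 12 of jwt.jst, or build the string where it is used: `var expectedIss = "https://login.microsoftonline.com/" + $tid + "/v2.0";`. Separately, RFC 7519 allows `aud` to be an array of strings; Entra ID v2.0 tokens carry a single string so the `!=` comparison is fine for this issuer, but a comment such as `// aud is a single string for Entra ID v2.0 tokens; the array form is intentionally rejected` would record that the asymmetry is deliberate. `VerifyTokenData` begins and ends outside the hunk.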
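Review bot: In the `LogTokenData` hunk the rewritten log line interpolates `$objId`, the raw `SHA256` output, instead of `$strhex`; `$strhex` is computed and never used, and the log entry now carries whatever byte form `SHA256` returns rather than the hex string the old code emitted. Change it to `$str = " : OAUTH objectId=" + $strhex + " JWT expiration=" + $tkdata['exp'];`. If `$tkdata['oid']` can be absent the hash is taken over an undefined value; the old `email` path had the same exposure, so a guard is optional but cheap.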
+++ b/CHANGELOG.md
@@ -4,16 +4,24 @@ All notable changes to this project will be documented in this file. Dates are d
 Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
+#### [1.4.0](https://github.com/rdkcentral/webui/compare/1.3.0...1.4.0)
+
+- RDKB-61349: [SECVULN] Issuer and audience validation missing [`#65`](https://github.com/rdkcentral/webui/pull/65)
+- XER10-1896: Adding regex to validate client hostname [`#76`](https://github.com/rdkcentral/webui/pull/76)
+- Merge tag '1.3.0' into develop [`1547fb9`](https://github.com/rdkcentral/webui/commit/1547fb9941bcb1c50feb2cb83a36afa0c47eda8f)
+
 #### [1.3.0](https://github.com/rdkcentral/webui/compare/1.2.1...1.3.0)
+> 6 November 2025
+
 - RDKB-61788 : Input elements blocked in WebUI can be bypassed in HCM mode [`#40`](https://github.com/rdkcentral/webui/pull/40)
 - RDKB-61758: Removed MoCA option in GUI in bridge mode. [`#66`](https://github.com/rdkcentral/webui/pull/66)
 - RDKB-62246 : Harden WebUI Login - Exclude for sky partner [`#64`](https://github.com/rdkcentral/webui/pull/64)
 - RDKB-61875: 320MHz BW is not greyed out for ax mode in 6G [`#60`](https://github.com/rdkcentral/webui/pull/60)
 - RDKB-62077: Failed to add Parental Control Managed Service with Alway… [`#63`](https://github.com/rdkcentral/webui/pull/63)
 - RDKB-62246 : Harden WebUI Login - Exclude sky dev [`3640651`](https://github.com/rdkcentral/webui/commit/3640651507fcc6b59a0de629aac7a067151da825)
+- Add changelog for release [`6c027d8`](https://github.com/rdkcentral/webui/commit/6c027d8fbc9eb1949c0a89ea498cb0613caa59aa)
 - RDKB-62077: Failed to add Parental Control Managed Service with AlwaysBlock enabled [`aeee8d9`](https://github.com/rdkcentral/webui/commit/aeee8d90f5d68201cd96a8fe9172a96f3845c02d)
-- RDKB-61875: 320MHz BW is not grayed out for ax mode in 6G [`0295e22`](https://github.com/rdkcentral/webui/commit/0295e22210c281a7a7b453cd94e54f18f63d296e)
 #### [1.2.1](https://github.com/rdkcentral/webui/compare/1.2.0...1.2.1)
From 7a46ce8a5089d971ddb9b72c688ffc27840989d2 Mon Sep 17 00:00:00 2001 From: roushan-tel Date: Thu, 4 Dec 2025 23:05:53 +0530 Subject: [PATCH 4/6] RDKB-62532: Removing 400ns Guard Interval for 11ax/be for WiFi standards (#77) RDKB-62532: Removing 400ns Guard Interval for 11ax/be for WiFi standards Reason for change: 400ns Guard Interval is not applicable for 11ax/be Test Procedure: Build and verify in MSO page Risks: Low Priority: P1 Co-authored-by: anoopchelakkode <65686868+anoopchelakkode@users.noreply.github.com> --- .../xb6/jst/wireless_network_configuration_onewifi.jst | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/source/Styles/xb6/jst/wireless_network_configuration_onewifi.jst b/source/Styles/xb6/jst/wireless_network_configuration_onewifi.jst index 4566719..0c51e04 100644 --- a/source/Styles/xb6/jst/wireless_network_configuration_onewifi.jst +++ b/source/Styles/xb6/jst/wireless_network_configuration_onewifi.jst @@ -1869,7 +1869,9 @@ if($OperatingChannelBandwidth == "6GHz")
- 400ns + + 400ns + />800ns @@ -2121,7 +2123,9 @@ if($OperatingChannelBandwidth == "6GHz")
- 400ns + + 400ns + />800ns @@ -2314,7 +2318,6 @@ if($OperatingChannelBandwidth == "6GHz")
- 400ns />800ns
From 805c7eea816b6cb4c5a7e49d8bb2f8193bbcf26b Mon Sep 17 00:00:00 2001
From: satish-kotapati
Date: Wed, 10 Dec 2025 04:39:57 +0530
Subject: [PATCH 5/6] RDKBDEV-3296: Xfinity Connection status page returns error 404 Not Found (#49) Reason for change: webui connection status page returns error Test Procedure: login to webui and open connection status page Risks: None
Signed-off-by: sai satish kotapati
Co-authored-by: Sukanya673 <60687655+Sukanya673@users.noreply.github.com>
Co-authored-by: anoopchelakkode <65686868+anoopchelakkode@users.noreply.github.com>
---
 source/Styles/xb3/jst/connection_status.jst | 4 +++-
 source/Styles/xb3/jst/includes/utility.jst | 26 ++++++++++-----------
 2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/source/Styles/xb3/jst/connection_status.jst b/source/Styles/xb3/jst/connection_status.jst
index 7142591..2eba34b 100644
--- a/source/Styles/xb3/jst/connection_status.jst
+++ b/source/Styles/xb3/jst/connection_status.jst
@@ -419,8 +419,10 @@ if(($allowEthWan=="true") || ($autoWanEnable=="true")) {
 echo('Active Ethernet WAN');
 }else if(strtolower($selectedOperationalMode)=="docsis"){
 echo('Active Docsis WAN');
- }else{
+ }else if($selectedOperationalMode == "auto"){
 echo('Active Auto WAN');
+ }else{
+ echo('Unknown WAN');
 }
 }else{
 $wan_enable= getStr("Device.Ethernet.X_RDKCENTRAL-COM_WAN.Enabled");
diff --git a/source/Styles/xb3/jst/includes/utility.jst b/source/Styles/xb3/jst/includes/utility.jst
index ac6dc74..4a9c97a 100644
--- a/source/Styles/xb3/jst/includes/utility.jst
+++ b/source/Styles/xb3/jst/includes/utility.jst
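Review bot: The new `}else if($selectedOperationalMode == "auto"){` branch in connection_status.jst is case-sensitive while the docsis branch two lines above lower-cases the value first. `current_operationalMode()` synthesises a lower-case `"auto"` on its WanManager path, but on its other path it returns the `SelectedOperationalMode` TR-181 string untouched, whose capitalisation is not visible here; if that string is `Auto`, the page now renders `Unknown WAN` for an auto-WAN device. Use `}else if(strtolower($selectedOperationalMode)=="auto"){` to match the neighbouring comparison. The surrounding `if(($allowEthWan=="true") || ...)` block starts outside the hunk.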
@@ -1237,20 +1237,18 @@ function current_operationalMode()
 $selectedOperationalMode=getStr("Device.X_RDKCENTRAL-COM_EthernetWAN.SelectedOperationalMode");
 }
 else{
- if(is_docsis_supported()) {
- $docsisEnable =getStr("Device.X_RDK_WanManager.Interface.1.Selection.Enable");
- $ethernetEnable =getStr("Device.X_RDK_WanManager.Interface.2.Selection.Enable");
- } else {
- $ethernetEnable = getStr("Device.X_RDK_WanManager.Interface.1.Selection.Enable");
- $docsisEnable = "false";
- }
-
- if(($ethernetEnable=="true") && ($docsisEnable=="false")){
- $selectedOperationalMode="Ethernet";
- }else if(($ethernetEnable=="false") && ($docsisEnable=="true")){
- $selectedOperationalMode="DOCSIS";
- }else if(($ethernetEnable=="true") && ($docsisEnable=="true")){
- $selectedOperationalMode="Auto";
+ $selectedOperationalMode = getStr("Device.X_RDK_WanManager.InterfaceAvailableStatus");
+ if ($selectedOperationalMode == "") {
+ $selectedOperationalMode = "unknown";
+ }
+ else if ($selectedOperationalMode.includes("|")) {
+ //If more than a single WAN is configured
+ $selectedOperationalMode = "auto";
+ }
+ else {
+ // Split the string by comma and extract the first part
+ $parts = $selectedOperationalMode.split(",");
+ $selectedOperationalMode = $parts[0];
 }
 }
 return $selectedOperationalMode;
From 71e3c4785f8f67d1ad50151267cf7db9fbee1591 Mon Sep 17 00:00:00 2001
From: roushan-tel
Date: Fri, 12 Dec 2025 22:08:50 +0530
Subject: [PATCH 6/6] RDKB-62740: Disable 320MHz for 11ax mode ion 6GHz (#83) RDKB-62740: Disable 320MHz for 11ax mode ion 6GHz Reason for change: 320MHz not supported for 11ax mode in 6GHz Test Procedure: Build and verify in MSO page Risks: Low Priority: P1
---
 .../xb6/jst/wireless_network_configuration_onewifi.jst | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/source/Styles/xb6/jst/wireless_network_configuration_onewifi.jst b/source/Styles/xb6/jst/wireless_network_configuration_onewifi.jst
index 0c51e04..70a1fd5 100644
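Review bot: The single-WAN case returns the raw first comma-separated field of `InterfaceAvailableStatus`, neither trimmed nor case-normalised, while the multi-WAN case returns lower-case `"auto"` where the removed code returned `"Auto"` and `"Ethernet"`/`"DOCSIS"`; callers doing exact string comparison (connection_status.jst lower-cases only its docsis test) will now see different spellings depending on which path produced the value. Normalise the pass-through, `$selectedOperationalMode = strtolower(trim($parts[0]));`, and add a comment stating the expected format of the TR-181 string — from the `|` and `,` handling I infer `IFACE,STATE|IFACE,STATE`, which should be confirmed against WanManager. `String.prototype.includes` is an ES2015 method; if the template interpreter predates it, `indexOf("|") != -1` is the safer spelling. The function header and the `SelectedOperationalMode` branch lie outside the hunk.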
--- a/source/Styles/xb6/jst/wireless_network_configuration_onewifi.jst
+++ b/source/Styles/xb6/jst/wireless_network_configuration_onewifi.jst
@@ -808,6 +808,13 @@ $(document).ready(function() {
 $("#operation_mode1").prop("disabled", true);
 }
 }).trigger("change");
+ $("#wireless_mode3").change(function() {
+ if ("ax"==$("#wireless_mode3").val()) {
+ $("#channel_bandwidth7").prop("disabled", true);
+ } else if("ax,be"==$("#wireless_mode3").val() || "be"==$("#wireless_mode3").val()) {
+ $("#channel_bandwidth7").prop("disabled", false);
+ }
+ }).trigger("change");
 $("#channel_number").change(function() {
 show_extch(document.getElementById("channel_number").value);
 }).trigger("change");
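Review bot: The handler toggles `#channel_bandwidth7` only for the three exact values `ax`, `ax,be` and `be`, so any other mode leaves the control in whatever state the previous selection set, and disabling the select does not clear a 320MHz value that was already chosen — depending on how the form is serialised, a user who picks 320MHz and then switches to `ax` may still submit it, and can in any case re-enable the control from the browser devtools. Greying out in the browser is a hint, not enforcement (the 1.3.0 changelog's RDKB-61788 entry describes this bypass class), so the server-side handler that applies the bandwidth should reject 320MHz for `ax` as well; I cannot see that handler from here. Client-side, derive the state from the current mode unconditionally: `$("#channel_bandwidth7").prop("disabled", "ax" == $("#wireless_mode3").val());`. The `$(document).ready` block starts and ends outside the hunk.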