Merge pull request #2225 from unraid/backport-fix-encr-passphrase-7-1

Backport to 7.1: fix for encryption passphrase sometimes incorrect
2026-01-06 01:29:54 -06:00 · 2025-06-02 08:57:22 -07:00
parent d2ec23b9ac ef49c7e6b5
commit 20dd4b85b7
10 changed files with 120 additions and 94 deletions
--- a/emhttp/plugins/dynamix.docker.manager/DockerSettings.page
+++ b/emhttp/plugins/dynamix.docker.manager/DockerSettings.page
@@ -381,7 +381,7 @@ _(IPv4 custom network on interface)_ <?=$network?> (_(optional)_):
 : <input type="checkbox" id="DOCKER_CUSTOM_<?=$port?>_edit" onchange="changeCustom(this.id,4)"<?=$subnet?'checked':''?>><span id="DOCKER_CUSTOM_<?=$port?>_line" class="<?=$subnet?'':'disabled'?>">
  <span class="<?=$ip4class?>">**_(Subnet)_:** <input type="text" id="DOCKER_CUSTOM_<?=$port?>_net" name="DOCKER_SUBNET_<?=$port?>" class="ip4" value="<?=$subnet?>" title="_(IPv4 address A.B.C.D)_"<?=$disabled?>>/
  <select id="DOCKER_CUSTOM_<?=$port?>_mask" name="DOCKER_MASK_<?=$port?>" class="mask"<?=$disabled?>>
-  <?for ($m=16; $m<=30; $m++) echo mk_option($mask?:24,$m,$m)?></select>
+  <?for ($m=25; $m<=30; $m++) echo mk_option($mask?:24,$m,$m)?></select>
  </span>
  <span class="<?=$gw4class?>">**_(Gateway)_:** <input type="text" id="DOCKER_CUSTOM_<?=$port?>_gw" name="DOCKER_GATEWAY_<?=$port?>" class="ip4" value="<?=htmlspecialchars(_var($dockercfg,"DOCKER_GATEWAY_$port"))?>" title="_(IPv4 address A.B.C.D)_"<?=$disabled?>></span>
  <input type="checkbox" id="DOCKER_CUSTOM_<?=$port?>_dhcp" onchange="customDHCP(this.id,4)"<?=$subnet?'checked':''?><?=$dhcpDisabled?>>
--- a/emhttp/plugins/dynamix/ArrayOperation.page
+++ b/emhttp/plugins/dynamix/ArrayOperation.page
@@ -17,27 +17,37 @@ Nchan="device_list,disk_load,parity_list"
 ?>
 <?
 $keyfile = file_exists(_var($var,'luksKeyfile'));
-$missing = file_exists('/var/tmp/missing.tmp');
 $spot    = _var($var,'mdResyncPos',0)>0;
 $poolsOnly  = (_var($var,'SYS_ARRAY_SLOTS') == 0 ) ? true : false;

 /* only one of $present, $missing, or $wrong will be true, or all will be false */
-$forced = $present = $wrong = false;
-foreach ($disks as $disk) {
-  if (strpos(_var($disk,'fsType'),'luks:')!==false || (_var($disk,'fsType')=='auto' && strpos(_var($var,'defaultFsType'),'luks:')!==false)) $forced = true;
-  if (_var($disk,'luksState',0)==1) $present = true;
-  if (_var($disk,'luksState',0)==2) $missing = true;
-  if (_var($disk,'luksState',0)==3) $wrong = true;
+$forced = $present = $missing = $wrong = false;
+
+foreach (luks_filter($disks) as $disk) {
+  $fsType = _var($disk,'fsType');
+  $luks   = str_starts_with($fsType,'luks:');
+  $auto   = $fsType == 'auto';
+  if ($luks || ($auto && str_starts_with(_var($var,'defaultFsType'),'luks:'))) $forced = true;
+  if ($luks || $auto) switch (_var($disk,'luksState',0)) {
+    case 1: $present = true; break;
+    case 2: $missing = true; break;
+    case 3: $wrong = true; break;
+  }
 }
+
 $encrypt = $forced || $present || $missing || $wrong;
 if ($forced && ($present || $missing || $wrong)) $forced = false;

 function check_encryption() {
  global $forced, $missing, $wrong;
-  if ($forced) $status = _('Enter new key');
-  elseif ($missing) $status = _('Missing key');
-  elseif ($wrong) $status = _('Wrong key');
-  else return;
+  if ($forced)
+    $status = _('Enter new key');
+  elseif ($missing)
+    $status = _('Missing key');
+  elseif ($wrong)
+    $status = _('Wrong key');
+  else
+    return;
  echo "<tr><td></td><td class='gap'>",_('Encryption status').":</td><td><span class='red-text'>$status</span><span id='pass'><input name='luksReformat' type='checkbox' onchange='selectInput(this.form)'>permit reformat</span></td></tr>";
  echo "<tr><td></td><td class='gap'>",_('Encryption input').":</td><td>";
  echo "<select name='input' size='1' onchange='selectInput(this.form)'>";
--- a/emhttp/plugins/dynamix/DiskSettings.page
+++ b/emhttp/plugins/dynamix/DiskSettings.page
@@ -4,8 +4,8 @@ Icon="icon-disks"
 Tag="icon-disk"
 ---
 <?PHP
-/* Copyright 2005-2023, Lime Technology
- * Copyright 2012-2023, Bergware International.
+/* Copyright 2005-2025, Lime Technology
+ * Copyright 2012-2025, Bergware International.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License version 2,
@@ -63,15 +63,30 @@ function setIndex(form) {
 }
 function prepareForm(form) {
 <?if (!$keyfile):?>
-  form.oldluks.value = base64(form.oldtext.value);
+  form.oldluks.value = base64(form.oldtext.value.replace(/\\"/g,'"'));
  form.oldtext.disabled = true;
  form.oldfile.disabled = true;
 <?endif;?>
-  form.newluks.value = base64(form.newtext.value);
-  form.newtext.disabled = true;
-  form.newcopy.disabled = true;
-  form.newfile.disabled = true;
+  var valid = new RegExp('^[ -~]+$');
+  if (form.newinput.value == 'file') return true;
+  if (valid.test(form.newtext.value)) {
+    form.newluks.value = base64(form.newtext.value.replace(/\\"/g,'"'));
+    form.newtext.disabled = true;
+    form.newcopy.disabled = true;
+    form.newfile.disabled = true;
+    return true;
+  } else {
+    swal({
+      title:"_(Printable Characters Only)_",
+      text:"_(Use **ASCII** characters from space ' ' to tilde '~')_<br>_(Otherwise use the **keyfile** method for UTF8 input)_",
+      html:true,
+      type:'error',
+      confirmButtonText:"_(Ok)_"
+    });
+    return false;
+  }
 }
+
 function getFileContent(event,form,file) {
  var input = event.target;
  var reader = new FileReader();
@@ -268,7 +283,7 @@ _(Default critical SSD temperature threshold)_ (&deg;<?=_var($display,'unit','C'

 <?if ($encrypt && $var['fsState']=='Started'):?>
 <div class="title"><span class="left"><i class="title fa fa-key"></i>_(Change encryption key)_</span></div>
-<form markdown="1" method="POST" action="/update.php" target="progressFrame" onsubmit="prepareForm(this)">
+<form markdown="1" method="POST" action="/update.php" target="progressFrame" onsubmit="return prepareForm(this)">
 <input type="hidden" name="#file" value="">
 <input type="hidden" name="#include" value="/webGui/include/update.encryption.php">
 <input type="hidden" name="#reply" value="<?=$reply?>">
--- a/emhttp/plugins/dynamix/Eth0.page
+++ b/emhttp/plugins/dynamix/Eth0.page
@@ -813,7 +813,7 @@ _(IPv4 address assignment)_:
  <?=mk_option(_var($eth0,"USE_DHCP:$i"), 'no', _('Static'))?>
  <?=mk_option(_var($eth0,"USE_DHCP:$i"), '', _('None'))?>
  </select>
-  <span class="gw4-eth0-<?=$i?> hide"><input type="checkbox" name="USE_GW4:<?=$i?>" onchange="selectGW(this.form,4,<?=$i?>,'slow')" <?=_var($eth0,"USE_GW:$i")?'checked':''?>><?=$enable?></span>
+  <span class="gw4-eth0-<?=$i?> hide"><input type="checkbox" name="USE_GW4:<?=$i?>" onchange="selectGW(this.form,4,<?=$i?>,'slow')" <?=_var($eth0,"USE_GW4:$i")?'checked':''?>><?=$enable?></span>

 :eth_ipv4_address_assignment_help:

--- a/emhttp/plugins/dynamix/EthX.page
+++ b/emhttp/plugins/dynamix/EthX.page
@@ -171,7 +171,7 @@ _(IPv4 address assignment)_:
  <?=mk_option(_var($ethX,"USE_DHCP:0"), 'no', _('Static'))?>
  <?=mk_option(_var($ethX,"USE_DHCP:0"), '', _('None'))?>
  </select>
-  <span class="gw4-ethX-0 hide"><input type="checkbox" name="USE_GW4:0" onchange="selectGW(this.form,4,0,'slow')" <?=_var($ethX,"USE_GW:0")?'checked':''?>><?=$enable?></span>
+  <span class="gw4-ethX-0 hide"><input type="checkbox" name="USE_GW4:0" onchange="selectGW(this.form,4,0,'slow')" <?=_var($ethX,"USE_GW4:0")?'checked':''?>><?=$enable?></span>

 :eth_ipv4_address_assignment_help:

@@ -278,7 +278,7 @@ _(IPv4 address assignment)_:
  <?=mk_option(_var($ethX,"USE_DHCP:$i"), 'no', _('Static'))?>
  <?=mk_option(_var($ethX,"USE_DHCP:$i"), '', _('None'))?>
  </select>
-  <span class="gw4-ethX-<?=$i?> hide"><input type="checkbox" name="USE_GW4:<?=$i?>" onchange="selectGW(this.form,4,<?=$i?>,'slow')" <?=_var($ethX,"USE_GW:$i")?'checked':''?>><?=$enable?></span>
+  <span class="gw4-ethX-<?=$i?> hide"><input type="checkbox" name="USE_GW4:<?=$i?>" onchange="selectGW(this.form,4,<?=$i?>,'slow')" <?=_var($ethX,"USE_GW4:$i")?'checked':''?>><?=$enable?></span>

 :eth_ipv4_address_assignment_help:

--- a/emhttp/plugins/dynamix/include/Helpers.php
+++ b/emhttp/plugins/dynamix/include/Helpers.php
@@ -1,6 +1,6 @@
 <?PHP
-/* Copyright 2005-2023, Lime Technology
- * Copyright 2012-2023, Bergware International.
+/* Copyright 2005-2025, Lime Technology
+ * Copyright 2012-2025, Bergware International.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License version 2,
@@ -75,6 +75,9 @@ function data_only($disk) {
 function cache_only($disk) {
  return _var($disk,'type')=='Cache';
 }
+function luks_only($disk) {
+  return _var($disk,'type')=='Data' || _var($disk,'type')=='Cache';
+}
 function main_filter($disks) {
  return array_filter($disks,'main_only');
 }
@@ -87,6 +90,9 @@ function data_filter($disks) {
 function cache_filter($disks) {
  return array_filter($disks,'cache_only');
 }
+function luks_filter($disks) {
+  return array_filter($disks, 'luks_only');
+}
 function pools_filter($disks) {
  return array_unique(array_map('prefix',array_keys(cache_filter($disks))));
 }
@@ -329,13 +335,13 @@ function my_mkdir($dirname,$permissions = 0777,$recursive = false,$own = "nobody
    case "zfs":
      if (is_dir($parent.'/.zfs')) {
        write_logging("ZFS Volume\n");
-        $zfsdataset = trim(shell_exec("zfs list -H -o name  $parent")); 
+        $zfsdataset = trim(shell_exec("zfs list -H -o name  $parent"));
        write_logging("Shell $zfsdataset\n");
        $zfsdataset .= str_replace($parent,"",$dirname);
        write_logging("Dataset $zfsdataset\n");
        $zfsoutput = array();
        if ($recursive) exec("zfs create -p \"$zfsdataset\"",$zfsoutput,$rtncode);else exec("zfs create \"$zfsdataset\"",$zfsoutput,$rtncode);
-        write_logging("Output: {$zfsoutput[0]} $rtncode"); 
+        write_logging("Output: {$zfsoutput[0]} $rtncode");
        if ($rtncode == 0)  write_logging( " ZFS Command OK\n"); else  write_logging( "ZFS Command Fail\n");
      } else {write_logging("Not ZFS dataset\n");$rtncode = 1;}
      if ($rtncode > 0) { mkdir($dirname, $permissions, $recursive); write_logging( "created dir:$dirname\n");} else chmod($zfsdataset,$permissions);
@@ -396,8 +402,8 @@ function my_rmdir($dirname) {
  return($return);
 }
 function get_realvolume($path) {
-  if (strpos($path,"/mnt/user/",0) === 0) 
-    $reallocation = trim(shell_exec("getfattr --absolute-names --only-values -n system.LOCATION ".escapeshellarg($path)." 2>/dev/null")); 
+  if (strpos($path,"/mnt/user/",0) === 0)
+    $reallocation = trim(shell_exec("getfattr --absolute-names --only-values -n system.LOCATION ".escapeshellarg($path)." 2>/dev/null"));
  else {
    $realexplode = explode("/",str_replace("/mnt/","",$path));
    $reallocation = $realexplode[0];
@@ -411,8 +417,7 @@ function write_logging($value) {
  file_put_contents('/tmp/my_mkdir_output', $value, FILE_APPEND);
 }

-function device_exists($name)
-{
+function device_exists($name) {
  global $disks,$devs;
  return (array_key_exists($name, $disks) && !str_contains(_var($disks[$name],'status'),'_NP')) || (array_key_exists($name, $devs));
 }
--- a/emhttp/plugins/dynamix/include/KeyUpload.php
+++ b/emhttp/plugins/dynamix/include/KeyUpload.php
@@ -1,6 +1,6 @@
 <?PHP
-/* Copyright 2005-2023, Lime Technology
- * Copyright 2012-2023, Bergware International.
+/* Copyright 2005-2025, Lime Technology
+ * Copyright 2012-2025, Bergware International.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License version 2,
@@ -11,21 +11,15 @@
 */
 ?>
 <?
-$var = parse_ini_file('/var/local/emhttp/var.ini');
-$ini = '/var/local/emhttp/keyfile.ini';
-$tmp = '/var/tmp/missing.tmp';
+$var  = parse_ini_file('/var/local/emhttp/var.ini');
 $luks = $var['luksKeyfile'];
 $text = $_POST['text'] ?? false;
 $file = $_POST['file'] ?? false;

-if ($text) {
-  file_put_contents($luks, $text);
-} elseif ($file) {
-  file_put_contents($luks, base64_decode(preg_replace('/^data:.*;base64,/','',$file)));
-  @unlink($tmp);
-} elseif (file_exists($luks)) {
+if ($file) {
+  file_put_contents($luks, base64_decode(explode(';base64,',$file)[1]));
+} elseif ($text && file_exists($luks)) {
  unlink($luks);
-  touch($tmp);
 }
 $save = false;
 ?>
--- a/emhttp/plugins/dynamix/include/Wrappers.php
+++ b/emhttp/plugins/dynamix/include/Wrappers.php
@@ -25,14 +25,13 @@ $_arrow_ = '&#187;';
 function file_put_contents_atomic($filename,$data) {
  while (true) {
    $suffix = rand();
-    if ( ! is_file("$filename$suffix") )
-      break;
+    if (!is_file("$filename$suffix")) break;
  }
  $renResult = false;
  $writeResult = @file_put_contents("$filename$suffix",$data) === strlen($data);
-  if ( $writeResult )
+  if ($writeResult)
    $renResult = @rename("$filename$suffix",$filename);
-  if ( ! $writeResult || ! $renResult ) {
+  if (!$writeResult || !$renResult) {
    my_logger("File_put_contents_atomic failed to write / rename $filename");
    @unlink("$filename$suffix");
    return false;
@@ -74,13 +73,13 @@ function agent_fullname($agent, $state) {
 function get_plugin_attr($attr, $file) {
  global $docroot;
  exec("$docroot/plugins/dynamix.plugin.manager/scripts/plugin ".escapeshellarg($attr)." ".escapeshellarg($file), $result, $error);
-  if ($error===0) return $result[0];
+  if ($error === 0) return $result[0];
 }

 function plugin_update_available($plugin, $os=false) {
  $local  = get_plugin_attr('version', "/var/log/plugins/$plugin.plg");
  $remote = get_plugin_attr('version', "/tmp/plugins/$plugin.plg");
-  if ($remote && strcmp($remote,$local)>0) {
+  if ($remote && strcmp($remote,$local) > 0) {
    if ($os) return $remote;
    if (!$unraid = get_plugin_attr('Unraid', "/tmp/plugins/$plugin.plg")) return $remote;
    $server = get_plugin_attr('version', "/var/log/plugins/unRAIDServer.plg");
@@ -102,7 +101,7 @@ function fahrenheit($temp) {

 function displayTemp($temp) {
  global $display;
-  return (is_numeric($temp) && _var($display,'unit')=='F') ? fahrenheit($temp) : $temp;
+  return (is_numeric($temp) && _var($display,'unit') == 'F') ? fahrenheit($temp) : $temp;
 }

 function get_value(&$name, $key, $default) {
@@ -217,11 +216,10 @@ function my_logger($message, $logger='webgui') {
 * @param ?array $getinfo Empty array passed by reference, will contain results of curl_getinfo and curl_error, or null if not needed
 * @return string|false $out The fetched content
 */
-function http_get_contents(string $url, array $opts = [], ?array &$getinfo = NULL) {
+function http_get_contents(string $url, array $opts=[], ?array &$getinfo=NULL) {
  $ch = curl_init();
-  if(isset($getinfo)) {
-    curl_setopt($ch, CURLINFO_HEADER_OUT, TRUE);
-  }
+  if (isset($getinfo))
+    curl_setopt($ch, CURLINFO_HEADER_OUT, true);
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_setopt($ch, CURLOPT_FRESH_CONNECT, true);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
@@ -232,8 +230,8 @@ function http_get_contents(string $url, array $opts = [], ?array &$getinfo = NUL
  curl_setopt($ch, CURLOPT_REFERER, "");
  curl_setopt($ch, CURLOPT_FAILONERROR, true);
  curl_setopt($ch, CURLOPT_USERAGENT, 'Unraid');
-  if(is_array($opts) && $opts) {
-    foreach($opts as $key => $val) {
+  if (is_array($opts) && count($opts) > 0) {
+    foreach ($opts as $key => $val) {
      curl_setopt($ch, $key, $val);
    }
  }
@@ -247,8 +245,8 @@ function http_get_contents(string $url, array $opts = [], ?array &$getinfo = NUL
    $getinfo = curl_getinfo($ch);
  }
  if ($errno = curl_errno($ch)) {
-    $msg = "Curl error $errno: " . (curl_error($ch) ?: curl_strerror($errno)) . ". Requested url: '$url'";
-    if(isset($getinfo)) {
+    $msg = "Curl error $errno: ".(curl_error($ch) ?: curl_strerror($errno)).". Requested url: '$url'";
+    if (isset($getinfo)) {
      $getinfo['error'] = $msg;
    }
    my_logger($msg, "http_get_contents");
@@ -272,4 +270,8 @@ function lan_port($port, $state=false) {
  $exist = file_exists("$system/$port");
  return !$state ? $exist : ($exist ? (@file_get_contents("$system/$port/carrier") ?: 0) : false);
 }
+
+function shieldarg(...$args) {
+  return implode(' ', array_map('escapeshellarg', $args));
+}
 ?>
--- a/emhttp/plugins/dynamix/include/update.encryption.php
+++ b/emhttp/plugins/dynamix/include/update.encryption.php
@@ -1,6 +1,6 @@
 <?PHP
-/* Copyright 2005-2023, Lime Technology
- * Copyright 2012-2023, Bergware International.
+/* Copyright 2005-2025, Lime Technology
+ * Copyright 2012-2025, Bergware International.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License version 2,
@@ -22,63 +22,65 @@ $save   = false;
 $disks  = parse_ini_file('state/disks.ini',true);
 $newkey = parse_ini_file('state/var.ini')['luksKeyfile'] ?: '/root/keyfile';
 $oldkey = dirname($newkey).'/oldfile';
-$delkey = !is_file($newkey);
 $crypto = [];

-foreach (glob('/dev/disk/by-id/*CRYPT-LUKS*',GLOB_NOSORT) as $disk) {
+foreach (glob('/dev/disk/by-id/*CRYPT-LUKS*', GLOB_NOSORT) as $disk) {
  $disk = explode('-',$disk);
  $crypto[] = array_pop($disk);
 }
-if (count($crypto)==0) die();
+if (count($crypto) == 0) reply(_('No encrypted disks found'),'warning');

 function delete_file(...$file) {
-  array_map('unlink',array_filter($file,'is_file'));
+  array_map('unlink', array_filter($file,'is_file'));
 }
-function removeKey($key,$disk) {
+
+function removeKey($key, $disk) {
  $match = $slots = 0;
-  $dump = popen("cryptsetup luksDump /dev/$disk",'r');
-  while (($row = fgets($dump))!==false) {
-    if (strncmp($row,'Version:',8)==0) {
-      switch (trim(explode(':',$row)[1])) {
+  $dump = popen("cryptsetup luksDump ".escapeshellarg("/dev/$disk"), 'r');
+  while (($row = fgets($dump)) !== false) {
+    if (strncmp($row,'Version:',8) == 0) {
+      switch (trim(explode(':', $row)[1])) {
        case 1: $match = '/^Key Slot \d+: ENABLED$/'; break;
        case 2: $match = '/^\s+\d+: luks2$/'; break;
      }
    }
-    if ($match && preg_match($match,$row)) $slots++;
+    if ($match && preg_match($match, $row)) $slots++;
  }
  pclose($dump);
-  if ($slots > 1) exec("cryptsetup luksRemoveKey /dev/$disk $key &>/dev/null");
+  if ($slots > 1) exec("cryptsetup luksRemoveKey ".shieldarg("/dev/$disk", $key)." &>/dev/null");
 }
+
 function diskname($name) {
  global $disks;
-  foreach ($disks as $disk) if (strncmp($name,$disk['device'],strlen($disk['device']))==0) return $disk['name'];
+  foreach ($disks as $disk) if (strncmp($name, $disk['device'], strlen($disk['device'])) == 0) return $disk['name'];
  return $name;
 }
-function reply($text,$type) {
-  global $oldkey,$newkey,$delkey;
+
+function reply($text, $type) {
+  global $oldkey, $newkey;
  $reply = _var($_POST,'#reply');
-  if (realpath(dirname($reply))=='/var/tmp') file_put_contents($reply,$text."\0".$type);
+  if (realpath(dirname($reply)) == '/var/tmp') file_put_contents($reply, $text."\0".$type);
  delete_file($oldkey);
-  if (_var($_POST,'newinput','text')=='text' || $delkey) delete_file($newkey);
+  if (_var($_POST,'newinput','text') == 'text') delete_file($newkey);
  die();
 }

 if (isset($_POST['oldinput'])) {
  switch ($_POST['oldinput']) {
  case 'text':
-    file_put_contents($oldkey,base64_decode(_var($_POST,'oldluks')));
+    file_put_contents($oldkey, base64_decode(_var($_POST,'oldluks')));
    break;
  case 'file':
-    file_put_contents($oldkey,base64_decode(explode(';base64,',_var($_POST,'olddata','x;base64,'))[1]));
+    file_put_contents($oldkey, base64_decode(explode(';base64,',_var($_POST,'olddata','x;base64,'))[1]));
    break;
  }
 } else {
-  if (is_file($newkey)) copy($newkey,$oldkey);
+  if (is_file($newkey)) copy($newkey, $oldkey);
 }

 if (is_file($oldkey)) {
  $disk = $crypto[0]; // check first disk only (key is the same for all disks)
-  exec("cryptsetup luksOpen --test-passphrase --key-file $oldkey /dev/$disk &>/dev/null",$null,$error);
+  exec("cryptsetup luksOpen --test-passphrase --key-file ".shieldarg($oldkey, "/dev/$disk")." &>/dev/null", $null, $error);
 } else $error = 1;

 if ($error > 0) reply(_('Incorrect existing key'),'warning');
@@ -86,25 +88,25 @@ if ($error > 0) reply(_('Incorrect existing key'),'warning');
 if (isset($_POST['newinput'])) {
  switch ($_POST['newinput']) {
  case 'text':
-    file_put_contents($newkey,base64_decode(_var($_POST,'newluks')));
+    file_put_contents($newkey, base64_decode(_var($_POST,'newluks')));
    $luks = 'luksKey';
-    $data = _var($_POST,'newluks');
+    $data = str_replace('+', '%2B', _var($_POST,'newluks'));
    break;
  case 'file':
-    file_put_contents($newkey,base64_decode(explode(';base64,',_var($_POST,'newdata','x;base64,'))[1]));
+    file_put_contents($newkey, base64_decode(explode(';base64,',_var($_POST,'newdata','x;base64,'))[1]));
    $luks = 'luksKey=&luksKeyfile';
    $data = $newkey;
    break;
  }
  $good = $bad = [];
  foreach ($crypto as $disk) {
-    exec("cryptsetup luksAddKey --key-file $oldkey /dev/$disk $newkey &>/dev/null",$null,$error);
-    if ($error==0) $good[] = $disk; else $bad[] = diskname($disk);
+    exec("cryptsetup luksAddKey --key-file ".shieldarg($oldkey, "/dev/$disk", $newkey)." &>/dev/null", $null, $error);
+    if ($error == 0) $good[] = $disk; else $bad[] = diskname($disk);
  }
-  if (count($bad)==0) {
+  if (count($bad) == 0) {
    // all okay, remove the old key
-    foreach ($good as $disk) removeKey($oldkey,$disk);
-    exec("emcmd 'changeDisk=apply&$luks=$data'");
+    foreach ($good as $disk) removeKey($oldkey, $disk);
+    exec("emcmd ".escapeshellarg("changeDisk=apply&$luks=$data"));
    reply(_('Key successfully changed'),'success');
  } else {
    // something went wrong, restore key
--- a/emhttp/plugins/dynamix/nchan/device_list
+++ b/emhttp/plugins/dynamix/nchan/device_list
@@ -1,7 +1,7 @@
 #!/usr/bin/php -q
 <?PHP
-/* Copyright 2005-2023, Lime Technology
- * Copyright 2012-2023, Bergware International.
+/* Copyright 2005-2025, Lime Technology
+ * Copyright 2012-2025, Bergware International.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License version 2,
@@ -126,11 +126,9 @@ function vfs_type(&$disk,$online = false) {
  global $disks, $pools, $crypto;
  $fsType = _var($disk,'fsType','');
  $luks   = '';
-  if (empty($fsType))
-    return $fsType;
-  if ($crypto) switch (_var($disk,'luksState',0)) {
+  if (empty($fsType)) return;
+  if (vfs_luks($fsType) && $crypto) switch (_var($disk,'luksState',0)) {
    case 0:
-      if (vfs_luks($fsType))
      $luks = "<a class='info'><i class='padlock fa fa-unlock-alt orange-text'></i><span>"._('Device to be encrypted')."</span></a>";
      break;
    case 1: