From a4d4588509fdd151ad173b1d17ee87b35668a23f Mon Sep 17 00:00:00 2001
From: bergware <bergware@users.noreply.github.com>
Date: Sat, 11 Jan 2020 07:29:19 +0100
Subject: [PATCH 1/6] User password: hide base64 conversion

---
 plugins/dynamix/UserAdd.page  | 14 +++++++++-----
 plugins/dynamix/UserEdit.page | 14 +++++++++-----
 2 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/plugins/dynamix/UserAdd.page b/plugins/dynamix/UserAdd.page
index 5540ff0b9..0366746ea 100644
--- a/plugins/dynamix/UserAdd.page
+++ b/plugins/dynamix/UserAdd.page
@@ -55,15 +55,17 @@ function checkUsername(form) {
     swal({title:"Invalid user name",text:"Do not use reserved names",type:"error"});
     return false;
   }
-  if (form.userPassword.value.length > 128 || form.userPasswordConf.value.length > 128) {
+  if (form.userPasswordGUI.value.length > 128 || form.userPasswordConfGUI.value.length > 128) {
     swal({title:"Password too long",text:"Use a password up to 128 characters",type:"error"});
     return false;
   }
   if (filename) {
     $.post("/webGui/include/FileUpload.php",{cmd:'save',path:path,filename:filename,output:username+'.png'});
   }
-  form.userPassword.value = base64(form.userPassword.value);
-  form.userPasswordConf.value = base64(form.userPasswordConf.value);
+  form.userPassword.value = base64(form.userPasswordGUI.value);
+  form.userPasswordConf.value = base64(form.userPasswordConfGUI.value);
+  form.userPasswordGUI.disabled = true;
+  form.userPasswordConfGUI.disabled = true;
   return true;
 }
 
@@ -138,12 +140,14 @@ Custom image:
 > The image will be scaled to 48x48 pixels in size. The maximum image file upload size is 95 kB (97,280 bytes).
 
 Password:
-: <input type="password" name="userPassword" maxlength="129" onKeyUp="this.form.cmdUserEdit.disabled=(this.form.userName.value=='' || this.form.userPassword.value!=this.form.userPasswordConf.value)">
+<input type="hidden" name="userPassword" value="">
+: <input type="password" name="userPasswordGUI" maxlength="129" onKeyUp="this.form.cmdUserEdit.disabled=(this.form.userName.value=='' || this.form.userPasswordGUI.value!=this.form.userPasswordConfGUI.value)">
 
 > Up to 128 characters.
 
 Retype password:
-: <input type="password" name="userPasswordConf" maxlength="129" onKeyUp="this.form.cmdUserEdit.disabled=(this.form.userName.value=='' || this.form.userPassword.value!=this.form.userPasswordConf.value)">
+<input type="hidden" name="userPasswordConf" value="">
+: <input type="password" name="userPasswordConfGUI" maxlength="129" onKeyUp="this.form.cmdUserEdit.disabled=(this.form.userName.value=='' || this.form.userPasswordGUI.value!=this.form.userPasswordConfGUI.value)">
 
 &nbsp;
 : <input type="submit" name="cmdUserEdit" value="Add" disabled><input type="button" value="Done" onclick="done('UserAdd')">
diff --git a/plugins/dynamix/UserEdit.page b/plugins/dynamix/UserEdit.page
index 804f4cf6f..5ce5c7c51 100644
--- a/plugins/dynamix/UserEdit.page
+++ b/plugins/dynamix/UserEdit.page
@@ -47,12 +47,14 @@ var path = '/boot/config/plugins/dynamix/users';
 var filename = '';
 
 function checkPassword(form) {
-  if (form.userPassword.value.length > 128 || form.userPasswordConf.value.length > 128) {
+  if (form.userPasswordGUI.value.length > 128 || form.userPasswordConfGUI.value.length > 128) {
     swal({title:"Password too long",text:"Use a password up to 128 characters",type:"error"});
     return false;
   }
-  form.userPassword.value = base64(form.userPassword.value);
-  form.userPasswordConf.value = base64(form.userPasswordConf.value);
+  form.userPassword.value = base64(form.userPasswordGUI.value);
+  form.userPasswordConf.value = base64(form.userPasswordConfGUI.value);
+  form.userPasswordGUI.disabled = true;
+  form.userPasswordConfGUI.disabled = true;
   return true;
 }
 
@@ -157,12 +159,14 @@ Delete<input type="checkbox" name="confirmDelete" onChange="chkDelete(this.form,
 <form markdown="1" method="POST" action="/update.htm" target="progressFrame" onsubmit="return checkPassword(this)">
 <input type="hidden" name="userName" value="<?=htmlspecialchars($name)?>">
 Password:
-: <input type="password" name="userPassword" maxlength="129" onKeyUp="this.form.cmdUserEdit.disabled=(this.form.userPassword.value != this.form.userPasswordConf.value);">
+<input type="hidden" name="userPassword" value="">
+: <input type="password" name="userPasswordGUI" maxlength="129" onKeyUp="this.form.cmdUserEdit.disabled=(this.form.userPasswordGUI.value != this.form.userPasswordConfGUI.value);">
 
 > Up to 128 characters.
 
 Retype password:
-: <input type="password" name="userPasswordConf" maxlength="129" onKeyUp="this.form.cmdUserEdit.disabled=(this.form.userPassword.value != this.form.userPasswordConf.value);">
+<input type="hidden" name="userPasswordConf" value="">
+: <input type="password" name="userPasswordConfGUI" maxlength="129" onKeyUp="this.form.cmdUserEdit.disabled=(this.form.userPasswordGUI.value != this.form.userPasswordConfGUI.value);">
 
 &nbsp;
 : <input type="submit" name="cmdUserEdit" value="Change" disabled><input type="button" value="Done" onclick="done('UserEdit')">

From 7805001f1f572db882881363ba02ce7d06041a4a Mon Sep 17 00:00:00 2001
From: bergware <bergware@users.noreply.github.com>
Date: Sun, 12 Jan 2020 10:06:56 +0100
Subject: [PATCH 2/6] Select username field when login page is loaded

---
 login.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/login.php b/login.php
index 3a877b663..ed2ded119 100644
--- a/login.php
+++ b/login.php
@@ -339,7 +339,7 @@ $theme_dark = in_array($display['theme'],['black','gray']);
 
                 <form action="/login" method="POST">
                     <p>
-                        <input name="username" type="text" placeholder="Username" required>
+                        <input name="username" type="text" placeholder="Username" autofocus required>
                         <input name="password" type="password" placeholder="Password" required>
                     </p>
                     <? if ($error) echo '<p class="error">'.$error.'</p>'; ?>

From 7bc3ddfded7f7dc5062968865792e54296f8b408 Mon Sep 17 00:00:00 2001
From: bergware <bergware@users.noreply.github.com>
Date: Sun, 12 Jan 2020 22:26:45 +0100
Subject: [PATCH 3/6] login: autocapitalize="none"

---
 login.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/login.php b/login.php
index ed2ded119..e37942d81 100644
--- a/login.php
+++ b/login.php
@@ -339,7 +339,7 @@ $theme_dark = in_array($display['theme'],['black','gray']);
 
                 <form action="/login" method="POST">
                     <p>
-                        <input name="username" type="text" placeholder="Username" autofocus required>
+                        <input name="username" type="text" placeholder="Username" autocapitalize="none" autofocus required>
                         <input name="password" type="password" placeholder="Password" required>
                     </p>
                     <? if ($error) echo '<p class="error">'.$error.'</p>'; ?>

From 76323ecc5c40240030a4d431728dadcff88c906e Mon Sep 17 00:00:00 2001
From: bergware <bergware@users.noreply.github.com>
Date: Sun, 12 Jan 2020 22:31:09 +0100
Subject: [PATCH 4/6] Login: trim trailing spaces

---
 login.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/login.php b/login.php
index e37942d81..630c5aac9 100644
--- a/login.php
+++ b/login.php
@@ -31,7 +31,7 @@ if ($_SERVER['REQUEST_URI'] == '/logout') {
             $_SESSION['unraid_user'] = $_POST['username'];
             session_regenerate_id(true);
             session_write_close();
-            exec("logger -t webGUI ".escapeshellarg("Successful login user {$_POST['username']} from {$_SERVER['REMOTE_ADDR']}"));        
+            exec("logger -t webGUI ".escapeshellarg("Successful login user {$_POST['username']} from {$_SERVER['REMOTE_ADDR']}"));
             header("Location: /".$var['START_PAGE']);
             exit;
         }

From 3a7fa8c351f4e106c921445412a733ecd4027fd8 Mon Sep 17 00:00:00 2001
From: bergware <bergware@users.noreply.github.com>
Date: Mon, 13 Jan 2020 22:07:21 +0100
Subject: [PATCH 5/6] Passphrase printable charcaters only

---
 plugins/dynamix/ArrayOperation.page | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/plugins/dynamix/ArrayOperation.page b/plugins/dynamix/ArrayOperation.page
index 4e05f755a..cb12658d1 100644
--- a/plugins/dynamix/ArrayOperation.page
+++ b/plugins/dynamix/ArrayOperation.page
@@ -131,8 +131,18 @@ function prepareInput(form) {
   form.text.disabled = true;
   form.copy.disabled = true;
   if (form.text.value) {
-    $(form).append('<input type="hidden" name="luksKey" value="'+base64(form.text.value)+'">');
-    form.submit();
+    var valid = new RegExp('^[ -~]+$');
+    if (valid.test(form.text.value)) {
+      $(form).append('<input type="hidden" name="luksKey" value="'+base64(form.text.value)+'">');
+      form.submit();
+    } else {
+      form.input.disabled = false;
+      form.local.disabled = false;
+      form.file.disabled = false;
+      form.text.disabled = false;
+      form.copy.disabled = false;
+      swal({title:'Printable Characters Only',text:'Use <b>ASCII</b> characters from space " " to tilde "~"<br>Otherwise use the <b>keyfile</b> method for UTF8 input',html:true,type:'error'});
+    }
     return;
   }
   var data = {};

From b651ef23e91e31488aa39b55c25c7c9b10f001ae Mon Sep 17 00:00:00 2001
From: bergware <bergware@users.noreply.github.com>
Date: Tue, 14 Jan 2020 08:14:59 +0100
Subject: [PATCH 6/6] Encryption: enforced keyfile selection/deletion when file
 exists

---
 plugins/dynamix/ArrayOperation.page | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/plugins/dynamix/ArrayOperation.page b/plugins/dynamix/ArrayOperation.page
index cb12658d1..68922ee1b 100644
--- a/plugins/dynamix/ArrayOperation.page
+++ b/plugins/dynamix/ArrayOperation.page
@@ -42,7 +42,7 @@ function check_encryption() {
   echo mk_option(1,'text','Passphrase');
   echo mk_option(1,'file','Keyfile');
   echo "</select></td></tr>";
-  echo "<tr id='text'><td></td><td class='gap'>Passphrase:</td><td><input type='password' name='text' maxlength='512' value='' onkeyup='selectInput(this.form)'><input name='showPass' type='checkbox' onchange='selectInput(this.form)'>show passphrase</td></tr>";
+  echo "<tr id='text'><td></td><td class='gap'>Passphrase:</td><td><input type='password' name='text' maxlength='512' value='' onkeyup='selectInput(this.form)' placeholder='use printable characters only'><input name='showPass' type='checkbox' onchange='selectInput(this.form)'>show passphrase</td></tr>";
   echo "<tr id='copy'><td></td><td class='gap'>Retype passphrase:</td><td><input type='password' name='copy' maxlength='512' value='' onkeyup='selectInput(this.form)'></td></tr>";
   echo "<tr id='file'><td></td><td class='gap'>Keyfile:</td><td><input type='file' name='local' onchange='getFileContent(event,this.form)'></td></tr>";
 }
@@ -80,6 +80,10 @@ span#pass{display:none;margin-left:20px}
 var ctrl = "<span class='status <?=$tabbed?'':'vhshift'?>'><a style='cursor:pointer' class='tooltip_diskio' title='Toggle reads/writes display' onclick='toggle_diskio();return false'><i class='toggle fa'></i></a></span>";
 
 function selectInput(form) {
+<?if ($wrong && $keyfile):?>
+  form.input.value = 'file';
+  form.input.disabled = true;
+<?endif;?>
   if (form.input.value == 'text') {
     form.file.value = '';
     form.local.value = '';