From d84b5fdfd894ffe3cd0a2e3b87ac0c4ea38def13 Mon Sep 17 00:00:00 2001
From: Theo Arends <11044339+arendst@users.noreply.github.com>
Date: Sun, 21 Feb 2021 14:17:51 +0100
Subject: [PATCH] Fix web request accepts wrong password

Fix web request accepts wrong password (#11039)
---
 CHANGELOG.md | 1 +
 RELEASENOTES.md | 1 +
 tasmota/xdrv_01_webserver.ino | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f565c2f0c..bec272b29 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ All notable changes to this project will be documented in this file.
 - Shutter driver (#11055)
 - ESP32 Mi32 driver (#11048)
 - TM1637 driver now needs ``TM1637 CLK`` and ``TM1637 DIO`` to enable (#11057)
+- Web request accepts wrong password (#11039)
 ## [Released]
diff --git a/RELEASENOTES.md b/RELEASENOTES.md
index 97b9f1316..8f8ac126a 100644
--- a/RELEASENOTES.md
+++ b/RELEASENOTES.md
@@ -88,3 +88,4 @@ The attached binaries can also be downloaded from http://ota.tasmota.com/tasmota
 - Shutter driver [#11055](https://github.com/arendst/Tasmota/issues/11055)
 - ESP32 Mi32 driver [#11048](https://github.com/arendst/Tasmota/issues/11048)
 - TM1637 driver now needs ``TM1637 CLK`` and ``TM1637 DIO`` to enable [#11057](https://github.com/arendst/Tasmota/issues/11057)
+- Web request accepts wrong password [#11039](https://github.com/arendst/Tasmota/issues/11039)
diff --git a/tasmota/xdrv_01_webserver.ino b/tasmota/xdrv_01_webserver.ino
index de6eb9abc..4ded970b9 100644
--- a/tasmota/xdrv_01_webserver.ino
+++ b/tasmota/xdrv_01_webserver.ino
@@ -2676,7 +2676,7 @@ void HandleHttpCommand(void)
 // Prefer authorization via HTTP header (Basic auth), if it fails, use legacy method via GET parameters
 char tmp1[33];
 WebGetArg(PSTR("user"), tmp1, sizeof(tmp1));
- char tmp2[strlen(SettingsText(SET_WEBPWD)) + 1];
+ char tmp2[strlen(SettingsText(SET_WEBPWD)) + 2]; // Need space for an entered password longer than set password
 WebGetArg(PSTR("password"), tmp2, sizeof(tmp2));
 if (!(!strcmp(tmp1, WEB_USERNAME) && !strcmp(tmp2, SettingsText(SET_WEBPWD)))) {
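Review bot: The password check at `char tmp2[strlen(SettingsText(SET_WEBPWD)) + 2]` is correct only because the buffer is exactly one byte longer than the stored password, so the authentication result still depends on how WebGetArg truncates its output (its body is not in this hunk; presumably it cuts the argument to the buffer size). That invariant is easy to break in a later edit and the trailing comment does not state it; I would word it as `// +2: keep one byte past the stored password so a longer input with the right prefix still fails strcmp`. Checking the length of the untruncated argument before the `strcmp` on the following `if` line would make the rejection explicit instead of a side effect of buffer sizing. HandleHttpCommand starts and ends outside this hunk.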