From b4ac68eee571300d1fd77966a3b561954f1e2a8b Mon Sep 17 00:00:00 2001
From: fvanroie <15969459+fvanroie@users.noreply.github.com>
Date: Sat, 5 Feb 2022 03:13:54 +0100
Subject: [PATCH] Http password could be overwritten by 8 asterisks
---
 src/sys/svc/hasp_http.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/sys/svc/hasp_http.cpp b/src/sys/svc/hasp_http.cpp
index a07c1dbe..a8393429 100644
--- a/src/sys/svc/hasp_http.cpp
+++ b/src/sys/svc/hasp_http.cpp
@@ -534,7 +534,8 @@ static void webHandleApiConfig()
 return;
 }
- if(!settings[FPSTR(FP_CONFIG_PASS)].isNull()) {
+ // Mask non-blank passwords
+ if(!settings[FPSTR(FP_CONFIG_PASS)].isNull() && settings[FPSTR(FP_CONFIG_PASS)].as().length() != 0) {
 settings[FPSTR(FP_CONFIG_PASS)] = D_PASSWORD_MASK;
 }
@@ -2458,7 +2459,8 @@ bool httpSetConfig(const JsonObject& settings)
 strncpy(http_config.username, settings[FPSTR(FP_CONFIG_USER)], sizeof(http_config.username));
 }
- if(!settings[FPSTR(FP_CONFIG_PASS)].isNull()) {
+ if(!settings[FPSTR(FP_CONFIG_PASS)].isNull() &&
+ settings[FPSTR(FP_CONFIG_PASS)].as() != String(FPSTR(D_PASSWORD_MASK))) {
 changed |= strcmp(http_config.password, settings[FPSTR(FP_CONFIG_PASS)]) != 0;
 strncpy(http_config.password, settings[FPSTR(FP_CONFIG_PASS)], sizeof(http_config.password));
 }
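Review bot: The value written in webHandleApiConfig (`settings[FPSTR(FP_CONFIG_PASS)] = D_PASSWORD_MASK;`) is an in-band sentinel, and this commit teaches only httpSetConfig to ignore it when a client posts the configuration back. If this handler also returns settings for other modules that carry the same `pass` key (not visible in this hunk), their setters would presumably still store the mask as the real password. The mask comparison would be safer in one shared helper that every password setter calls. The function body starts and ends outside the hunk.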
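Review bot: The widened condition in httpSetConfig still lets a non-string `pass` value reach `strcmp` and `strncpy`, because `isNull()` only rules out a missing or null entry. If this is ArduinoJson, as the `JsonObject` type suggests, a number or object there converts to a null `const char*`, so I would add `settings[FPSTR(FP_CONFIG_PASS)].is<const char*>()` to the guard. The unchanged `strncpy` beneath it leaves `http_config.password` unterminated when the submitted value is at least `sizeof(http_config.password)` long; unless the buffer is terminated elsewhere, follow it with `http_config.password[sizeof(http_config.password) - 1] = '\0';`. The literal mask string can also no longer be chosen as a password, and the request is dropped without any signal to the caller. The function body starts and ends outside the hunk.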