From 8dd1c936e28cd793e1fd8d0286bb8f58bf1a9cc1 Mon Sep 17 00:00:00 2001
From: yuanyuanxiang <962914132@qq.com>
Date: Mon, 18 May 2026 23:56:05 +0200
Subject: [PATCH] Security: Web admin password via YAMA_WEB_ADMIN_PASS,
 decoupled from master password

---
 server/2015Remote/2015RemoteDlg.cpp | 17 +++++++++++++----
 server/2015Remote/UIBranding.h      |  5 +++++
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/server/2015Remote/2015RemoteDlg.cpp b/server/2015Remote/2015RemoteDlg.cpp
index 5ced138..89027f6 100644
--- a/server/2015Remote/2015RemoteDlg.cpp
+++ b/server/2015Remote/2015RemoteDlg.cpp
@@ -1877,11 +1877,20 @@ BOOL CMy2015RemoteDlg::OnInitDialog()
     auto webSvrPort = THIS_CFG.GetInt("settings", "WebSvrPort", -1);
     if (webSvrPort > 0) {
         WebService().SetParentDlg(this);
-        // Use master password as web login password
-        if (!m_superPass.empty()) {
-            WebService().SetAdminPassword(m_superPass);
+        // Pick web admin password: prefer the web-specific env var so the
+        // Web UI password can be rotated independently of the master
+        // password (BRAND_ENV_VAR) used for licensing / sub-server HMAC.
+        // Fall back to m_superPass for backward compatibility — existing
+        // deployments keep working without changing env vars.
+        const char* webPassEnv = getenv(BRAND_WEB_ENV_VAR);
+        std::string webPass = (webPassEnv && *webPassEnv) ? webPassEnv : m_superPass;
+        if (!webPass.empty()) {
+            WebService().SetAdminPassword(webPass);
+            Mprintf("[WebService] Admin password configured from %s\n",
+                    (webPassEnv && *webPassEnv) ? BRAND_WEB_ENV_VAR : BRAND_ENV_VAR);
         } else {
-            Mprintf("[WebService] Warning: No master password set, web login disabled\n");
+            Mprintf("[WebService] Warning: neither %s nor %s set, web login disabled\n",
+                    BRAND_WEB_ENV_VAR, BRAND_ENV_VAR);
         }
         // HideWebSessions: 1=hide (default), 0=show (for debugging)
         WebService().SetHideWebSessions(THIS_CFG.GetInt("settings", "HideWebSessions", 1) != 0);
diff --git a/server/2015Remote/UIBranding.h b/server/2015Remote/UIBranding.h
index e8b3a16..e9ed0b4 100644
--- a/server/2015Remote/UIBranding.h
+++ b/server/2015Remote/UIBranding.h
@@ -293,6 +293,11 @@
 #define BRAND_LICENSE_MAGIC     "YAMA"      // 许可证魔数
 #define BRAND_EVENT_PREFIX      "YAMA"      // 进程事件名前缀
 #define BRAND_ENV_VAR           "YAMA_PWD"  // 环境变量名（set YAMA_PWD=密码）
+// Web UI 专用 admin 密码；优先级高于 BRAND_ENV_VAR。两者都未设置时退回到
+// 兼容行为（用 m_superPass）。隔离的目的是让公网 Web 登录密码与下级授权
+// 用的 master password 解耦——后者一旦泄漏影响面更大，应避免在公网登录
+// 时复用。与 Go 服务端的 YAMA_WEB_ADMIN_PASS 语义一致。
+#define BRAND_WEB_ENV_VAR       "YAMA_WEB_ADMIN_PASS"
 
 // --- 宽字符版本（自动生成）---
 #define BRAND_APP_NAME_W        _T(BRAND_APP_NAME)