From 8d71040acfec06095abce2f48be8affd4b2d1d92 Mon Sep 17 00:00:00 2001
From: Dmitry Monakhov
Date: Tue, 2 Jun 2026 18:13:46 +0200
Subject: [PATCH] Don't restore cached backup password (bkpw) from backup file

Restore mirrored the write-side strip of bkpw: a crafted backup could inject setting.bkpw and fixate the password used for future backups. Drop it on restore
---
 shared/backups.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/shared/backups.py b/shared/backups.py
index 169533b8..07fb2f56 100644
--- a/shared/backups.py
+++ b/shared/backups.py
@@ -201,6 +201,13 @@ def restore_from_dict_ll(vals, raw):
 k = key[8:]
+ if k == 'bkpw':
+ # never import a cached backup password from a backup file.
+ # write-side (render_backup_contents) strips bkpw, so a present
+ # value means a tampered/crafted file trying to fixate the
+ # password used for all FUTURE backups - drop it.
+ continue
+
 if k == 'sd2fa':
 # do NOT restore sd2fa as SD card can be lost or damaged
 # new version of firmware 5.1.3+ will not back sd2fa
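Review bot: The new `if k == 'bkpw': continue` branch discards the value silently, so the one indication that the file may have been tampered with is lost, even though the added comment says a present `bkpw` means a crafted file. Consider reporting the dropped key to the caller or user rather than only skipping it; a warning rather than a hard failure seems safer, since backups written before the write-side strip existed (not visible in this hunk) might carry the key legitimately. The branch is also a second hand-maintained exclusion next to `sd2fa`, and has to stay in step with what `render_backup_contents` strips; one shared tuple checked as `if k in <shared_exclusion_tuple>: continue` (placeholder name) would keep the write and restore sides aligned. The diffstat touches only `shared/backups.py`, so a restore test that feeds a dict containing `setting.bkpw` and asserts the stored value is unchanged would pin the fix. `restore_from_dict_ll` begins and ends outside this hunk.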