Fix enduser_setup default POST request #2852
Conversation
I am still wondering why it didn't fail when I tested the module before we merged it 😕.
I didn't understand half of the C-code I was just scanning but IMO this isn't a proper fix.
This violates the behavior documented in `@return` of the function but that's just a detail. I feel a fix should go into `enduser_setup_http_handle_credentials` around lines 817ff.
- check if it's a GET request, we use `if (strncmp(data, "GET ", 4) == 0)` elsewhere, and if so then run the existing code
- else run some alternate code that handles `wifi_ssid=xxx&wifi_password=aa<EOL>` or `wifi_password=aa&wifi_ssid=xxx<EOL>` or `custom_param=bb&wifi_password=aa&wifi_ssid=xxx<EOL>` (i.e. searching for `&` or `<EOL>`?)
@marcelstoer Marcel, I agree that the fix is not perfect. That's the problem with comments, they are never adapted to code changes. But that's a different discussion. A proper fix would IMHO be to extract the params in the respective GET and POST handler and pass only this substring. I could also leave
True, that sounds like a good plan - as long as we keep in mind that the string may contain other
👍 IMHO rolling back is not an option, forward-fixing is.
This should be fixed in a better way now.
app/modules/enduser_setup.c (outdated)
 *
 * Search string for first occurence of any char in srch_str.
 * Search string for first occurence of deliemiter '&' or ' '.
I think there are a few naming/linguistic issues. All of them tiny but in combination this isn't easy to comprehend:
- I don't understand the second sentence in this comment.
- `@return -1 if...` is no longer true.
- `get_len(const char *str)` is extremely generic, can the function and the param be named more precisely? `*str` is expected to be a "value&key=..." string, no?
ok. To avoid more checkins:

```c
/**
 * Get length of param value
 *
 * This is being called with a fragment of the parameters passed in the
 * URL for GET requests or part of the body of a POST request.
 * The string will look like one of these
 *   "SecretPassword HTTP/1.1"
 *   "SecretPassword&wifi_ssid=..."
 *   "SecretPassword"
 * The string is searched for the first occurrence of delimiter '&' or ' '.
 * If found, return the length up to that position.
 * If not found, return the length of the string.
 *
 */
static int enduser_setup_get_lenth_of_param_value(const char *str)
```
Are you using an enduser_setup.html file on the SPIFFS filesystem or the built-in version?
Omg, answered so fast, before I deleted the question after seeing that I'm posting into a pull request. I'm using the built-in version, will try to read how to use it properly; I thought so, that I did not see all the changes. Thank you
Partially fixes #2847.
This PR is for the `dev` branch rather than for `master`.
Rationale
The out-of-the-box enduser_setup does not work as the param parsing fails.
It assumes there is a ' ' or '&' to terminate the params.
While this is true for the GET request (where the params are part of the URL, which is followed by " HTTP/1.1"), it does not hold for POST requests, where the message ends with the last char of the params.
This fix returns a false positive if the request is malformed and does not have a space to terminate the URL.
But since message parsing is not very strict anyhow, that should be OK (for now).
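The parsing described in the rationale above and in the doc comment posted earlier in the thread ('&' or ' ' terminates a value, otherwise the value runs to the end of the string), as an added example that is not nodemcu-firmware's code. It goes a little beyond the thread: it locates the parameter block separately for GET (after '?' on the request line) and POST (after the blank line), matches a key only at the start of a "key=value" segment, refuses values that do not fit the destination buffer, and shows the malformed-GET false positive the rationale mentions. The names `param_value_length`, `find_params`, `get_param`, `parse_credentials`, `credentials_match`, `MAX_VALUE_LEN` and the three sample requests are all constructed for this illustration.

```c
/* Added example (not nodemcu-firmware code): bounded extraction of
 * "key=value&key=value" parameters from a GET query string or a POST body. */
#include <stdio.h>
#include <string.h>

#define MAX_VALUE_LEN 64

/* Value length: up to the first '&' or ' ' (" HTTP/1.1" follows a GET
 * query string), else the rest of the string (end of a POST body). */
static size_t param_value_length(const char *str)
{
    return strcspn(str, "& ");
}

/* Start of the parameters: after '?' on a GET request line, after the
 * blank line for POST; NULL otherwise. A real handler must also bound the
 * body by the bytes actually received; this relies on the NUL terminator. */
static const char *find_params(const char *request)
{
    if (strncmp(request, "GET ", 4) == 0) {
        const char *eol = strstr(request, "\r\n");
        size_t line_len = eol ? (size_t)(eol - request) : strlen(request);
        const char *q = memchr(request, '?', line_len);
        return q ? q + 1 : NULL;
    }
    if (strncmp(request, "POST ", 5) == 0) {
        const char *body = strstr(request, "\r\n\r\n");
        return body ? body + 4 : NULL;
    }
    return NULL;
}

/* Copy the value of key into out, NUL-terminated. The key must start a
 * "key=value" segment, so "ssid" cannot match inside "wifi_ssid".
 * Returns the value length, -1 if absent, -2 if it does not fit
 * (a credential must never be truncated silently). */
static int get_param(const char *params, const char *key, char *out, size_t out_size)
{
    size_t key_len = strlen(key);
    const char *p = params;

    while (*p != '\0') {
        if (strncmp(p, key, key_len) == 0 && p[key_len] == '=') {
            const char *value = p + key_len + 1;
            size_t len = param_value_length(value);
            if (len >= out_size)
                return -2;
            memcpy(out, value, len);
            out[len] = '\0';
            return (int)len;
        }
        size_t seg = strcspn(p, "& ");   /* next segment, or end of params */
        if (p[seg] != '&')
            break;
        p += seg + 1;
    }
    return -1;
}

/* 1 if both credentials are present and fit their buffers, else 0. */
static int parse_credentials(const char *request, char *ssid, size_t ssid_size,
                             char *pw, size_t pw_size)
{
    const char *params = find_params(request);
    if (params == NULL)
        return 0;
    return get_param(params, "wifi_ssid", ssid, ssid_size) >= 0 &&
           get_param(params, "wifi_password", pw, pw_size) >= 0;
}

/* 1 if request parses to exactly these credentials. */
static int credentials_match(const char *request, const char *exp_ssid, const char *exp_pw)
{
    char ssid[MAX_VALUE_LEN], pw[MAX_VALUE_LEN];
    return parse_credentials(request, ssid, sizeof ssid, pw, sizeof pw) &&
           strcmp(ssid, exp_ssid) == 0 && strcmp(pw, exp_pw) == 0;
}

/* Constructed samples: a GET, a POST whose body ends at the last value,
 * and a malformed GET with no space after the query string. */
static const char GET_REQ[] =
    "GET /setwifi?wifi_ssid=MyNet&wifi_password=SecretPassword HTTP/1.1\r\n\r\n";
static const char POST_REQ[] =
    "POST /setwifi HTTP/1.1\r\nContent-Length: 44\r\n\r\n"
    "wifi_password=SecretPassword&wifi_ssid=MyNet";
static const char BAD_REQ[] =
    "GET /setwifi?wifi_ssid=MyNet&wifi_password=SecretPassword";

int main(void)
{
    printf("GET: %d\n", credentials_match(GET_REQ, "MyNet", "SecretPassword"));
    printf("POST: %d\n", credentials_match(POST_REQ, "MyNet", "SecretPassword"));
    /* Still accepted: the password simply runs to the end of the string. */
    printf("malformed GET: %d\n", credentials_match(BAD_REQ, "MyNet", "SecretPassword"));
    return 0;
}
```

Values are copied as they arrive on the wire; URL decoding ('+' and %xx) and any check for characters the SSID or password may not contain belong after extraction, once the value is already bounded. Because extraction stops at the first space, a form body with a raw space in it would be cut short, which is acceptable for application/x-www-form-urlencoded bodies, where spaces are never sent literally.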