Ivan Grokhotkov
@igrr
just fail hard and fast
Me No Dev
@me-no-dev
is that the only reason why write would fail?
Ivan Grokhotkov
@igrr
It may also fail due to EMI or bad power supply, but those issues should, IMO, be made as obvious as possible.
Me No Dev
@me-no-dev
ok, hard fail it is :)
Mehrdad K
@mkeyno
Hi everyone, so sorry for the interruption. Can anyone tell me how to catch the IP address of a client connected to the webserver in AP and Station mode? Is the following code correct?
#include <ESP8266WebServer.h>

ESP8266WebServer server(80);

void handleRoot() {
  // remoteIP() is the address of the client that sent this request
  Serial.print("this request is from=");
  Serial.println(server.client().remoteIP());

  server.send(200, "text/html", "<h1>You are connected to slave node</h1>");
}
Hagai Shatz
@hagai-shatz
@everslick and @me-no-dev, why do we have to send 'Content-Disposition: inline; filename='...'' with every file that we serve? This is overhead IMHO and also exposes the actual file location in the file system. Sorry, I was not following the full discussion on it, but as far as I can read this is not HTTP standard and has some security risks: stackoverflow
Me No Dev
@me-no-dev
@hagai-shatz so it was better before?
@mkeyno if(server.client().localIP() != WiFi.localIP()){ server.send(200, "text/html", "<h1>You are connected to my AP</h1>"); }
Hagai Shatz
@hagai-shatz
I'm not sure... I think it is good to add Content-Disposition: attachment; filename='...' to force a download, but I think it is better to only provide the file name without the path.
@everslick what is the case for adding 'inline'? Maybe it is only relevant to some file types?
Me No Dev
@me-no-dev
yeah, but... in the case where the AP is off and the STA is in the same subnet as the AP, it will give a false positive
best to check against the STA IP
Mehrdad K
@mkeyno
Thanks, dear @me-no-dev, and sorry @hagai-shatz for crossing. But who has the client IP registration? Is there another choice besides localIP() & remoteIP()? I want to catch the authorized IP to process its command.
Me No Dev
@me-no-dev
client IP registration?
Mehrdad K
@mkeyno
IP of the connected client
Me No Dev
@me-no-dev
server.client().remoteIP() is its remote IP
localIP() is the IP that the client connected to
Ivan Grokhotkov
@igrr
I think @mkeyno wants to get the IP of the client
so it's server.client().remoteIP()
Mehrdad K
@mkeyno
thanks Ivan, yes, but I want to be sure that my way of checking the authorized IP with server.client().remoteIP() is correct
Ivan Grokhotkov
@igrr
what's "authorized IP"?
Me No Dev
@me-no-dev
and what is your way of checking it?
Mehrdad K
@mkeyno
authorized client, I want to check authentication with the client's IP
Ivan Grokhotkov
@igrr
lol, how much security that adds I wonder?
Mehrdad K
@mkeyno
compare it with pre-saved IPs
Ivan Grokhotkov
@igrr
basically, as an attacker, I can set myself any static IP
and then cycle through all subnet IPs until I find one which is authorized
Me No Dev
@me-no-dev
if you are in the subnet
Mehrdad K
@mkeyno
wow!!!?? How dumb I am. So what should I do, Ivan?
Me No Dev
@me-no-dev
there is authorization in the server
Ivan Grokhotkov
@igrr
yeah, at least use the basic-security thing in the web server, although it won't stand against Wireshark.
Mehrdad K
@mkeyno
this is only for users intending to open the webpage from SPIFFS
but what if two machines intend to talk to each other over a pre-set secure line?
Me No Dev
@me-no-dev
HTTP talk?
Ivan Grokhotkov
@igrr
since we don't have HTTPS in webserver (yet...), your best bet would be to use something like DIGEST-MD5
Me No Dev
@me-no-dev
@igrr I think we can bring real digest md5 to the server for auth
Mehrdad K
@mkeyno
My sensor ESP module sends data to my ESP actuator module, so I must be sure someone else doesn't send unauthorized actions to the actuator module
I can set the IP address of the sensor module in my actuator module, but as you say it is a total leak
Ivan Grokhotkov
@igrr
quick fix: use MQTT. add an MQTT broker to the system, make sensors and actuators connect to the MQTT broker with TLS and client certificate authentication, and that's going to be pretty secure
Mehrdad K
@mkeyno
wow Ivan, your offer is quite a lot of time for me
Ivan Grokhotkov
@igrr
another way: authenticate the command from sensor to actuator with HMAC-MD5
Mehrdad K
@mkeyno
what is HMAC-MD5?
do you have any example of that?
Ivan Grokhotkov
@igrr
it's a hash message authentication code based on MD5
Mehrdad K
@mkeyno
ok, thank you guys, sorry for this interruption, please continue your professional discussion
Hagai Shatz
@hagai-shatz
We are all professionals @mkeyno , you are one of us now! ;-)
Mehrdad K
@mkeyno
no, I'm a novice walking in the gods' presence
Hagai Shatz
@hagai-shatz
From RFC 6266 section 4.2:

On the other hand, if it matches "inline" (case-insensitively), this implies default processing. Therefore, the disposition type "inline" is only useful when it is augmented with additional parameters, such as the filename (see below).
Hagai Shatz
@hagai-shatz
To my understanding, this code is more to the point (not tested):
  if(download) {
    // set filename and force download; send only the file name, not the path
    int filenameStart = path.lastIndexOf('/') + 1;
    // "attachment; filename=\"\"" is 23 chars plus NUL; 26 leaves a little slack
    char buf[26 + path.length() - filenameStart];
    const char* filename = path.c_str() + filenameStart;
    // RFC 6266 filename values are a token or a double-quoted string
    snprintf(buf, sizeof(buf), "attachment; filename=\"%s\"", filename);
    addHeader("Content-Disposition", buf);
  }
Me No Dev
@me-no-dev
@everslick had some issues viewing files, but that could have been due to the Content-Type