scifijunkie/pwnagotchi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:evilsocket/pwnagotchi

Browse Source
This commit is contained in:
Simone Margaritelli 2019-10-26 17:15:58 +02:00
commit 68c11ada8d
3 changed files with 21 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pwnagotchi/defaults.yml
View File

@ -211,7 +211,7 @@ ui:
video: video:
enabled: true enabled: true
address: '0.0.0.0' address: '0.0.0.0'
origin: '*' origin: null
port: 8080 port: 8080
# command to be executed when a new png frame is available # command to be executed when a new png frame is available
# for instance, to use with framebuffer based displays: # for instance, to use with framebuffer based displays:

33
pwnagotchi/ui/web.py
View File

@ -75,7 +75,7 @@ SHUTDOWN = """<html>
class Handler(BaseHTTPRequestHandler): class Handler(BaseHTTPRequestHandler):
AllowedOrigin = '*' AllowedOrigin = None # CORS headers are not sent
# suppress internal logging # suppress internal logging
def log_message(self, format, *args): def log_message(self, format, *args):
@ -88,12 +88,13 @@ class Handler(BaseHTTPRequestHandler):
self.send_header("X-XSS-Protection", "1; mode=block") self.send_header("X-XSS-Protection", "1; mode=block")
self.send_header("Referrer-Policy", "same-origin") self.send_header("Referrer-Policy", "same-origin")
# cors # cors
self.send_header("Access-Control-Allow-Origin", Handler.AllowedOrigin) if Handler.AllowedOrigin:
self.send_header('Access-Control-Allow-Credentials', 'true') self.send_header("Access-Control-Allow-Origin", Handler.AllowedOrigin)
self.send_header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS") self.send_header('Access-Control-Allow-Credentials', 'true')
self.send_header("Access-Control-Allow-Headers", self.send_header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
"Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization") self.send_header("Access-Control-Allow-Headers",
self.send_header("Vary", "Origin") "Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization")
self.send_header("Vary", "Origin")
# just render some html in a 200 response # just render some html in a 200 response
def _html(self, html): def _html(self, html):
@ -132,15 +133,18 @@ class Handler(BaseHTTPRequestHandler):
# check the Origin header vs CORS # check the Origin header vs CORS
def _is_allowed(self): def _is_allowed(self):
if not Handler.AllowedOrigin or Handler.AllowedOrigin == '*':
return True
# TODO: FIX doesn't work with GET requests same-origin
origin = self.headers.get('origin') origin = self.headers.get('origin')
if not origin and Handler.AllowedOrigin != '*': if not origin:
logging.warning("request with no Origin header from %s" % self.address_string()) logging.warning("request with no Origin header from %s" % self.address_string())
return False return False
if Handler.AllowedOrigin != '*': if origin != Handler.AllowedOrigin:
if origin != Handler.AllowedOrigin: logging.warning("request with blocked Origin from %s: %s" % (self.address_string(), origin))
logging.warning("request with blocked Origin from %s: %s" % (self.address_string(), origin)) return False
return False
return True return True
@ -186,11 +190,8 @@ class Server(object):
self._address = config['video']['address'] self._address = config['video']['address']
self._httpd = None self._httpd = None
if 'origin' in config['video'] and config['video']['origin'] != '*': if 'origin' in config['video']:
Handler.AllowedOrigin = config['video']['origin'] Handler.AllowedOrigin = config['video']['origin']
else:
logging.warning("THE WEB UI IS RUNNING WITH ALLOWED ORIGIN SET TO *, READ WHY YOU SHOULD CHANGE IT HERE " +
"https://developer.mozilla.org/it/docs/Web/HTTP/CORS")
if self._enabled: if self._enabled:
_thread.start_new_thread(self._http_serve, ()) _thread.start_new_thread(self._http_serve, ())

4
pwnagotchi/utils.py
View File

@ -79,7 +79,7 @@ def load_config(args):
elif config['ui']['display']['type'] in ('papirus', 'papi'): elif config['ui']['display']['type'] in ('papirus', 'papi'):
config['ui']['display']['type'] = 'papirus' config['ui']['display']['type'] = 'papirus'
elif config['ui']['display']['type'] in ('oledhat'): elif config['ui']['display']['type'] in ('oledhat',):
config['ui']['display']['type'] = 'oledhat' config['ui']['display']['type'] = 'oledhat'
elif config['ui']['display']['type'] in ('ws_1', 'ws1', 'waveshare_1', 'waveshare1'): elif config['ui']['display']['type'] in ('ws_1', 'ws1', 'waveshare_1', 'waveshare1'):
@ -91,7 +91,7 @@ def load_config(args):
elif config['ui']['display']['type'] in ('ws_27inch', 'ws27inch', 'waveshare_27inch', 'waveshare27inch'): elif config['ui']['display']['type'] in ('ws_27inch', 'ws27inch', 'waveshare_27inch', 'waveshare27inch'):
config['ui']['display']['type'] = 'waveshare27inch' config['ui']['display']['type'] = 'waveshare27inch'
elif config['ui']['display']['type'] in ('lcdhat'): elif config['ui']['display']['type'] in ('lcdhat',):
config['ui']['display']['type'] = 'lcdhat' config['ui']['display']['type'] = 'lcdhat'
else: else: