diff --git a/CHANGELOG.md b/CHANGELOG.md
index b2776016c..037d14613 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ All notable changes to this project will be documented in this file.
 - Neopool commands ``NPPHRes``, ``NPCLRes`` and ``NPIonRes`` (#12813)
 - Support for (Yeelight) Mi Desk Pro using binary tasmota32solo1.bin
 - Initial support for influxdb using ``#define USE_INFLUXDB`` and several ``Ifx`` commands
+- Command ``SetOption128 1`` disabling web referer check default blocking HTTP web commands (#12828)
 ### Changed
 - NeoPixelBus library from v2.6.3 to v2.6.7
diff --git a/RELEASENOTES.md b/RELEASENOTES.md
index 7d4304165..9831112fc 100644
--- a/RELEASENOTES.md
+++ b/RELEASENOTES.md
@@ -118,6 +118,7 @@ The latter links can be used for OTA upgrades too like ``OtaUrl http://ota.tasmo
 - Support for CAN bus and Freedom Won Battery Management System by Marius Bezuidenhout [#12651](https://github.com/arendst/Tasmota/issues/12651)
 - Optional IP filter to command ``TCPStart`` [#12806](https://github.com/arendst/Tasmota/issues/12806)
 - Inital support for Wi-Fi extender [#12784](https://github.com/arendst/Tasmota/issues/12784)
+- Command ``SetOption128 1`` disabling web referer check default blocking HTTP web commands [#12828](https://github.com/arendst/Tasmota/issues/12828)
 ### Changed
 - Move firmware binaries to https://github.com/arendst/Tasmota-firmware/tree/main/release-firmware
diff --git a/tasmota/settings.h b/tasmota/settings.h
index 213826be8..9fb21e886 100644
--- a/tasmota/settings.h
+++ b/tasmota/settings.h
@@ -157,7 +157,7 @@ typedef union { // Restricted by MISRA-C Rule 18.4 bu
 uint32_t zigbee_hide_bridge_topic : 1; // bit 11 (v9.3.1.1) - SetOption125 - (Zigbee) Hide bridge topic from zigbee topic (use with SetOption89) (1)
 uint32_t ds18x20_mean : 1; // bit 12 (v9.3.1.2) - SetOption126 - (DS18x20) Enable arithmetic mean over teleperiod for JSON temperature (1)
 uint32_t wifi_no_sleep : 1; // bit 13 (v9.5.0.2) - SetOption127 - (Wifi) Keep wifi in no-sleep mode, prevents some occasional unresponsiveness
- uint32_t spare14 : 1; // bit 14
+ uint32_t disable_referer_chk : 1; // bit 14 (v9.5.0.5) - SetOption128 - (Web) Allow access without referer check
 uint32_t spare15 : 1; // bit 15
 uint32_t spare16 : 1; // bit 16
 uint32_t spare17 : 1; // bit 17
diff --git a/tasmota/xdrv_01_webserver.ino b/tasmota/xdrv_01_webserver.ino
index 2b250251f..b514df0f6 100644
--- a/tasmota/xdrv_01_webserver.ino
+++ b/tasmota/xdrv_01_webserver.ino
@@ -400,6 +400,9 @@ const uint16_t DNS_PORT = 53;
 enum HttpOptions {HTTP_OFF, HTTP_USER, HTTP_ADMIN, HTTP_MANAGER, HTTP_MANAGER_RESET_ONLY};
 enum WifiTestOptions {WIFI_NOT_TESTING, WIFI_TESTING, WIFI_TEST_FINISHED, WIFI_TEST_FINISHED_BAD};
+const char * headerKeys[] = {"Referer"};
+const size_t numberOfHeaders = 1;
+
 DNSServer *DnsServer;
 ESP8266WebServer *Webserver;
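Review bot: The comment on the new `disable_referer_chk` bit says what the option permits but not what the skipped check defends against, so a reader of settings.h cannot judge the risk of setting SetOption128. Since the check added in xdrv_01_webserver.ino compares the request's Referer against the device's own hostname or IP before a web command is accepted, the comment could read `// bit 14 (v9.5.0.5) - SetOption128 - (Web) Skip Referer check that blocks cross-site web commands (less secure)`.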
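Review bot: `numberOfHeaders = 1` is a hand-maintained count that duplicates the length of `headerKeys`, so adding a second collected header without updating the count would silently stop it being collected; derive it instead, `const size_t numberOfHeaders = sizeof(headerKeys) / sizeof(headerKeys[0]);`. A one-line comment above the array would also tell the reader why the server must retain this header, e.g. `// Request headers kept per request; "Referer" feeds the origin check on privileged web commands`.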
@@ -542,6 +545,9 @@ void StartWebserver(int type, IPAddress ipweb)
 if (!Web.state) {
 if (!Webserver) {
 Webserver = new ESP8266WebServer((HTTP_MANAGER == type || HTTP_MANAGER_RESET_ONLY == type) ? 80 : WEB_PORT);
+
+ Webserver->collectHeaders(headerKeys, numberOfHeaders);
+
 // call `Webserver->on()` on each entry
 for (uint32_t i=0; irequestAuthentication(); return false; }
- return true;
+
+ if(!Settings->flag5.disable_referer_chk) {
+ String referer = Webserver->header("Referer"); // http://demo/? or http://192.168.2.153/?
+ referer.toUpperCase();
+ String hostname = NetworkHostname();
+ hostname.toUpperCase();
+ if ((referer.indexOf(hostname) > 0) || (referer.indexOf(NetworkAddress().toString()) > 0)) {
+ return true;
+ }
+ return false;
+ } else {
+ return true;
+ }
 }
 #ifdef USE_CORS
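Review bot: The comparison on the added `if ((referer.indexOf(hostname) > 0) || (referer.indexOf(NetworkAddress().toString()) > 0))` line is a substring search over the whole Referer URL, so it also passes for a request from a foreign origin whose URL merely contains the device hostname or IP text; since this is the check that is meant to block cross-site web commands, the host part of the Referer should be cut out and compared exactly, as in the fence below. The upper-casing is applied only to the hostname branch, so the two branches compare under different rules; `equalsIgnoreCase` on the extracted host makes them uniform. The trailing `else { return true; }` duplicates the fall-through and can be a single `return true;` after the block. If devices are commonly reached through an mDNS name such as `<hostname>.local`, that exact form should be added to the accepted set rather than widening the match again. The authentication check at the start of this function is garbled in the hunk and not visible here, so the fence covers only the new block.
```cpp
  if (!Settings->flag5.disable_referer_chk) {
    // Compare only the host part of the Referer; a substring match over the whole
    // URL would also accept a foreign origin that merely mentions our hostname or IP.
    String referer = Webserver->header("Referer");   // http://demo/? or http://192.168.2.153/?
    unsigned int start = 0;
    int scheme = referer.indexOf("://");
    if (scheme >= 0) { start = scheme + 3; }
    unsigned int end = referer.length();
    for (unsigned int i = start; i < referer.length(); i++) {
      char c = referer.charAt(i);
      if ((c == '/') || (c == ':') || (c == '?') || (c == '#')) { end = i; break; }
    }
    String host = referer.substring(start, end);     // hostname or IP without scheme, port and path
    String hostname = NetworkHostname();
    if (host.equalsIgnoreCase(hostname) || host.equals(NetworkAddress().toString())) {
      return true;
    }
    return false;
  }
  return true;
```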