fix(csrf): Fix SCRF vulnerability in WebUpdate.ino

me-no-dev · me-no-dev · commit 450c64014892 · 2025-06-30T14:25:41.000+03:00
diff --git a/libraries/WebServer/examples/WebUpdate/WebUpdate.ino b/libraries/WebServer/examples/WebUpdate/WebUpdate.ino
@@ -11,11 +11,16 @@
 const char *host = "esp32-webupdate";
 const char *ssid = "........";
 const char *password = "........";
+const char * authUser = "admin";
+const char * authPass = "admin";
 
 WebServer server(80);
 const char *serverIndex =
   "<form method='POST' action='/update' enctype='multipart/form-data'><input type='file' name='update'><input type='submit' value='Update'></form>";
 
+const char * csrfHeaders[2] = {"Origin", "Host"};
+static bool authenticated = false;
+
 void setup(void) {
   Serial.begin(115200);
   Serial.println();
@@ -24,37 +29,62 @@ void setup(void) {
   WiFi.begin(ssid, password);
   if (WiFi.waitForConnectResult() == WL_CONNECTED) {
     MDNS.begin(host);
+    server.collectHeaders(csrfHeaders, 2);
     server.on("/", HTTP_GET, []() {
+      if (!server.authenticate(authUser, authPass)) {
+        return server.requestAuthentication();
+      }
       server.sendHeader("Connection", "close");
       server.send(200, "text/html", serverIndex);
     });
     server.on(
       "/update", HTTP_POST,
       []() {
+        if (!authenticated) {
+          return server.requestAuthentication();
+        }
         server.sendHeader("Connection", "close");
-        server.send(200, "text/plain", (Update.hasError()) ? "FAIL" : "OK");
-        ESP.restart();
+        if (Update.hasError()) {
+          server.send(200, "text/plain", "FAIL");
+        } else {
+          server.send(200, "text/plain", "Success! Rebooting...");
+          delay(500);
+          ESP.restart();
+        }
       },
       []() {
         HTTPUpload &upload = server.upload();
         if (upload.status == UPLOAD_FILE_START) {
           Serial.setDebugOutput(true);
+          authenticated = server.authenticate(authUser, authPass);
+          if (!authenticated) {
+            Serial.println("Authentication fail!");
+            return;
+          }
+          String origin = server.header(String(csrfHeaders[0]));
+          String host = server.header(String(csrfHeaders[1]));
+          String expectedOrigin = String("http://") + host;
+          if (origin != expectedOrigin) {
+            Serial.printf("Wrong origin received! Expected: %s, Received: %s\n", expectedOrigin.c_str(), origin.c_str());
+            authenticated = false;
+          }
+          
           Serial.printf("Update: %s\n", upload.filename.c_str());
           if (!Update.begin()) {  //start with max available size
             Update.printError(Serial);
           }
-        } else if (upload.status == UPLOAD_FILE_WRITE) {
+        } else if (authenticated && upload.status == UPLOAD_FILE_WRITE) {
           if (Update.write(upload.buf, upload.currentSize) != upload.currentSize) {
             Update.printError(Serial);
           }
-        } else if (upload.status == UPLOAD_FILE_END) {
+        } else if (authenticated && upload.status == UPLOAD_FILE_END) {
           if (Update.end(true)) {  //true to set the size to the current progress
             Serial.printf("Update Success: %u\nRebooting...\n", upload.totalSize);
           } else {
             Update.printError(Serial);
           }
           Serial.setDebugOutput(false);
-        } else {
+        } else if(authenticated) {
           Serial.printf("Update Failed Unexpectedly (likely broken connection): status=%d\n", upload.status);
         }
       }
