Blueforcer / awtrix3

Custom firmware for the Ulanzi Smart Pixel clock or self made awtrix. Getting started is easy as 1-2-3
https://blueforcer.github.io/awtrix3/

[BUG] Web Interface Does Not Work on a Different Port #501

Closed m33x closed 8 months ago

m33x commented 8 months ago

Bug report

Describe the bug

If AWTRIX Light is not served on port 80 (HTTP) or port 443 (HTTPS), the web interface does not work as certain resources like DoNotTouch.json cannot be reached.

Additional information

To Reproduce

Steps to reproduce the behavior:

  1. Serve AWTRIX Light on a different port than 80: `ssh home -L 127.0.0.1:1338:192.168.2.3:80`

  2. Visit the web interface of AWTRIX Light in your browser: `firefox http://localhost:1338`

Expected behavior

The web interface loads as expected.

Screenshots

[Screenshot: Selection_027]

Logs

```
GET http://localhost/DoNotTouch.json net::ERR_CONNECTION_REFUSED
(index):140 Fetch failed loading: GET "http://localhost/DoNotTouch.json".
```

Additional context

Affected are:

```javascript
var e = new URL(`${window.location.protocol}//${window.location.hostname}/scan`);
var e = new URL(`${window.location.protocol}//${window.location.hostname}/status`);
var e = new URL(`${window.location.protocol}//${window.location.hostname}/DoNotTouch.json`);
var e = new URL(`${window.location.protocol}//${window.location.hostname}/restart`);
```

Potential fix is using `window.location.origin`:

```
> window.location
host: "localhost:1338"
hostname: "localhost"
href: "http://localhost:1338/"
origin: "http://localhost:1338"
pathname: "/"
port: "1338"
protocol: "http:"
> var e = new URL(`${window.location.origin}/DoNotTouch.json`);
> e.href
'http://localhost:1338/DoNotTouch.json'
```

Is the current code potentially exploitable and an XSS vulnerability? Unsure, but likely not.
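The two URL-building forms from the report, side by side, as an added example that is not code from the awtrix3 project. It uses plain objects shaped like `window.location` (constructed for the two scenarios in the thread: the `ssh -L` forward on port 1338 and a device reached directly on the default port) so it runs under Node without a DOM, and shows that the protocol+hostname form silently drops any non-default port while `origin` carries it.

```javascript
// Added example (not awtrix3 code). `loc` is a plain object carrying the
// same fields as window.location, so the comparison runs outside a browser.

// Pattern currently in the web interface: protocol + hostname. The port is
// never read, so a request aimed at localhost:1338 goes to localhost:80.
function urlFromProtocolAndHost(loc, path) {
  return new URL(`${loc.protocol}//${loc.hostname}${path}`).href;
}

// Proposed fix: origin already contains scheme, host and (non-default) port.
function urlFromOrigin(loc, path) {
  return new URL(`${loc.origin}${path}`).href;
}

// Constructed Location-like objects for the two situations in the thread.
const forwardedLocation = {   // browser opened http://localhost:1338 via ssh -L
  protocol: 'http:',
  hostname: 'localhost',
  port: '1338',
  origin: 'http://localhost:1338',
};
const directLocation = {      // browser opened the device on the default port
  protocol: 'http:',
  hostname: '192.168.2.3',
  port: '',
  origin: 'http://192.168.2.3',
};

// For each resource the issue lists, build both forms and flag whether
// they agree. On the default port they are identical, so the origin form
// changes nothing for users who reach the device directly.
function compareForms(loc) {
  const paths = ['/scan', '/status', '/DoNotTouch.json', '/restart'];
  return paths.map((p) => {
    const protocolHost = urlFromProtocolAndHost(loc, p);
    const origin = urlFromOrigin(loc, p);
    return { path: p, protocolHost, origin, same: protocolHost === origin };
  });
}

console.table(compareForms(forwardedLocation)); // every row differs: port lost
console.table(compareForms(directLocation));    // every row identical
```

The `same` column is the practical check: a change to `origin` only alters the URLs in deployments where the page is served on a non-default port, which is exactly the case the report describes.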

Blueforcer commented 8 months ago

That's not a bug.

  1. There is no setting to change the port. There were never any plans to support this.
  2. Your linked code snippet was a PR a long time ago to use Awtrix Webinterface with a Proxy, for example in HA.
m33x commented 8 months ago

So this is a won't fix, I assume? Would you merge it, if I create a PR?

Blueforcer commented 8 months ago

> So this is a won't fix, I assume? Would you merge it, if I create a PR?

PR for what? Using window.location.origin again would undo the other PR which helps a lot of people.

m33x commented 8 months ago

A PR with window.location.origin, this fixes my issues, and does not break anything for people using window.location.protocol and window.location.hostname. If at all, it makes their version even better and more complete.

m33x commented 8 months ago

I have tested the new version. This fixes the problem. Thanks!

Blueforcer commented 8 months ago

Thanks goes to you!