esphome / issues

Issue Tracker for ESPHome
https://esphome.io/

Online Image URL Action is Unsafe #6309

Closed geiseri closed 1 day ago

geiseri commented 2 days ago

The problem

The automation for online_image.h uses a templatable argument value of a char *. If this is populated via a non-static std::string, the pointer may be garbage by the time it is converted back into a std::string.

In my case it's getting the picture entity that is ~180 chars. I see this in the log:

[19:38:06][W][http_request.arduino:110]: HTTP Request failed; URL: http://homeassxV\xad\xba\xfd?eO; Error: connection refused

It would be better to use a std::string the entire way through. Since this code is autogenerated it should be an invisible fix.

Which version of ESPHome has the issue?

2024.9.2

What type of installation are you using?

Home Assistant Add-on

Which version of Home Assistant has the issue?

all

What platform are you using?

ESP32

Board

ESP32-D0WDQ5 rev1 on a wt32-sc01

Component causing the issue

online image

Example YAML snippet

api:
  actions:
    - action: update_albumart_image
      variables:
        url: string
      then:
        - online_image.set_url:
            id: current_album_art
            url: !lambda |-
              return str_sprintf("http://homeassistant.local:8123%s", url.c_str()).c_str();
        - component.update: current_album_art

Anything in the logs that might be useful for us?

No response

Additional information

I am using the new LVGL so that can suck up a bit of memory causing this to be aggravated vs when I am just downloading the image on a simple image.
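The lifetime problem reported above, as an added example that is not part of the original issue or ESPHome's code: a lambda that returns `c_str()` of a temporary hands back a pointer whose buffer is already destroyed, while returning the string by value keeps the characters owned. `TrackedString`, `BASE` and the function names are constructed for illustration; the counter lets the condition be observed without reading freed memory.

```cpp
#include <cstdio>
#include <functional>
#include <string>
#include <utility>

// Constructed stand-in for std::string that counts live buffers, so the
// lifetime problem can be observed without reading freed memory.
static int live_buffers = 0;
struct TrackedString {
  std::string data;
  explicit TrackedString(std::string v) : data(std::move(v)) { ++live_buffers; }
  TrackedString(const TrackedString &o) : data(o.data) { ++live_buffers; }
  TrackedString(TrackedString &&o) noexcept : data(std::move(o.data)) { ++live_buffers; }
  ~TrackedString() { --live_buffers; }
  const char *c_str() const { return data.c_str(); }
};

static const std::string BASE = "http://homeassistant.local:8123";

// Shape of the lambda in the issue: builds a temporary, returns its c_str().
// The temporary is destroyed at the end of the return statement.
static const char *url_as_pointer(const std::string &path) {
  return TrackedString(BASE + path).c_str();
}

// Same URL returned by value: the caller owns the characters.
static TrackedString url_as_string(const std::string &path) {
  return TrackedString(BASE + path);
}

// True when the caller would hold a pointer whose owning buffer is already gone.
bool pointer_is_dangling(const std::string &path) {
  const char *p = url_as_pointer(path);
  (void) p;  // never dereferenced here: reading it is undefined behaviour
  return live_buffers == 0;
}

// By-value path: the buffer is still alive while the caller copies it out.
std::string resolve_url_by_value(const std::string &path) {
  TrackedString url = url_as_string(path);
  return live_buffers == 1 ? url.data : std::string();
}

int main() {
  const std::string path(180, 'a');  // constructed ~180-char path, as in the report
  std::printf("pointer dangling: %d\n", pointer_is_dangling("/" + path));
  std::printf("by-value length:  %zu\n", resolve_url_by_value("/" + path).size());
}
```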

geiseri commented 2 hours ago

Thanks!