C3MA/DD3-LoRa-Bridge-MultiSender
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden web UI auth, input handling, and SD path validation

Browse Source 
- Add optional Basic Auth with NVS-backed credentials and STA/AP flags; protect status, wifi, history, and download routes

- Stop pre-filling WiFi/MQTT/Web UI password fields; keep stored secrets on blank and add clear-password checkboxes

- Add HTML escaping + URL encoding helpers and apply to user-controlled strings; add unit test

- Harden /sd/download path validation (prefix, length, dotdot, slashes) and log rejections

- Enforce protocol version in LoRa receive and release GPIO14 before SD init

- Update README security, SD, and GPIO sharing notes
This commit is contained in:
acidburns
2026-02-02 21:07:37 +01:00
parent b5477262ea
commit 0e12b406de
10 changed files with 260 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
include/config.h
View File

@@ -87,6 +87,10 @@ constexpr uint16_t SD_HISTORY_MAX_BINS = 4000;
constexpr uint16_t SD_HISTORY_TIME_BUDGET_MS = 10;
constexpr const char *AP_SSID_PREFIX = "DD3-Bridge-";
constexpr const char *AP_PASSWORD = "changeme123";
constexpr bool WEB_AUTH_REQUIRE_STA = true;
constexpr bool WEB_AUTH_REQUIRE_AP = false;
constexpr const char *WEB_AUTH_DEFAULT_USER = "admin";
constexpr const char *WEB_AUTH_DEFAULT_PASS = "admin";
constexpr uint8_t NUM_SENDERS = 1;
inline constexpr uint16_t EXPECTED_SENDER_IDS[NUM_SENDERS] = {