enigma2 Webinterface API Documentation

  • I prefer curl which is also available in OE2.0


    Code
    root@dm7080:~# grep "anti_hijack\|extended_security" /etc/enigma2/settings
    config.plugins.Webinterface.anti_hijack=true
    config.plugins.Webinterface.extended_security=true
    root@dm7080:~# SESSIONID=$(curl -s -X POST "http://localhost/web/session"|grep e2sessionid|sed 's/e2sessionid\|<\|>\|\///g')
    root@dm7080:~# CURRENTRECORDINGS=$(curl -s -X POST "http://localhost/web/timerlist?&sessionid=$SESSIONID"|grep e2state|grep -c ">2<")
    root@dm7080:~# echo $CURRENTRECORDINGS
    0
    root@dm7080:~#

    Regards, Fred

    The Dreambox is dead, long live the Dreambox
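
The session-token flow from the post above, as an added example (not part of the original post and not Webinterface code). It validates the token before use and lets a rejected request fail instead of being counted as 0 recordings. The function names, the token character set and the sample XML are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample replies, used only for offline checks.
SAMPLE_SESSION='<?xml version="1.0" encoding="UTF-8"?>
<e2sessionid>0123456789abcdef</e2sessionid>'
SAMPLE_TIMERS='<e2timerlist>
<e2timer><e2name>News</e2name><e2state>0</e2state></e2timer>
<e2timer><e2name>Film</e2name><e2state>2</e2state></e2timer>
<e2timer><e2name>Old</e2name><e2state>3</e2state></e2timer>
</e2timerlist>'

# Read a /web/session reply on stdin and print the token, or nothing
# if the reply holds no <e2sessionid> element (e.g. an error page).
extract_session_id() {
    tr -d '\r\n' |
        sed -n 's|.*<e2sessionid>[[:space:]]*\([^<[:space:]]*\)[[:space:]]*</e2sessionid>.*|\1|p'
}

# Accept only a non-empty token made of URL-safe characters, so it can be
# placed in a query string as-is (the character set is an assumption).
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read a /web/timerlist reply on stdin and count timers whose e2state is 2,
# the same value the post greps for.
count_running() {
    tr -d '\r\n' | grep -o '<e2state>[[:space:]]*2[[:space:]]*</e2state>' |
        wc -l | tr -d ' '
}

# Fetch a token, then the timer list. curl -f turns an HTTP error into a
# non-zero exit, so a refused request is never reported as "0 recordings".
current_recordings() {
    base=${1:-http://localhost}
    sid=$(curl -sf -X POST "$base/web/session" | extract_session_id)
    valid_token "$sid" || { echo "no usable session id from $base" >&2; return 1; }
    reply=$(curl -sf -X POST "$base/web/timerlist?sessionid=$sid") || return 1
    printf '%s' "$reply" | count_running
}
```

On the box, `CURRENTRECORDINGS=$(current_recordings) || exit 1` keeps a script from acting on a count it never actually received.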

  • adding "..&sessionid=$SESSIONID" works for `extended_security`,

    but not for `anti_hijack`


    I also tried to add one global variable in Webinterface py

    activated `HostIsTrusted = True` in section [HTTPAuthResource].isAuthenticated

    and then tried to use it in section [HTTPRootResource].isSessionValid

    no joy :frowning_face:

    still searching some way to disable security only for local network

  • 1. Anti-Hijack = Off; Token = On -> OK

    2. Anti-Hijack = On; Token = On

    3. Anti-Hijack = On; Token = Off

    4. Anti-Hijack = Off; Token = Off -> OK



    /usr/script/ManualScanMenu.sh

  • hawking

    Thanks!

    this sounds stronger than "i prefer" :smiling_face:

    not tried curl yet cause it's not preinstalled

    and I wanted to leave backward compatibility to older Dreamboxes for my scripts

  • I did the same for all of my scripts.

    curl is available on the feeds for oe2.0 up to oe2.6 (mips, armhf, aarch64).

    To fully support "streaming authentication", it was necessary to use 127.0.0.1 instead of localhost, e.g. for webif messages.

  • I said "prefer" because I have been using curl since OE2.0 - I never tested enabled security and wget in my scripts.

    For newnigma2 OE2.0 curl is also available on their feeds and it was working.


    So I apologize for the misunderstanding. :winking_face:

    Regards, Fred

    The Dreambox is dead, long live the Dreambox

  • YES, YES, YES! `curl` helped for bash script


    /usr/script/ManualScanMenu.sh


    but I will leave the Web-IF patch too,

    that restored the ability to zap services from DreamSet2.exe.

    at least when `Token` is activated

  • Please remove that "Patch"!!


    You changed the logic so that, irrespective of any security settings, there will be no authentication and SessionKeys from local clients. This is not how it was designed and this also doesn't help against CSRF (https://en.wikipedia.org/wiki/Cross-site_request_forgery)!!


    Instead of eliminating the effect of any settings, one should simply change the settings as needed. Alternatively, incompatible apps may just be updated (as your wget scripts) :smiling_face:

    so long
    m0rphU

    Exactly, patching the webinterface is completely wrong; patching out anti-hijack for local clients makes the whole option useless, as it was implemented to protect the box against attacks from inside your local area network!

    Use proper supporting tools like dreamboxEDIT (which has supported these features from the very beginning).


    Reichi Ghost Olove

    Please remove the patch from post #42 #49 before anyone else gets stupid ideas. Thanks!


  • m0rphU

    patch doesn't ignore option `config.plugins.Webinterface.localauth`


    dhwz

    from your previous i already got, as you always know better how everything must work,

    DreamboxEDIT do not offer easy access to transponders list for particular position

  • dhwz; m0rphU

    You are funny boys :smiling_face:

    accessing box without password isn't high security risk,

    but bypass Hijack for local network is huge tragedy?!

    just enable `config.plugins.Webinterface.localauth` and patch is deactivated