enigma2 Webinterface API Documentation

  • I prefer curl which is also available in OE2.0

    1. root@dm7080:~# grep "anti_hijack\|extended_security" /etc/enigma2/settings
    2. config.plugins.Webinterface.anti_hijack=true
    3. config.plugins.Webinterface.extended_security=true
    4. root@dm7080:~# SESSIONID=$(curl -s -X POST "http://localhost/web/session"|grep e2sessionid|sed 's/e2sessionid\|<\|>\|\///g')
    5. root@dm7080:~# CURRENTRECORDINGS=$(curl -s -X POST "http://localhost/web/timerlist?&sessionid=$SESSIONID"|grep e2state|grep -c ">2<")
    6. root@dm7080:~# echo $CURRENTRECORDINGS
    7. 0
    8. root@dm7080:~#
  • adding "..&sessionid=$SESSIONID" works for `extended_security`,

    but not for `anti_hijack`

    i also tried add one global variable in Webinterface py

    activated `HostIsTrusted = True` in section [HTTPAuthResource].isAuthenticated

    and then tried to use it in section [HTTPRootResource].isSessionValid

    no joy :(

    still searching some way to disable security only for local network

  • 1. Anti-Hijack = Off; Token = On -> OK

    2. Anti-Hijack = On; Token = On

    3. Anti-Hijack = On; Token = Off

    4. Anti-Hijack = Off; Token = Off -> OK


  • hawking


    this sounds stronger than "i prefer" :)

    not tried curl yet cause it's not preinstalled

    and i wanted leave backward compatibility to older Dreamboxes for my scripts

  • I did the same for all of my scripts.

    curl is available on the feeds for oe2.0 up to or2.6 (mips, armhf, aarch64).

    to fully support „streaming authentication“, it was necessary to use instead of localhost e.g. for webif messages.

  • YES, YES, YES! `curl` helped for bash script


    but i will leave Web-IF patch too,

    that restored ability zap services from DreamSet2.exe.

    at least when `Token` activated

  • Please remove that "Patch"!!

    You changed the logic so that irrelevant of any security settings, there will be no authentication and SessionKeys from local clients. This is not how it was designed and this also doesn't help against CSRF (https://en.wikipedia.org/wiki/Cross-site_request_forgery)!!

    Instead of elimintating the effect of any settings, one should simply change the settings as needed. Alternatively incompatible Apps just may be updated (as you wget scripts) :)

  • Exactly patching the webinterface is completely wrong, patching out anti-hijack for local clients makes the whole option useless as it was implemented to protect the box by attacks from inside your local area network!

    Use proper supporting tools like dreamboxEDIT (which is supporting these features from the very first beginning).

    Reichi Ghost Olove

    Bitte entfernt den Patch aus Post #42 #49 bevor noch jemand auf dumme Ideen kommt. Danke!

  • m0rphU

    patch doesn't ignore option `config.plugins.Webinterface.localauth`


    from your previous i already got, as you always know better how everything must work,

    DreamboxEDIT do not offer easy access to transponders list for particular position

  • dhwz ; m0rphU

    You are funny boys :)

    accessing box without password isn't high security risk,

    but bypass Hijack for local network is huge tragedy?!

    just enable `config.plugins.Webinterface.localauth` and patch is deactivated