fix(csrf): Prevent CSRF on other OTA examples

espressif · me-no-dev · Jul 2, 2025 · Jun 30, 2025 · Jun 30, 2025 · Jun 30, 2025
commit a87ee5fd38b3348e785b2f03a37e6b1e2e6c7ba8
@@ -27,6 +27,7 @@ static const char serverIndex[] PROGMEM =
      </body>
      </html>)";
 static const char successResponse[] PROGMEM = "<META http-equiv=\"refresh\" content=\"15;URL=/\">Update Success! Rebooting...";
+static const char * csrfHeaders[2] = {"Origin", "Host"};
 
 class HTTPUpdateServer {
 public:
@@ -56,6 +57,9 @@ class HTTPUpdateServer {
     _username = username;
     _password = password;
 
+    // collect headers for CSRF verification
+    _server->collectHeaders(csrfHeaders, 2);
+
     // handler for the /update form page
     _server->on(path.c_str(), HTTP_GET, [&]() {
       if (_username != emptyString && _password != emptyString && !_server->authenticate(_username.c_str(), _password.c_str())) {
@@ -69,6 +73,10 @@ class HTTPUpdateServer {
       path.c_str(), HTTP_POST,
       [&]() {
         if (!_authenticated) {
+          if (_username == emptyString || _password == emptyString) {
+            _server->send(200, F("text/html"), String(F("Update error: Wrong origin received!")));
+            return;
+          }
           return _server->requestAuthentication();
         }
         if (Update.hasError()) {
@@ -100,6 +108,17 @@ class HTTPUpdateServer {
             return;
           }
 
+          String origin = _server->header(String(csrfHeaders[0]));
+          String host = _server->header(String(csrfHeaders[1]));
+          String expectedOrigin = String("http://") + host;
+          if (origin != expectedOrigin) {
+            if (_serial_output) {
+              Serial.printf("Wrong origin received! Expected: %s, Received: %s\n", expectedOrigin.c_str(), origin.c_str());
+            }
+            _authenticated = false;
+            return;
+          }
+
           if (_serial_output) {
             Serial.printf("Update: %s\n", upload.filename.c_str());
           }

@@ -7,11 +7,16 @@
 
 #define SSID_FORMAT "ESP32-%06lX"  // 12 chars total
 //#define PASSWORD "test123456"    // generate if remarked
+const char * authUser = "admin";
+const char * authPass = "admin";
 
 WebServer server(80);
 Ticker tkSecond;
 uint8_t otaDone = 0;
 
+const char * csrfHeaders[2] = {"Origin", "Host"};
+static bool authenticated = false;
+
 const char *alphanum = "0123456789!@#$%^&*abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
 String generatePass(uint8_t str_len) {
   String buff;
@@ -38,13 +43,17 @@ void apMode() {
 }
 
 void handleUpdateEnd() {
+  if (!authenticated) {
+    return server.requestAuthentication();
+  }
   server.sendHeader("Connection", "close");
   if (Update.hasError()) {
     server.send(502, "text/plain", Update.errorString());
   } else {
     server.sendHeader("Refresh", "10");
     server.sendHeader("Location", "/");
     server.send(307);
+    delay(500);
     ESP.restart();
   }
 }
@@ -56,18 +65,34 @@ void handleUpdate() {
   }
   HTTPUpload &upload = server.upload();
   if (upload.status == UPLOAD_FILE_START) {
+    authenticated = server.authenticate(authUser, authPass);
+    if (!authenticated) {
+      Serial.println("Authentication fail!");
+      otaDone = 0;
+      return;
+    }
+    String origin = server.header(String(csrfHeaders[0]));
+    String host = server.header(String(csrfHeaders[1]));
+    String expectedOrigin = String("http://") + host;
+    if (origin != expectedOrigin) {
+      Serial.printf("Wrong origin received! Expected: %s, Received: %s\n", expectedOrigin.c_str(), origin.c_str());
+      authenticated = false;
+      otaDone = 0;
+      return;
+    }
+
     Serial.printf("Receiving Update: %s, Size: %d\n", upload.filename.c_str(), fsize);
     if (!Update.begin(fsize)) {
       otaDone = 0;
       Update.printError(Serial);
     }
-  } else if (upload.status == UPLOAD_FILE_WRITE) {
+  } else if (authenticated && upload.status == UPLOAD_FILE_WRITE) {
     if (Update.write(upload.buf, upload.currentSize) != upload.currentSize) {
       Update.printError(Serial);
     } else {
       otaDone = 100 * Update.progress() / Update.size();
     }
-  } else if (upload.status == UPLOAD_FILE_END) {
+  } else if (authenticated && upload.status == UPLOAD_FILE_END) {
     if (Update.end(true)) {
       Serial.printf("Update Success: %u bytes\nRebooting...\n", upload.totalSize);
     } else {
@@ -78,6 +103,7 @@ void handleUpdate() {
 }
 
 void webServerInit() {
+  server.collectHeaders(csrfHeaders, 2);
   server.on(
     "/update", HTTP_POST,
     []() {
@@ -92,6 +118,9 @@ void webServerInit() {
     server.send_P(200, "image/x-icon", favicon_ico_gz, favicon_ico_gz_len);
   });
   server.onNotFound([]() {
+    if (!server.authenticate(authUser, authPass)) {
+      return server.requestAuthentication();
+    }
     server.send(200, "text/html", indexHtml);
   });
   server.begin();

@@ -67,6 +67,7 @@ void setup(void) {
           if (origin != expectedOrigin) {
             Serial.printf("Wrong origin received! Expected: %s, Received: %s\n", expectedOrigin.c_str(), origin.c_str());
             authenticated = false;
+            return;
           }
 
           Serial.printf("Update: %s\n", upload.filename.c_str());