espressif
diff --git a/‎libraries/ESP32/examples/Camera/CameraWebServer/CameraWebServer.ino
Lines changed: 6 additions & 33 deletions b/‎libraries/ESP32/examples/Camera/CameraWebServer/CameraWebServer.ino
Lines changed: 6 additions & 33 deletions
diff --git a/‎libraries/ESP32/examples/Camera/CameraWebServer/app_httpd.cpp
Lines changed: 13 additions & 17 deletions b/‎libraries/ESP32/examples/Camera/CameraWebServer/app_httpd.cpp
Lines changed: 13 additions & 17 deletions
diff --git a/‎libraries/ESP32/examples/Camera/CameraWebServer/board_config.h
Lines changed: 34 additions & 0 deletions b/‎libraries/ESP32/examples/Camera/CameraWebServer/board_config.h
Lines changed: 34 additions & 0 deletions
diff --git a/‎libraries/HTTPUpdateServer/src/HTTPUpdateServer.h
Lines changed: 19 additions & 0 deletions b/‎libraries/HTTPUpdateServer/src/HTTPUpdateServer.h
Lines changed: 19 additions & 0 deletions
diff --git a/‎libraries/Update/examples/OTAWebUpdater/OTAWebUpdater.ino
Lines changed: 33 additions & 2 deletions b/‎libraries/Update/examples/OTAWebUpdater/OTAWebUpdater.ino
Lines changed: 33 additions & 2 deletions
@@ -1,37 +1,10 @@
 #include "esp_camera.h"
 #include <WiFi.h>
 
-//
-// WARNING!!! PSRAM IC required for UXGA resolution and high JPEG quality
-//            Ensure ESP32 Wrover Module or other board with PSRAM is selected
-//            Partial images will be transmitted if image exceeds buffer size
-//
-//            You must select partition scheme from the board menu that has at least 3MB APP space.
-//            Face Recognition is DISABLED for ESP32 and ESP32-S2, because it takes up from 15
-//            seconds to process single frame. Face Detection is ENABLED if PSRAM is enabled as well
-
-// ===================
-// Select camera model
-// ===================
-//#define CAMERA_MODEL_WROVER_KIT // Has PSRAM
-#define CAMERA_MODEL_ESP_EYE  // Has PSRAM
-//#define CAMERA_MODEL_ESP32S3_EYE // Has PSRAM
-//#define CAMERA_MODEL_M5STACK_PSRAM // Has PSRAM
-//#define CAMERA_MODEL_M5STACK_V2_PSRAM // M5Camera version B Has PSRAM
-//#define CAMERA_MODEL_M5STACK_WIDE // Has PSRAM
-//#define CAMERA_MODEL_M5STACK_ESP32CAM // No PSRAM
-//#define CAMERA_MODEL_M5STACK_UNITCAM // No PSRAM
-//#define CAMERA_MODEL_M5STACK_CAMS3_UNIT  // Has PSRAM
-//#define CAMERA_MODEL_AI_THINKER // Has PSRAM
-//#define CAMERA_MODEL_TTGO_T_JOURNAL // No PSRAM
-//#define CAMERA_MODEL_XIAO_ESP32S3 // Has PSRAM
-// ** Espressif Internal Boards **
-//#define CAMERA_MODEL_ESP32_CAM_BOARD
-//#define CAMERA_MODEL_ESP32S2_CAM_BOARD
-//#define CAMERA_MODEL_ESP32S3_CAM_LCD
-//#define CAMERA_MODEL_DFRobot_FireBeetle2_ESP32S3 // Has PSRAM
-//#define CAMERA_MODEL_DFRobot_Romeo_ESP32S3 // Has PSRAM
-#include "camera_pins.h"
+// ===========================
+// Select camera model in board_config.h
+// ===========================
+#include "board_config.h"
 
 // ===========================
 // Enter your WiFi credentials
@@ -40,7 +13,7 @@ const char *ssid = "**********";
 const char *password = "**********";
 
 void startCameraServer();
-void setupLedFlash(int pin);
+void setupLedFlash();
 
 void setup() {
   Serial.begin(115200);
@@ -130,7 +103,7 @@ void setup() {
 
 // Setup LED FLash if LED pin is defined in camera_pins.h
 #if defined(LED_GPIO_NUM)
-  setupLedFlash(LED_GPIO_NUM);
+  setupLedFlash();
 #endif
 
   WiFi.begin(ssid, password);
 
@@ -19,18 +19,14 @@
 #include "esp32-hal-ledc.h"
 #include "sdkconfig.h"
 #include "camera_index.h"
+#include "board_config.h"
 
 #if defined(ARDUINO_ARCH_ESP32) && defined(CONFIG_ARDUHAL_ESP_LOG)
 #include "esp32-hal-log.h"
 #endif
 
-// Enable LED FLASH setting
-#define CONFIG_LED_ILLUMINATOR_ENABLED 1
-
 // LED FLASH setup
-#if CONFIG_LED_ILLUMINATOR_ENABLED
-
-#define LED_LEDC_GPIO            22  //configure LED pin
+#if defined(LED_GPIO_NUM)
 #define CONFIG_LED_MAX_INTENSITY 255
 
 int led_duty = 0;
@@ -91,13 +87,13 @@ static int ra_filter_run(ra_filter_t *filter, int value) {
 }
 #endif
 
-#if CONFIG_LED_ILLUMINATOR_ENABLED
+#if defined(LED_GPIO_NUM)
 void enable_led(bool en) {  // Turn LED On or Off
   int duty = en ? led_duty : 0;
   if (en && isStreaming && (led_duty > CONFIG_LED_MAX_INTENSITY)) {
     duty = CONFIG_LED_MAX_INTENSITY;
   }
-  ledcWrite(LED_LEDC_GPIO, duty);
+  ledcWrite(LED_GPIO_NUM, duty);
   //ledc_set_duty(CONFIG_LED_LEDC_SPEED_MODE, CONFIG_LED_LEDC_CHANNEL, duty);
   //ledc_update_duty(CONFIG_LED_LEDC_SPEED_MODE, CONFIG_LED_LEDC_CHANNEL);
   log_i("Set LED intensity to %d", duty);
@@ -162,7 +158,7 @@ static esp_err_t capture_handler(httpd_req_t *req) {
   int64_t fr_start = esp_timer_get_time();
 #endif
 
-#if CONFIG_LED_ILLUMINATOR_ENABLED
+#if defined(LED_GPIO_NUM)
   enable_led(true);
   vTaskDelay(150 / portTICK_PERIOD_MS);  // The LED needs to be turned on ~150ms before the call to esp_camera_fb_get()
   fb = esp_camera_fb_get();              // or it won't be visible in the frame. A better way to do this is needed.
@@ -230,7 +226,7 @@ static esp_err_t stream_handler(httpd_req_t *req) {
   httpd_resp_set_hdr(req, "Access-Control-Allow-Origin", "*");
   httpd_resp_set_hdr(req, "X-Framerate", "60");
 
-#if CONFIG_LED_ILLUMINATOR_ENABLED
+#if defined(LED_GPIO_NUM)
   isStreaming = true;
   enable_led(true);
 #endif
@@ -293,7 +289,7 @@ static esp_err_t stream_handler(httpd_req_t *req) {
     );
   }
 
-#if CONFIG_LED_ILLUMINATOR_ENABLED
+#if defined(LED_GPIO_NUM)
   isStreaming = false;
   enable_led(false);
 #endif
@@ -393,7 +389,7 @@ static esp_err_t cmd_handler(httpd_req_t *req) {
   } else if (!strcmp(variable, "ae_level")) {
     res = s->set_ae_level(s, val);
   }
-#if CONFIG_LED_ILLUMINATOR_ENABLED
+#if defined(LED_GPIO_NUM)
   else if (!strcmp(variable, "led_intensity")) {
     led_duty = val;
     if (isStreaming) {
@@ -481,7 +477,7 @@ static esp_err_t status_handler(httpd_req_t *req) {
   p += sprintf(p, "\"vflip\":%u,", s->status.vflip);
   p += sprintf(p, "\"dcw\":%u,", s->status.dcw);
   p += sprintf(p, "\"colorbar\":%u", s->status.colorbar);
-#if CONFIG_LED_ILLUMINATOR_ENABLED
+#if defined(LED_GPIO_NUM)
   p += sprintf(p, ",\"led_intensity\":%u", led_duty);
 #else
   p += sprintf(p, ",\"led_intensity\":%d", -1);
@@ -843,10 +839,10 @@ void startCameraServer() {
   }
 }
 
-void setupLedFlash(int pin) {
-#if CONFIG_LED_ILLUMINATOR_ENABLED
-  ledcAttach(pin, 5000, 8);
+void setupLedFlash() {
+#if defined(LED_GPIO_NUM)
+  ledcAttach(LED_GPIO_NUM, 5000, 8);
 #else
-  log_i("LED flash is disabled -> CONFIG_LED_ILLUMINATOR_ENABLED = 0");
+  log_i("LED flash is disabled -> LED_GPIO_NUM undefined");
 #endif
 }
@@ -0,0 +1,34 @@
+#ifndef BOARD_CONFIG_H
+#define BOARD_CONFIG_H
+
+//
+// WARNING!!! PSRAM IC required for UXGA resolution and high JPEG quality
+//            Ensure ESP32 Wrover Module or other board with PSRAM is selected
+//            Partial images will be transmitted if image exceeds buffer size
+//
+//            You must select partition scheme from the board menu that has at least 3MB APP space.
+
+// ===================
+// Select camera model
+// ===================
+//#define CAMERA_MODEL_WROVER_KIT // Has PSRAM
+#define CAMERA_MODEL_ESP_EYE  // Has PSRAM
+//#define CAMERA_MODEL_ESP32S3_EYE // Has PSRAM
+//#define CAMERA_MODEL_M5STACK_PSRAM // Has PSRAM
+//#define CAMERA_MODEL_M5STACK_V2_PSRAM // M5Camera version B Has PSRAM
+//#define CAMERA_MODEL_M5STACK_WIDE // Has PSRAM
+//#define CAMERA_MODEL_M5STACK_ESP32CAM // No PSRAM
+//#define CAMERA_MODEL_M5STACK_UNITCAM // No PSRAM
+//#define CAMERA_MODEL_M5STACK_CAMS3_UNIT  // Has PSRAM
+//#define CAMERA_MODEL_AI_THINKER // Has PSRAM
+//#define CAMERA_MODEL_TTGO_T_JOURNAL // No PSRAM
+//#define CAMERA_MODEL_XIAO_ESP32S3 // Has PSRAM
+// ** Espressif Internal Boards **
+//#define CAMERA_MODEL_ESP32_CAM_BOARD
+//#define CAMERA_MODEL_ESP32S2_CAM_BOARD
+//#define CAMERA_MODEL_ESP32S3_CAM_LCD
+//#define CAMERA_MODEL_DFRobot_FireBeetle2_ESP32S3 // Has PSRAM
+//#define CAMERA_MODEL_DFRobot_Romeo_ESP32S3 // Has PSRAM
+#include "camera_pins.h"
+
+#endif  // BOARD_CONFIG_H
@@ -27,6 +27,7 @@ static const char serverIndex[] PROGMEM =
      </body>
      </html>)";
 static const char successResponse[] PROGMEM = "<META http-equiv=\"refresh\" content=\"15;URL=/\">Update Success! Rebooting...";
+static const char *csrfHeaders[2] = {"Origin", "Host"};
 
 class HTTPUpdateServer {
 public:
@@ -56,6 +57,9 @@ class HTTPUpdateServer {
     _username = username;
     _password = password;
 
+    // collect headers for CSRF verification
+    _server->collectHeaders(csrfHeaders, 2);
+
     // handler for the /update form page
     _server->on(path.c_str(), HTTP_GET, [&]() {
       if (_username != emptyString && _password != emptyString && !_server->authenticate(_username.c_str(), _password.c_str())) {
@@ -69,6 +73,10 @@ class HTTPUpdateServer {
       path.c_str(), HTTP_POST,
       [&]() {
         if (!_authenticated) {
+          if (_username == emptyString || _password == emptyString) {
+            _server->send(200, F("text/html"), String(F("Update error: Wrong origin received!")));
+            return;
+          }
           return _server->requestAuthentication();
         }
         if (Update.hasError()) {
@@ -100,6 +108,17 @@ class HTTPUpdateServer {
             return;
           }
 
+          String origin = _server->header(String(csrfHeaders[0]));
+          String host = _server->header(String(csrfHeaders[1]));
+          String expectedOrigin = String("http://") + host;
+          if (origin != expectedOrigin) {
+            if (_serial_output) {
+              Serial.printf("Wrong origin received! Expected: %s, Received: %s\n", expectedOrigin.c_str(), origin.c_str());
+            }
+            _authenticated = false;
+            return;
+          }
+
           if (_serial_output) {
             Serial.printf("Update: %s\n", upload.filename.c_str());
           }
 
@@ -8,10 +8,17 @@
 #define SSID_FORMAT "ESP32-%06lX"  // 12 chars total
 //#define PASSWORD "test123456"    // generate if remarked
 
+// Set the username and password for firmware upload
+const char *authUser = "........";
+const char *authPass = "........";
+
 WebServer server(80);
 Ticker tkSecond;
 uint8_t otaDone = 0;
 
+const char *csrfHeaders[2] = {"Origin", "Host"};
+static bool authenticated = false;
+
 const char *alphanum = "0123456789!@#$%^&*abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
 String generatePass(uint8_t str_len) {
   String buff;
@@ -38,13 +45,17 @@ void apMode() {
 }
 
 void handleUpdateEnd() {
+  if (!authenticated) {
+    return server.requestAuthentication();
+  }
   server.sendHeader("Connection", "close");
   if (Update.hasError()) {
     server.send(502, "text/plain", Update.errorString());
   } else {
     server.sendHeader("Refresh", "10");
     server.sendHeader("Location", "/");
     server.send(307);
+    delay(500);
     ESP.restart();
   }
 }
@@ -56,18 +67,34 @@ void handleUpdate() {
   }
   HTTPUpload &upload = server.upload();
   if (upload.status == UPLOAD_FILE_START) {
+    authenticated = server.authenticate(authUser, authPass);
+    if (!authenticated) {
+      Serial.println("Authentication fail!");
+      otaDone = 0;
+      return;
+    }
+    String origin = server.header(String(csrfHeaders[0]));
+    String host = server.header(String(csrfHeaders[1]));
+    String expectedOrigin = String("http://") + host;
+    if (origin != expectedOrigin) {
+      Serial.printf("Wrong origin received! Expected: %s, Received: %s\n", expectedOrigin.c_str(), origin.c_str());
+      authenticated = false;
+      otaDone = 0;
+      return;
+    }
+
     Serial.printf("Receiving Update: %s, Size: %d\n", upload.filename.c_str(), fsize);
     if (!Update.begin(fsize)) {
       otaDone = 0;
       Update.printError(Serial);
     }
-  } else if (upload.status == UPLOAD_FILE_WRITE) {
+  } else if (authenticated && upload.status == UPLOAD_FILE_WRITE) {
     if (Update.write(upload.buf, upload.currentSize) != upload.currentSize) {
       Update.printError(Serial);
     } else {
       otaDone = 100 * Update.progress() / Update.size();
     }
-  } else if (upload.status == UPLOAD_FILE_END) {
+  } else if (authenticated && upload.status == UPLOAD_FILE_END) {
     if (Update.end(true)) {
       Serial.printf("Update Success: %u bytes\nRebooting...\n", upload.totalSize);
     } else {
@@ -78,6 +105,7 @@ void handleUpdate() {
 }
 
 void webServerInit() {
+  server.collectHeaders(csrfHeaders, 2);
   server.on(
     "/update", HTTP_POST,
     []() {
@@ -92,6 +120,9 @@ void webServerInit() {
     server.send_P(200, "image/x-icon", favicon_ico_gz, favicon_ico_gz_len);
   });
   server.onNotFound([]() {
+    if (!server.authenticate(authUser, authPass)) {
+      return server.requestAuthentication();
+    }
     server.send(200, "text/html", indexHtml);
   });
   server.begin();