OpenSprinkler › Forums › OpenSprinkler Unified Firmware › Bug: HTTP station/OS 2.3/2.1.7: URL length limitation causes erratic behavior › Reply To: Bug: HTTP station/OS 2.3/2.1.7: URL length limitation causes erratic behavior
Thanks for the feedback on the HTTP Station code. I have to put my hand up here as the guy responsible. I submitted a PR to Ray and Sammer last year for this as a simple extension of the Remote Station code. I recognised the space limitation of circa 250 characters across all parameters. This is a design template constraint where parameters for Special Stations get processed within the OpenSprinkler working buffer (~250 bytes). Using the existing design pattern meant for a simple implementation but with a knock-on constrain. This is ok in many cases but falls down when you need to authenticate as username/passwords push out the character count!
Nowadays, many browsers/services are moving away from encoding username/password in the URI and are using html headers to carry the authentication. So I saw this as more of a need to add authentication headers in the future rather than needing to extend the command length (good bit of post-rationalisation 8).
The defects on the other hand aren’t great. Thanks to your investigations, I have replicated the issues above and have seen that the length checking I do is too late in the process i.e. I check lengths in the Firmware after decoding the html message from the App. This is too late to catch the buffer overrun and inform the user. I have a fix that I’ll package up and submit.
In terms of immediate options, I have seen that Domoticz allows you to remove authentication if that is acceptable. No good if you are allowing remote access but might be OK if everything is behind your router firewall? Alternatively, I see Domoticz also allows you to whitelist a network (i.e. waive the authentication if sourced from a known secure network). On their Setup/Settings page you have “Local Networks (no username/password)” field into which you could add 192.168.0.*, or equivalent, to waiver authentication for the local network. Not sure if that helps but I’ve just tried it out and it seems to work.
As I say happy to take feedback on importance of this feature and whether authentication/command length is something in demand. To be honest, I didn’t think many others where using this mode and glad to see that there is some interest in it. Let me know your thoughts and I’ll try to improve the implementation.