KLF 200 instability discussion
Closed this issue · 4 comments
Hi,
While using this library on Node.js it works fine (within the limits of the KLF 200 firmware). However, while running in a browser I got errors parsing the JSON result of the /auth call. Further investigation showed that the resulting JSON was indeed invalid. It turned out to be reproducible using curl:
$ curl -d '{"action":"login","params":{"password":"<passwd>"}}' -H "Content-Type: application/json" -X POST http://<ip>/api/v1/auth
Results in:
)]}', {"token":"<base64 string>","result":true,"deviceStatus":"IDLE","data":{},"errors":[]}
Note the preamble before the actual JSON. Have you seen similar behaviour?
Thanks,
Adriaan
I experienced the same problem with my KLF 200. Thats why i sanitize every json response in my Python wrapper[0].
I do not even want to know what is broken inside. It looks like broken internal buffer handling - which is in many cases exploitable. KLF has pretty poor security propositions if you look here [1]. I contacted Velux and they did not even understand the problem. m-(
[0] https://github.com/Julius2342/pyvlx/blob/master/pyvlx/interface.py#L126
[1] https://gist.github.com/Julius2342/6282ded9f527e762ea50f42c2c439a1a
Thanks for the feedback. I found the workaround in this code as well:
https://github.com/MiSchroe/klf-200-api/blob/master/src/connection.js#L126
The problem running in a browser seems to be caused by res.setEncoding not being available.