4. Slic3r PE upload (and, optionally, print) functionality

Slic3r PE upload (and, optionally, print) functionality


  • I just installed Slic3r (Prusa Edition) and found that I could enter the IP address (hostname) of my duet controller and it didn't seem to require any login credentials to be able to upload and start a print job remotely. How does that work?

    Thanks,
    Chris

    0
  • administrators

    It's probably using the default password, and you haven't changed the password of your Duet. See https://duet3d.dozuki.com/Wiki/GCode#Section_M551_Set_Password.

    0

  • Either I have something funny in how I setup my Duet or this sounds like there is a security problem.

    I am running:

    Firmware Version: 2.02(RTOS) (2018-12-24b1)
    WiFi Server Version: 1.21
    Web Interface Version: 1.22.6

    and I just verified that I cannot log into the web interface using the password "reprap" but I can with the custom password I have set using M551 in my configuration. I just learned a little about the rr_* rest interface and I find that I can run:

    curl http://tlm-duet/rr_status
    curl http://tlm-duet/rr_filelist?dir=0:/gcodes
    curl http://tlm-duet/rr_mkdir?dir=0:/gcodes/test

    and most surprisingly:

    curl 'http://tlm-duet/rr_gcode?"gcode=0:/gcodes/inner.gcode"'

    (where tlm-duet is the hostname of my printer and inner.gcode exists).

    and my printer starts printing. For fun I also tried adding in a bogus password:

    curl 'http://tlm-duet/rr_gcode?"gcode=0:/gcodes/inner.gcode"&password=ajfdlkajfla'

    and that also successfully started the print. I have verified the same behaviour on 2 different printers both running the same version (one on a Duet WiFi and the other on a Duet Maestro).

    0
  • administrators

    If you are already running DWC on the same PC, then that IP address will already be authenticated and any commands from that PC will be allowed.

    0

  • Wow, that is pretty magical!

    For this testing, I was logged into DWC in an X windows session (linux) and running these commands using a terminal that I connected to remotely, I just closed Chrome in the X windows session and it now correctly rejects these commands due to authentication failure.

    I guess it is doing IP based authentication?

    After logging back into the DWC on that machine, I created a new user and logged in remotely via ssh as the new user and that user could control the DWC via curl without requiring authentication.

    Which does seem like a smaller security hole but not as bad as it seemed.

    0
  • administrators

    Yes, it does IP-based authentication. The HTTP request only tells us the sending IP address and port number, and the port number keeps changing.

    0

  • Hi Guys,

    I've been experiencing a spot of bother using Slic3r STD edition.
    Is Slic3r Prussa Edition better than Slic3r for a Kossel XL+ ?

    Thanks,

    0
Log in to reply
 
Unless otherwise noted, all forum content is licensed under CC-BY-SA