Merge pull request from GHSA-48mj-p7x2-5jfm

esphome/components/web_server/__init__.py

@@ -34,8 +34,8 @@ CONFIG_SCHEMA = cv.Schema(
         cv.Optional(CONF_JS_INCLUDE): cv.file_,
         cv.Optional(CONF_AUTH): cv.Schema(
             {
-                cv.Required(CONF_USERNAME): cv.string_strict,
-                cv.Required(CONF_PASSWORD): cv.string_strict,
+                cv.Required(CONF_USERNAME): cv.All(cv.string_strict, cv.Length(min=1)),
+                cv.Required(CONF_PASSWORD): cv.All(cv.string_strict, cv.Length(min=1)),
             }
         ),
         cv.GenerateID(CONF_WEB_SERVER_BASE_ID): cv.use_id(
@@ -57,8 +57,8 @@ async def to_code(config):
     cg.add(var.set_css_url(config[CONF_CSS_URL]))
     cg.add(var.set_js_url(config[CONF_JS_URL]))
     if CONF_AUTH in config:
-        cg.add(var.set_username(config[CONF_AUTH][CONF_USERNAME]))
-        cg.add(var.set_password(config[CONF_AUTH][CONF_PASSWORD]))
+        cg.add(paren.set_auth_username(config[CONF_AUTH][CONF_USERNAME]))
+        cg.add(paren.set_auth_password(config[CONF_AUTH][CONF_PASSWORD]))
     if CONF_CSS_INCLUDE in config:
         cg.add_define("WEBSERVER_CSS_INCLUDE")
         path = CORE.relative_config_path(config[CONF_CSS_INCLUDE])

esphome/components/web_server/web_server.cpp

@@ -1,8 +1,8 @@
 #include "web_server.h"
-#include "esphome/core/log.h"
-#include "esphome/core/application.h"
-#include "esphome/core/util.h"
 #include "esphome/components/json/json_util.h"
+#include "esphome/core/application.h"
+#include "esphome/core/log.h"
+#include "esphome/core/util.h"
 
 #include "StreamString.h"
 
@@ -151,9 +151,6 @@ void WebServer::setup() {
 void WebServer::dump_config() {
   ESP_LOGCONFIG(TAG, "Web Server:");
   ESP_LOGCONFIG(TAG, "  Address: %s:%u", network_get_address().c_str(), this->base_->get_port());
-  if (this->using_auth()) {
-    ESP_LOGCONFIG(TAG, "  Basic authentication enabled");
-  }
 }
 float WebServer::get_setup_priority() const { return setup_priority::WIFI - 1.0f; }
 
@@ -728,10 +725,6 @@ bool WebServer::canHandle(AsyncWebServerRequest *request) {
   return false;
 }
 void WebServer::handleRequest(AsyncWebServerRequest *request) {
-  if (this->using_auth() && !request->authenticate(this->username_, this->password_)) {
-    return request->requestAuthentication();
-  }
-
   if (request->url() == "/") {
     this->handle_index_request(request);
     return;

esphome/components/web_server/web_server.h

@@ -30,10 +30,6 @@ class WebServer : public Controller, public Component, public AsyncWebHandler {
  public:
   WebServer(web_server_base::WebServerBase *base) : base_(base) {}
 
-  void set_username(const char *username) { username_ = username; }
-
-  void set_password(const char *password) { password_ = password; }
-
   /** Set the URL to the CSS <link> that's sent to each client. Defaults to
    * https://esphome.io/_static/webserver-v1.min.css
    *
@@ -83,8 +79,6 @@ class WebServer : public Controller, public Component, public AsyncWebHandler {
   void handle_js_request(AsyncWebServerRequest *request);
 #endif
 
-  bool using_auth() { return username_ != nullptr && password_ != nullptr; }
-
 #ifdef USE_SENSOR
   void on_sensor_update(sensor::Sensor *obj, float state) override;
   /// Handle a sensor request under '/sensor/<id>'.
@@ -182,8 +176,6 @@ class WebServer : public Controller, public Component, public AsyncWebHandler {
  protected:
   web_server_base::WebServerBase *base_;
   AsyncEventSource events_{"/events"};
-  const char *username_{nullptr};
-  const char *password_{nullptr};
   const char *css_url_{nullptr};
   const char *css_include_{nullptr};
   const char *js_url_{nullptr};