Slic3r PE upload (and, optionally, print) functionality
-
I just installed Slic3r (Prusa Edition) and found that I could enter the IP address (hostname) of my Duet controller and it didn't seem to require any login credentials to be able to upload and start a print job remotely. How does that work?
Thanks,
Chris
-
It's probably using the default password, and you haven't changed the password of your Duet. See https://duet3d.dozuki.com/Wiki/GCode#Section_M551_Set_Password.
-
Either I have something funny in how I set up my Duet or this sounds like there is a security problem.
I am running:
Firmware Version: 2.02(RTOS) (2018-12-24b1)
WiFi Server Version: 1.21
Web Interface Version: 1.22.6
and I just verified that I cannot log into the web interface using the password "reprap" but I can with the custom password I have set using M551 in my configuration. I just learned a little about the rr_* REST interface and I find that I can run:
curl http://tlm-duet/rr_status
curl http://tlm-duet/rr_filelist?dir=0:/gcodes
curl http://tlm-duet/rr_mkdir?dir=0:/gcodes/test
and most surprisingly:
curl 'http://tlm-duet/rr_gcode?"gcode=0:/gcodes/inner.gcode"'
(where tlm-duet is the hostname of my printer and inner.gcode exists).
and my printer starts printing. For fun I also tried adding in a bogus password:
curl 'http://tlm-duet/rr_gcode?"gcode=0:/gcodes/inner.gcode"&password=ajfdlkajfla'
and that also successfully started the print. I have verified the same behaviour on 2 different printers both running the same version (one on a Duet WiFi and the other on a Duet Maestro).
-
If you are already running DWC on the same PC, then that IP address will already be authenticated and any commands from that PC will be allowed.
-
Wow, that is pretty magical!
For this testing, I was logged into DWC in an X windows session (Linux) and running these commands using a terminal that I connected to remotely. I just closed Chrome in the X windows session and it now correctly rejects these commands due to authentication failure.
I guess it is doing IP based authentication?
After logging back into the DWC on that machine, I created a new user and logged in remotely via ssh as the new user and that user could control the DWC via curl without requiring authentication.
Which does seem like a smaller security hole but not as bad as it seemed.
-
Yes, it does IP-based authentication. The HTTP request only tells us the sending IP address and port number, and the port number keeps changing.
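
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Duet firmware code: a simplified model of a session table keyed by source IP next to one keyed by a per-login token. Class names, function names, the password and the addresses are constructed for illustration.

```python
import hmac
import secrets

PASSWORD = b"custom-pass"  # constructed sample value


class IpKeyedAuth:
    """Session = source IP. The source port is ignored: it changes per connection."""

    def __init__(self):
        self.sessions = set()

    def login(self, ip, port, password):
        if hmac.compare_digest(password, PASSWORD):
            self.sessions.add(ip)

    def logout(self, ip):
        self.sessions.discard(ip)

    def allowed(self, ip, port, token=None):
        return ip in self.sessions  # anything sent with the request is never checked


class TokenKeyedAuth:
    """Session = random token returned at login and required on every request."""

    def __init__(self):
        self.sessions = {}

    def login(self, ip, port, password):
        if not hmac.compare_digest(password, PASSWORD):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = ip
        return token

    def allowed(self, ip, port, token=None):
        return token is not None and self.sessions.get(token) == ip


def replay_thread_scenario():
    """Browser logs in from one host; a second process there sends no valid credentials."""
    ip_auth, tok_auth = IpKeyedAuth(), TokenKeyedAuth()
    host, other = "192.0.2.10", "192.0.2.11"  # constructed documentation addresses
    ip_auth.login(host, 50112, PASSWORD)
    tok_auth.login(host, 50112, PASSWORD)  # the token stays with the browser
    result = {
        "ip_same_host_other_process": ip_auth.allowed(host, 50987),
        "ip_same_host_bogus_credential": ip_auth.allowed(host, 50988, token="bogus"),
        "ip_other_host": ip_auth.allowed(other, 41000),
        "token_same_host_other_process": tok_auth.allowed(host, 50987),
    }
    ip_auth.logout(host)  # models the browser session ending
    result["ip_after_logout"] = ip_auth.allowed(host, 50990)
    return result
```

In the IP-keyed model every process and user on the logged-in host, and every client behind the same NAT address, shares the session; the token-keyed model rejects them because they never received the token.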
-
Hi Guys,
I've been experiencing a spot of bother using Slic3r STD edition.
Is Slic3r Prusa Edition better than Slic3r for a Kossel XL+?
Thanks,