- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
Re: Curl does not work any more since upgrade to 6.9.3 on RN316
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Curl does not work any more since upgrade to 6.9.3 on RN316
Hello,
I'm using following command to shutdown my RN316, but it is no more working since update to 6.9.3 :
curl -u admin:$1 -k "https://$2/dbbroker" -H "Content-Type: application/x-www-form-urlencoded;" -H "X-Requested-With: XMLHttpRequest" --data "<?xml version=\"1.0\" encoding=\"UTF-8\"?><xs:nml xmlns:xs=\"http://www.netgear.com/protocol/transaction/NMLSchema-0.9\" xmlns=\"urn:netgear:nas:readynasd\" src=\"dpv_1445852944000\" dst=\"nas\"><xs:transaction id=\"njl_id_2269\"><xs:custom id=\"njl_id_2268\" name=\"Halt\" resource-id=\"Shutdown\" resource-type=\"System\"><Shutdown halt=\"true\" fsck=\"false\"/></xs:custom></xs:transaction></xs:nml>"
could someone help please ?
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Curl does not work any more since upgrade to 6.9.3 on RN316
In OS6.9.3, access to /dbbroker is now forbidden (403 error). I have not investigated why, but it appears intentional.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Curl does not work any more since upgrade to 6.9.3 on RN316
Is there Any any solution to remote shutdown ?
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Curl does not work any more since upgrade to 6.9.3 on RN316
I think this is related to the CSRF security fix. I'll try to find out if there's a way that can do it on 6.9.3 and if not if something could be changed for a future firmware release.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Curl does not work any more since upgrade to 6.9.3 on RN316
Thanks,
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Curl does not work any more since upgrade to 6.9.3 on RN316
I Hvae the same problem
It´s possible to downgrate the firmware?
where can I download firware 6.9.0?
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Curl does not work any more since upgrade to 6.9.3 on RN316
Ok, I have been able to do downgrate to 6.9.1 https://kb.netgear.com/000051531/ReadyNAS-OS-6-Software-Version-6-9-1
with no problem.
Now I can use Curl Again.
I hope it will be a way to automatically shutdown the Nass in future firmware
Thanks
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Curl does not work any more since upgrade to 6.9.3 on RN316
This changed behaviour is expected. Your app/script will need to be longer on 6.9.3.
When sending the NML command or upload files to NAS over LAN, the APP needs to send the csrfpId token and login credentials in the HTTP request header. To get the csrfpId token, the app needs to request this webpage http://nas_ip/admin/csrf.html with the admin login credentials.
And then parse the html file to get the csrfpId token.
The csrf.html includes a script element which has the csrfpId token.
For example,
<script type="text/javascript"> <!-- csrfInsert("csrfpId", "mKrWJJlKMv5iqXUcSK7dEruWxdSbSqNi713aOVNCpYkLIA1wWmCUhmoZeV8EJ-jfXb6X6K6rT9InWOSd_OPiWPeonCpp01LC"); //--> </script>
Then the app shall add a HTTP header "csrfpId" with the token. The csrfpId can also be added to URL query parameters or upload form. The token expiry occurs after 3600 seconds by default. When the token has expired, if the app sends a NML command to the NAS, the NAS returns status code 403. The app needs to get a new token with the above steps.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Curl does not work any more since upgrade to 6.9.3 on RN316
Does this mean that the сurl is no longer usable? Only scripts? What is the reason for this restriction? I use the curl in my home automation system to turn off the system or start the backup job
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Curl does not work any more since upgrade to 6.9.3 on RN316
@Yevgeniy wrote:
Does this mean that the сurl is no longer usable?
No. It means that you need to get the csrfpld token in the script, and then change your curl command line to include --header "X-CSRFToken: {token}".
@Yevgeniy wrote:
What is the reason for this restriction?
It improves security, by making it much more difficult for a "cross-site request forgery" attack to succeed.
Basically, the NAS web server is setting up a session token for each web connection. Curl needs to present that token in order for the apache server in the NAS to accept the commands. If it doesn't, the NAS assumes those commands are forged.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Curl does not work any more since upgrade to 6.9.3 on RN316
most of us dont know how to do the script for to shutdown the readynass; we have just copy and paste (changing the username and password) and thats all.
It will be great is someone are able to make a new script that works with 6.9.3 using the token and share with the comunity
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Curl does not work any more since upgrade to 6.9.3 on RN316
Just what I needed. I saw that the it needed the csrfpld token, but did not know how to get it. Thanks my code is now working again.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Curl does not work any more since upgrade to 6.9.3 on RN316
Like Shadowl0rd, I also don't know how to write this code and copy/pasted the code I've been using for years, which now doesn't work anymore. Could anyone with a new working script please share their script here? Preferably for a .bat file, like in the first post. Much appreciated.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Curl does not work any more since upgrade to 6.9.3 on RN316
This sounds like a place where Netgear should consider writing a program, so that the password is not stored in the clear. Ideally, something that can be called from a backup job. Even better would be the ability to send a WoL packet as well.
Let's call the program ReadyCTL. Script does:
ReadyCTL wakeup NAS1
<insert backup software command here>
ReadyCTL shutdown NAS1
Before all this, the user configures the program through the GUI with the NAS1 IP address (and others if he has them), admin name, and password and the program stores the name and password encrypted.
Building this into the NAS backup system would also be great.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Curl does not work any more since upgrade to 6.9.3 on RN316
@Sandshark wrote:
This sounds like a place where Netgear should consider writing a program, so that the password is not stored in the clear. Ideally, something that can be called from a backup job. Even better would be the ability to send a WoL packet as well.
Let's call the program ReadyCTL. Script does:
ReadyCTL wakeup NAS1
<insert backup software command here>
ReadyCTL shutdown NAS1
Before all this, the user configures the program through the GUI with the NAS1 IP address (and others if he has them), admin name, and password and the program stores the name and password encrypted.
Building this into the NAS backup system would also be great.
Maybe post this on the idea exchange. FWIW, I'd like to see a general WoL app for OS6 NAS.