The /qr endpoint is served without any authentication at all.
Furthermore, `setup.sh` default behavior is to allow DMs from anyone (secure-openclaw/setup.sh, line 29 in 70806a7):

```sh
sed -i "s|TELEGRAM_ALLOWED_DMS=.*|TELEGRAM_ALLOWED_DMS=*|" .env
```
You should either need some kind of credential to access the QR code page, or DMs should be restricted to a known allowlist. Accidentally making this internet-facing will make it trivially exploitable.
I understand that this is probably meant to be deployed on a kiosk or as part of a lab, but open-source projects like this with HTTP servers will almost always get put on the public internet by someone, somewhere.
Please help novice users avoid shooting themselves in the foot.
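As an added illustration of the allowlist fix the issue asks for (example code, not part of the secure-openclaw project or the reporter's text): a POSIX shell snippet that checks a `.env` file for the wildcard `TELEGRAM_ALLOWED_DMS=*` and rewrites the key to an explicit allowlist. The comma-separated allowlist format and the Telegram user IDs used in the comments are assumptions; only the `TELEGRAM_ALLOWED_DMS` key and the wildcard default come from the issue.

```shell
#!/bin/sh
# Added example, not from the secure-openclaw project. Hardens the
# TELEGRAM_ALLOWED_DMS setting instead of defaulting to the wildcard "*".
# Assumptions: the .env file holds KEY=VALUE lines, and the allowlist is a
# comma-separated list of numeric Telegram user IDs (constructed format).

# Return 0 if the .env at $1 restricts DMs to an explicit allowlist,
# 1 if the key is missing, empty, or the wildcard "*".
dms_restricted() {
    value=$(sed -n 's/^TELEGRAM_ALLOWED_DMS=//p' "$1" | tail -n 1)
    case "$value" in
        ""|"*") return 1 ;;
        *)      return 0 ;;
    esac
}

# Rewrite the .env at $1 so TELEGRAM_ALLOWED_DMS holds the allowlist in $2.
# Refuses an empty value or the wildcard so this helper cannot be used to
# re-open DMs to everyone. $2 is expected to be digits and commas only;
# "|" or "&" in it would need escaping for the sed replacement below.
set_dms_allowlist() {
    [ -n "$2" ] && [ "$2" != "*" ] || return 1
    tmp="$1.tmp"
    if grep -q '^TELEGRAM_ALLOWED_DMS=' "$1"; then
        # Replace the existing line in place via a temp file (portable,
        # avoids the GNU/BSD difference in "sed -i").
        sed "s|^TELEGRAM_ALLOWED_DMS=.*|TELEGRAM_ALLOWED_DMS=$2|" "$1" > "$tmp" \
            && mv "$tmp" "$1"
    else
        # Key absent: append it rather than leaving DMs unconfigured.
        printf 'TELEGRAM_ALLOWED_DMS=%s\n' "$2" >> "$1"
    fi
}
```

Usage: `dms_restricted .env || set_dms_allowlist .env "111111111,222222222"` (constructed IDs). Running `dms_restricted` as a pre-start check is the cheaper half of the fix; it catches the wildcard before the bot accepts its first DM, and it fails closed when the key is missing rather than treating "unset" as "allow".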