Screenshot of the GitHub Marketplace action listing, describing the extension

Giving Your KiCad PCB Repository Pretty Pictures

Publishing your boards on GitHub or GitLab is a must, and leads to wonderful outcomes in the hacker world. On their own, however, your board files might have the repo look a bit barren; having a picture or two in the README is the best. Making them yourself takes time – what if you could have it happen automatically? Enter kicad-render, a GitHub and GitLab integration for rendering your KiCad projects by [linalinn].

This integration generates pictures of your board, top and bottom view, on every push to the repo – you just embed two image links in your README.md. It is made possible by a new option in KiCad 8’s kicad-cli – board image generation – and [linalinn]’s code makes KiCad run on GitHub/GitLab servers.

For even more bling, you can enable an option to generate a GIF that rotates your board, in the style of that one [arturo182] demo – in fact, this integration’s GIF code was borrowed from that script! Got a repository with many boards in one? There’s an option you could make work for yourself, too.

All you need to do is to follow a couple of simple steps; [linalinn] has documented both the GitHub and GitLab integration. We’ve recently talked about KiCad integrations in more detail, if you’re wondering what else your repository could be doing!

Push ESP32 Over The Air Updates From GitHub

Let’s say you’re working on an ESP32 project to send off to your grandma; something she can just plug in and it will start automatically monitoring her plant’s water levels. But you discover a critical flaw in the firmware and need to update it. Does she send it back? Do you walk her through dropping the update via the Arduino IDE OTA? The easiest way would be to plan and use something like esp_ghota, an OTA framework by [Justin Hammond].

OTA (Over-The-Air) updates are a fantastic feature of the ESP32, and we’ve covered libraries that make it easy. But compared to those earlier projects, esp_ghota takes a different approach. Rather than hosting a web server where someone can drop a binary, it looks at GitHub releases. [Justin] had to include a streaming JSON parser, as GitHub API responses tend to be beefy. The workflow is straightforward: push a new commit to your main branch on GitHub, and the action will trigger, building a few different versions. Your little plant watering reminder at your grandma’s will check every so often to see if a new version has been pushed, and can update with rollback on littlefs, fatfs, and spiffs filesystems.

It’s an incredible project that we suspect will be very useful for many folks to update their projects. [Justin] even includes an example GitHub action and a sample ESP32 project.

This Week In Security: The Apache Fix Miss, Github (Malicious) Actions, And Shooting The Messenger

Apache 2.4.50 included a fix for CVE-2021-41773. It has since been discovered that this fix was incomplete, and this version is vulnerable to a permutation of the same vulnerability. 2.4.51 is now available, and should properly fix the vulnerability.

The original exploit used .%2e/ as the magic payload, which is using URL encoding to sneak the extra dot symbol through as part of the path. The new workaround uses .%%32%65/. This looks a bit weird, but makes sense when you decode it. URL encoding uses UTF-8, and so %32 decodes to 2, and %65 to e. Familiar? Yep, it’s just the original vulnerability with a second layer of URL encoding. This has the same requirements as the first iteration, cgi-bin has to be enabled for code execution, and require all denied has to be disabled in the configuration files.
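To make the “second layer of encoding” concrete from the defender’s side, here is an added example (not code from the article or from the Apache project) that decodes a request path layer by layer, as a log-review or WAF check would, and shows why a filter that percent-decodes only once sees `.%2e` instead of `..` on the doubly-encoded form. The sample paths and the `outside-docroot.txt` filename are constructed for the example.

```python
from urllib.parse import unquote

# Constructed sample request paths (not taken from real logs): the two payload
# shapes quoted in the article plus a benign CGI request.
SAMPLE_PATHS = [
    "/cgi-bin/.%2e/.%2e/outside-docroot.txt",        # one layer of encoding
    "/cgi-bin/.%%32%65/.%%32%65/outside-docroot.txt",  # two layers of encoding
    "/cgi-bin/status.cgi",                            # benign
]


def decode_layers(path, max_rounds=5):
    """Percent-decode repeatedly until the string stops changing.

    Returns (fully_decoded_path, rounds_that_changed_something). One round is
    what a naive filter does; the doubly-encoded form needs two.
    """
    current = path
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return current, rounds


def single_pass_flags(path):
    """The check the incomplete fix amounts to: decode once, look for a '..' segment."""
    return any(seg == ".." for seg in unquote(path).split("/"))


def has_traversal(path):
    """Decode until stable, then look for a '..' segment in the final form."""
    decoded, _ = decode_layers(path)
    return any(seg == ".." for seg in decoded.split("/"))


def classify(path):
    """Summarise one request path for a log-review report."""
    decoded, rounds = decode_layers(path)
    return {
        "path": path,
        "decoded": decoded,
        "decode_rounds": rounds,
        "single_pass_flags": single_pass_flags(path),
        "traversal": has_traversal(path),
    }


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(classify(p))
```

Running it shows the single-layer path flagged by both checks, the double-layer path flagged only by the decode-until-stable check (it needs two rounds: `%%32%65` becomes `%2e`, which becomes `.`), and the benign path flagged by neither. The practical point for a filter is to normalise on the fully decoded path, or to reject requests that still contain `%` after one decode, rather than to special-case each encoding.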