- This topic has 4 replies, 3 voices, and was last updated 14 years, 9 months ago by
.
-
Posts
-
hi all,
i am implementing an iphone client and it already works pretty nice.
i have a mt-daapd server running at home, currently about 16200 songs served.
but i can easily stream songs without using a password.
e.g. everybody could just call the url:
http://myserver.com:3689/databases/1/items/15.mp3
and it would stream the song (if the item 15 exists and is a mp3 of course).
is this a bug or did i just setup my mt-daapd wrong?
the funny thing is, if i use songbirds daap pluging, it asks me about the mp3 password.
so is this pwd just a clients application thing.
and if you write your own client, you could just omit it?greets, kampfgnu
what i am trying to say is…
i just want to password protect my files from being downloaded.
anybody could just make a script to get many files.
like “download http://myserver.com/databases/1/items/%5B1.mp3, 2.mp3, … 15320.mp3]”.
any idea how to prevent this situation?greets from super paranoid
ahhhh thanks.
one other thing:
http://myserver.com:3689/databases/1/items?output=xml&query=’daap.songartist:Lagwagon’
gives me a valid xml file with all items found.
i don’t user authorization here, so this seems to be a security issue, right?Yes it is a security issue (IMHO), which is why I fixed it with a quick and dirty patch.
one other thing:
http://myserver.com:3689/databases/1/it … :Lagwagon’
gives me a valid xml file with all items found.It requires a login after my patch. Just tried it. So what you found is the same issue really. The patch fixes it as well.
Oh, and you need to set a user password. Otherwise you simply opt to give that info out unprotected. But I guess you did that as otherwise also the download is the same. No password=global sharing.
The bug here was that it was also sharing globally with a password without that patch.
- The forum ‘General Discussion’ is closed to new topics and replies.