mp3 password

This topic contains 4 replies, has 3 voices, and was last updated by  mas 7 years, 1 month ago.

  • #3002

    kampfgnu
    Participant

    hi all,

    i am implementing an iphone client and it already works pretty nice.
    i have a mt-daapd server running at home, currently about 16200 songs served.
    but i can easily stream songs without using a password.
    e.g. everybody could just call the url:
    http://myserver.com:3689/databases/1/items/15.mp3
    and it would stream the song (if the item 15 exists and is an mp3 of course).
    is this a bug or did i just set up my mt-daapd wrong?
    the funny thing is, if i use songbird's daap plugin, it asks me about the mp3 password.
    so is this pwd just a client application thing?
    and if you write your own client, you could just omit it?

    greets, kampfgnu

    #18868

    kampfgnu
    Participant

    what i am trying to say is…
    i just want to password protect my files from being downloaded.
    anybody could just make a script to get many files.
    like “download http://myserver.com/databases/1/items/[1.mp3, 2.mp3, … 15320.mp3]”.
    any idea how to prevent this situation?

    greets from super paranoid :mrgreen:

    #18869

    stretch
    Member
    #18870

    kampfgnu
    Participant

    ahhhh thanks.

    one other thing:
    http://myserver.com:3689/databases/1/items?output=xml&query='daap.songartist:Lagwagon
    gives me a valid xml file with all items found.
    i don’t use authorization here, so this seems to be a security issue, right?

    #18871

    mas
    Member

    Yes it is a security issue (IMHO), which is why I fixed it with a quick and dirty patch.

    one other thing:
    http://myserver.com:3689/databases/1/it … :Lagwagon’
    gives me a valid xml file with all items found.

    It requires a login after my patch. Just tried it. So what you found is the same issue really. The patch fixes it as well.
    Oh, and you need to set a user password. Otherwise you simply opt to give that info out unprotected. But I guess you did that as otherwise also the download is the same. No password=global sharing.
    The bug here was that it was also sharing globally with a password without that patch.
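
    Added example, not part of the thread and not mt-daapd code: a small check you can run against your own server to confirm that the two request paths quoted above refuse a request that carries no credentials. The local stub server and the function names are constructed for illustration, and the stub's use of a 401 response is an assumption about how a protected server answers.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Request paths quoted in the thread (item stream and XML query).
PATHS = [
    "/databases/1/items/15.mp3",
    "/databases/1/items?output=xml&query='daap.songartist:Lagwagon",
]

def unauthenticated_paths(base_url, paths=PATHS, timeout=5):
    """Return the paths that answer a credential-less GET with a 2xx status."""
    # Empty ProxyHandler: talk to the server directly, ignore proxy env vars.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    exposed = []
    for path in paths:
        try:
            with opener.open(base_url + path, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code  # e.g. 401 when the server demands a login
        if 200 <= status < 300:
            exposed.append(path)
    return exposed

def start_stub(require_auth):
    """Constructed local stand-in for a media server (hypothetical, not mt-daapd)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if require_auth and "Authorization" not in self.headers:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="stub"')
                self.end_headers()
                return
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"stub")
        def log_message(self, *args):
            pass  # keep the demo output quiet
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port

if __name__ == "__main__":
    for require_auth in (False, True):
        server, url = start_stub(require_auth)
        print("auth enforced:", require_auth, "exposed:", unauthenticated_paths(url))
        server.shutdown()
```

    Point `unauthenticated_paths` at your own server's base URL after setting a password; an empty list means both paths asked for a login.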
