mp3 password

  • This topic has 4 replies, 3 voices, and was last updated 11 years ago by mas.
Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
  • #3002

    hi all,

    i am implementing an iphone client and it already works pretty nice.
    i have a mt-daapd server running at home, currently about 16200 songs served.
    but i can easily stream songs without using a password.
    e.g. everybody could just call the url:
    and it would stream the song (if the item 15 exists and is a mp3 of course).
    is this a bug or did i just setup my mt-daapd wrong?
    the funny thing is, if i use songbirds daap pluging, it asks me about the mp3 password.
    so is this pwd just a clients application thing.
    and if you write your own client, you could just omit it?

    greets, kampfgnu


    what i am trying to say is…
    i just want to password protect my files from being downloaded.
    anybody could just make a script to get many files.
    like “download, 2.mp3, … 15320.mp3]”.
    any idea how to prevent this situation?

    greets from super paranoid :mrgreen:


    ahhhh thanks.

    one other thing:’daap.songartist:Lagwagon’
    gives me a valid xml file with all items found.
    i don’t user authorization here, so this seems to be a security issue, right?


    Yes it is a security issue (IMHO), which is why I fixed it with a quick and dirty patch.

    one other thing: … :Lagwagon’
    gives me a valid xml file with all items found.

    It requires a login after my patch. Just tried it. So what you found is the same issue really. The patch fixes it as well.
    Oh, and you need to set a user password. Otherwise you simply opt to give that info out unprotected. But I guess you did that as otherwise also the download is the same. No password=global sharing.
    The bug here was that it was also sharing globally with a password without that patch.

Viewing 5 posts - 1 through 5 (of 5 total)
  • The forum ‘General Discussion’ is closed to new topics and replies.