Re: [Gnump3d-users] New release ..

From: Steve Kemp
Subject: Re: [Gnump3d-users] New release ..
Date: Tue, 16 Oct 2007 22:06:26 +0100
User-agent: mutt-ng/devel-r804 (Debian)

On Tue Oct 16, 2007 at 15:53:07 -0500, Samuel Baldwin wrote:

> I'm running 2.9final, and haven't had a single auth problem with
> playlists not working without auth or anything like that.

  This is the thing, your playlists do not require authentication.
 If somebody were to guess the name of a file on your server
 they could fetch it.  This is designed behaviour.

> Wouldn't it just be better to fix these holes and continue giving the
> option of public or private?

  In an ideal world yes, in the real world I don't really have
 much time to spare on this old code and I didn't want to ever
 make a new release of this branch.  I'm being forced to now
 and the most pragmatic thing I can do is remove the support
 as failed.

> Also, doesn't this now bring up a possible legal issue? One could
> argue we are distributing our mp3s to all, not just a select few with
> password access. I certainly don't want just anyone who knows the
> proper port number to get into my gnump3d server..

> Because of this, I will never be updating beyond 2.9final, and I'm
> pretty sure I'm not the only one..

  Those two statements together make no sense.  Right now
 somebody can use the malformed-request trick, which hasn't been fixed,
 to discover the names of your directories...

  Then, because playlists require no authentication, download
 as much as they like.  Sure, it requires a manual step, but
 it means you're distributing things without authentication anyway.

  I believe, and have always believed, that running the software
 publicly is asking for trouble.  The password file(s) were meant
 to mitigate that, and unfortunately they haven't achieved what
 they were supposed to.

  As you say, the real solution would be to fix that, but given my
 time is very minimal I'm not going to do so.  If you wish to
 patch the code and post those patches here then I'm sure I can
 bundle them up, but otherwise I believe I'd be doing users a
 favour by removing the illusion that password protection works.

  Still, if you don't wish to upgrade that's fine.  I don't want
 to (and can't!) force you.  Feel free to look at the diffs
 and incorporate fixes for the other issues from them if you
 wish - I think the $FILENAME fix is probably applicable to
 anybody who has files with bogus tagging information...
