Re: [Gnump3d-users] New release ..
From: Steve Kemp
Subject: Re: [Gnump3d-users] New release ..
Date: Tue, 16 Oct 2007 22:06:26 +0100
User-agent: mutt-ng/devel-r804 (Debian)
On Tue Oct 16, 2007 at 15:53:07 -0500, Samuel Baldwin wrote:
> I'm running 2.9final, and haven't had a single auth problem with
> playlists not working without auth or anything like that.
This is the thing, your playlists do not require authentication.
If somebody were to guess the name of a file on your server
they could fetch it. This is designed behaviour.
> Wouldn't it just be better to fix these holes and continue giving the
> option of public or private?
In an ideal world yes, in the real world I don't really have
much time to spare on this old code and I didn't want to ever
make a new release of this branch. I'm being forced to now
and the most pragmatic thing I can do is remove the support
as failed.
> Also, doesn't this now bring up a possible legal issue? One could
> argue we are distributing our mp3s to all, not just a select few with
> password access. I certainly don't want just anyone who knows the
> proper port number to get into my gnump3d server..
> Because of this, I will never be updating beyond 2.9final, and I'm
> pretty sure I'm not the only one..
Those two statements together make no sense. Right now
somebody can use the malformed-request trick, which hasn't been fixed,
to discover the names of your directories...
Then, because playlists require no authentication, download
as much as they like. Sure it requires a manual step but
it means you're distributing things without authentication anyway.
I believe, and have always believed, that running the software
publicly is asking for trouble. The password file(s) were meant
to mitigate that, and unfortunately they haven't achieved what
they were supposed to.
As you say the real solution would be to fix that, but given my
time is very minimal I'm not going to do so. If you wish to
patch the code and post those patches here then I'm sure I can
bundle them up, but otherwise I believe I'd be doing users a
favour by removing the illusion that password protection works.
Still if you don't wish to upgrade that's fine. I don't want
to (and can't!) force you. Feel free to look at the diffs
and incorporate fixes for the other issues from them if you
wish - I think the $FILENAME fix is probably applicable to
anybody who has files with bogus tagging information...
Steve