On Tue Oct 16, 2007 at 15:53:07 -0500, Samuel Baldwin wrote:

> I'm running 2.9final, and haven't had a single auth problem with
> playlists not working without auth or anything like that.

This is the thing, your playlists do not require authentication. If somebody were to guess the name of a file on your server they could fetch it. This is designed behaviour.

> Wouldn't it just be better to fix these holes and continue giving the
> option of public or private?

In an ideal world yes, in the real world I don't really have much time to spare on this old code and I didn't want to ever make a new release of this branch. I'm being forced to now and the most pragmatic thing I can do is remove the support as failed.

> Also, doesn't this now bring up a possible legal issue? One could
> argue we are distributing our mp3s to all, not just a select few with
> password access. I certainly don't want just anyone who knows the
> proper port number to get into my gnump3d server..

> Because of this, I will never be updating beyond 2.9final, and I'm
> pretty sure I'm not the only one..

Those two statements together make no sense. Right now somebody can use the malformed-request trick, which hasn't been fixed, to discover the names of your directories... Then, because playlists require no authentication, download as much as they like. Sure it requires a manual step, but it means you're distributing things without authentication anyway.

I believe, and have always believed, that running the software publicly is asking for trouble. The password file(s) were meant to mitigate that, and unfortunately they haven't achieved what they were supposed to.

As you say, the real solution would be to fix that, but given my time is very minimal I'm not going to do so. If you wish to patch the code and post those patches here then I'm sure I can bundle them up, but otherwise I believe I'd be doing users a favour by removing the illusion that password protection works.

Still, if you don't wish to upgrade that's fine. I don't want to (and can't!) force you.

Feel free to look at the diffs and incorporate fixes for the other issues from them if you wish - I think the $FILENAME fix is probably applicable to anybody who has files with bogus tagging information...

Steve

--
_______________________________________________
Gnump3d-users mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/gnump3d-users
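The point Steve makes above, that password protection which covers only some routes is an illusion, is easy to show in miniature. The following is an added illustration, not gnump3d's code: a toy request dispatcher with a hypothetical in-memory "library" of constructed paths, one variant that checks HTTP Basic credentials only on directory listings (so playlist and file URLs slip through, as described in the thread), and one that checks credentials once before any routing. The `unauthenticated_paths` helper is the check a defender would run against their own server: enumerate every known path and see which ones answer 200 with no credentials at all.

```python
import base64
import hmac
from typing import Callable, List, Optional, Tuple

# Constructed sample data (hypothetical user and paths; nothing here comes from gnump3d).
USERS = {"alice": "correct horse"}
LIBRARY = {
    "/music/album1/": ["track01.mp3", "track02.mp3"],            # directory listing
    "/music/album1/track01.mp3": b"ID3 fake audio bytes",         # a media file
    "/music/album1.m3u": "/music/album1/track01.mp3\n/music/album1/track02.mp3\n",  # playlist
}

Response = Tuple[int, str]            # (HTTP status, body)
App = Callable[[str, Optional[str]], Response]


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header a client would send for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def credentials_ok(auth_header: Optional[str]) -> bool:
    """Parse an HTTP Basic Authorization header and check it against USERS."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = raw.partition(":")
    expected = USERS.get(user)
    if expected is None:
        return False
    # Constant-time comparison so timing does not leak how much of the password matched.
    return hmac.compare_digest(expected.encode(), password.encode())


def serve(path: str) -> Response:
    """Render whatever the library holds at `path` (listing, playlist, or file)."""
    item = LIBRARY.get(path)
    if item is None:
        return 404, "not found"
    if isinstance(item, list):
        return 200, "\n".join(item)
    if isinstance(item, bytes):
        return 200, f"<{len(item)} bytes of audio>"
    return 200, item


def vulnerable_app(path: str, auth: Optional[str]) -> Response:
    """Credentials are demanded only for directory listings.

    Playlists (.m3u) and media files are dispatched without any check, so anyone who
    knows or guesses a path can fetch it: the password gate covers the front door only.
    """
    if path.endswith("/") and not credentials_ok(auth):
        return 401, "auth required"
    return serve(path)


def hardened_app(path: str, auth: Optional[str]) -> Response:
    """Credentials are checked once, before routing, so every path is covered."""
    if not credentials_ok(auth):
        return 401, "auth required"
    return serve(path)


def unauthenticated_paths(app: App) -> List[str]:
    """Defender's audit: which known paths does `app` serve with no credentials at all?"""
    return [path for path in LIBRARY if app(path, None)[0] == 200]


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        print(f"{name}: served without auth -> {unauthenticated_paths(app)}")
```

Running the audit against the first dispatcher lists the playlist and the media file; against the second it lists nothing, because the decision "is this client allowed in?" is made in exactly one place rather than repeated (and forgotten) per route.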
