
Re: Yatse support

Posted: 11 Apr 2018, 14:17
by davilla
The entire zebra list concept is to close a very bad security hole that is completely transparent to users. In Kodi, knowing the IP of the box, an untrusted person can get Kodi to send back user/pass details which can expose other boxes for exploitation.

This is bad, very bad. Unfortunately, user/pass is not limited to passwords.xml. Access to a user's server content from an outside source is still problematic as user/pass details would have to be included.

So, I'm trying to understand the exact details needed. You say you need access to sources.xml. Without user/pass details, that access is useless. So you would really need access to sources.xml AND passwords.xml.

Perhaps an intermediate solution. Something that asks for permission, presents the user with the request for access question and then the decision moves to their accepting and granting access to said device. We gen a token and this token would be required to bypass the bits in zebra list that target specific xml files. This would require some core infrastructure to support and is something that I'm willing to do.

Re: Yatse support

Posted: 11 Apr 2018, 14:46
by Tolriq
I do not need access to sources.xml.

I need access to the content at the sources location.

A source is defined as:

<source>
<name>Films</name>
<path pathversion="1">F:\FakeLibrary\Films\</path>
<allowsharing>true</allowsharing>
</source>

The allowSharing is true so I can access the content of that folder from http via VFS.

http://ip:port/vfs/F%3A%5CFakeLibrary%5CFilms%5Ctoto.mkv should work.

If allowSharing is set to false then it's forbidden.

My understanding of Zebra is that since that folder is not a folder inside the application it's not allowed to be accessed and is more restrictive than the solution I put in place in Kodi.

Maybe I misread the code but from all our discussions it seems that this is what you wanted to achieve.

My addition to Kodi was to allow access to those folders via webserver via something that is configurable. The point was to expose that setting at UI level but situation with Kodi started once again to be more complicated at that time thanks to MK.

As said in all our discussions I 100% agree about Kodi flaws and needs to fix :) And did try to fix a few.

Just need to be sure about how to handle the access to the content of allowed sources so that users can stream their Kodi content to other players like Chromecast or local device.

Current situation in 3.6.0 on Shield is that it works: I can access the file via VFS if the source has allowSharing.

Either it's unwanted and it's a bug or it's wanted and I misunderstood the Zebra filter is the question :)
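
Added example, not part of the original post and not Kodi or MrMC code: a Python model of the rule described above, where a `/vfs/` request is served only if the decoded path lies under a source with `allowsharing` set to true. The second source, the address `192.0.2.10:8080`, the function names and the fail-closed default are constructed assumptions, and only Windows-style paths are handled.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath
from urllib.parse import unquote, urlsplit

# Constructed sample: the <source> quoted in the post plus a non-shared one.
SOURCES_XML = r"""
<sources><video>
  <source>
    <name>Films</name>
    <path pathversion="1">F:\FakeLibrary\Films\</path>
    <allowsharing>true</allowsharing>
  </source>
  <source>
    <name>Private</name>
    <path pathversion="1">F:\FakeLibrary\Private\</path>
    <allowsharing>false</allowsharing>
  </source>
</video></sources>
"""

def shared_roots(xml_text):
    """Return the paths of all sources whose <allowsharing> is true."""
    roots = []
    for src in ET.fromstring(xml_text).iter("source"):
        path = (src.findtext("path") or "").strip()
        # Assumption of this sketch: a missing <allowsharing> fails closed.
        flag = (src.findtext("allowsharing") or "false").strip().lower()
        if path and flag == "true":
            roots.append(PureWindowsPath(path))
    return roots

def vfs_request_allowed(url, roots):
    """True only if the /vfs/ target decodes to a file under a shared source."""
    path = urlsplit(url).path
    if not path.startswith("/vfs/"):
        return False
    target = PureWindowsPath(unquote(path[len("/vfs/"):]))
    # Reject ".." before the containment test: PureWindowsPath keeps it as a
    # literal component, so Films\..\Private would otherwise look like Films.
    if ".." in target.parts:
        return False
    # PureWindowsPath compares case-insensitively, matching Windows paths.
    return any(root in target.parents for root in roots)

if __name__ == "__main__":
    base = "http://192.0.2.10:8080/vfs/"  # constructed address
    roots = shared_roots(SOURCES_XML)
    print(vfs_request_allowed(base + "F%3A%5CFakeLibrary%5CFilms%5Ctoto.mkv", roots))
```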

Re: Yatse support

Posted: 11 Apr 2018, 14:49
by davilla
I will review :)

Re: Yatse support

Posted: 12 Apr 2018, 00:41
by davilla
ok, the real problem is that realpath returns null for vfs spec'ed paths, as they are by definition virtual paths :)

This should resolve the issue.


diff --git a/xbmc/utils/FileUtils.cpp b/xbmc/utils/FileUtils.cpp
index f3577a2ad1..a2e0f79629 100644
--- a/xbmc/utils/FileUtils.cpp
+++ b/xbmc/utils/FileUtils.cpp
@@ -286,6 +286,12 @@ bool CFileUtils::ZebraListAccessCheck(const std::string &filePath)
       return false;
     }
   }
+  else if (CFileUtils::RemoteAccessAllowed(filePath))
+  {
+    // if realpath fails, then it is a vfs reference
+    // so let CFileUtils::RemoteAccessAllowed handle it.
+    return true;
+  }
 
   return true;
 }
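
Review bot: the new `else if` branch returns true and the unchanged fall-through `return true;` right after it also returns true, so the result of `CFileUtils::RemoteAccessAllowed(filePath)` never changes what this path returns. If the intent is that a vfs reference is allowed only when `RemoteAccessAllowed` approves it, the trailing return should become `return false;`, or the branch should return the result of `RemoteAccessAllowed(filePath)` directly. The comment "if realpath fails" would also read better next to the realpath test it refers to, since the condition on the added line does not mention realpath.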

Re: Yatse support

Posted: 12 Apr 2018, 07:46
by Tolriq
I was not able to compile so can't test but yes code seems OK for that purpose.

Just need to be sure that local device files are still falling in the second part and not the first.

A source on the shield could totally be a mounted smb drive. Or even local drive for the 500GB one.


EDIT: Of course the last return true should now be return false to have any security improvements :)

Re: Yatse support

Posted: 13 Apr 2018, 14:55
by Tolriq
Yatse 8.3.0 is now out with support for MrMC.

If you expand JSON to add some features of v17 please add a note in future changelog or ping me here :)

Re: Yatse support

Posted: 13 Apr 2018, 15:09
by davilla
Tolriq wrote:
13 Apr 2018, 14:55
Yatse 8.3.0 is now out with support for MrMC.

If you expand JSON to add some features of v17 please add a note in future changelog or ping me here :)

will do, and fyi 3.6.1 will have the relaxed zebra list.

Re: Yatse support

Posted: 13 Apr 2018, 15:23
by Tolriq
Testflights are only iOS or do you push to Play Store beta channels too?

And thanks for the change.

Re: Yatse support

Posted: 13 Apr 2018, 15:38
by davilla
Tolriq wrote:
13 Apr 2018, 15:23
Testflights are only iOS or do you push to Play Store beta channels too?

And thanks for the change.

We push betas to play, koying handles that now.