Anybody can access /stream

Posted: 16 Sep 2014, 21:48
by omnikron
(topic moved from wrong forum)

Hi,

Sorry if I'm not in the proper forum.

I believe there might be a security issue with access to the /stream URI. On my setup (madsonic 5.0-3830) you can access it from anywhere without any authentication. Players like Jamstash use /rest/stream.view, which looks correctly protected. The workaround I use for now is to comment out the servlet-mapping section for /stream in %madsonic-home%/jetty/3880/webapp/WEB-INF/web.xml, but that breaks the internal Web player because it does not seem to be using the REST API.

Can you confirm whether or not there is a security issue here?

Many thanks.
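
An added example, not part of the original post and not Madsonic code: a short Python audit that lists the servlet url-patterns in a web.xml that fall outside a given filter's url-pattern mappings, run on a constructed descriptor before and after the workaround of commenting out the /stream mapping. The filter and servlet names are hypothetical, and it assumes authentication is enforced by a filter mapped in web.xml, which the post does not state.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor, not Madsonic's real web.xml; names are hypothetical.
STREAM = ("<servlet-mapping><servlet-name>streamServlet</servlet-name>"
          "<url-pattern>/stream</url-pattern></servlet-mapping>")
TEMPLATE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter-mapping><filter-name>authFilter</filter-name><url-pattern>/rest/*</url-pattern></filter-mapping>
  <servlet-mapping><servlet-name>restServlet</servlet-name><url-pattern>/rest/stream.view</url-pattern></servlet-mapping>
  {stream}
</web-app>"""
BEFORE = TEMPLATE.format(stream=STREAM)                    # mapping active
AFTER = TEMPLATE.format(stream="<!-- " + STREAM + " -->")  # workaround applied

def local(el):
    return el.tag.rsplit("}", 1)[-1]             # tag name without namespace

def mappings(root, kind, name_tag):
    """(name, url-pattern) pairs for each active <kind>; comments are skipped by the parser."""
    pairs = []
    for el in root.iter():
        if local(el) == kind:
            name = next(((c.text or "").strip() for c in el if local(c) == name_tag), "")
            pairs += [(name, (c.text or "").strip()) for c in el if local(c) == "url-pattern"]
    return pairs

def covers(filt, servlet):
    """True if every path matched by the servlet pattern also matches the filter pattern."""
    if filt == "/*":
        return True
    if filt.endswith("/*"):                      # path-prefix filter
        base = servlet[:-2] if servlet.endswith("/*") else servlet
        prefix = filt[:-2]
        return not servlet.startswith("*.") and (base == prefix or base.startswith(prefix + "/"))
    if filt.startswith("*."):                    # extension filter
        if servlet.startswith("*.") or servlet.endswith("/*"):
            return servlet == filt
        return servlet.endswith(filt[1:])
    return filt == servlet                       # exact-match filter

def unfiltered_servlet_patterns(web_xml, filter_name):
    """Servlet url-patterns that no url-pattern mapping of filter_name covers."""
    root = ET.fromstring(web_xml)
    guards = [p for n, p in mappings(root, "filter-mapping", "filter-name") if n == filter_name]
    servlets = mappings(root, "servlet-mapping", "servlet-name")
    return sorted(p for _, p in servlets if not any(covers(g, p) for g in guards))

if __name__ == "__main__":
    print("before:", unfiltered_servlet_patterns(BEFORE, "authFilter"))
    print("after: ", unfiltered_servlet_patterns(AFTER, "authFilter"))
```

Filter mappings that target a servlet by `<servlet-name>` rather than by `<url-pattern>` are not considered, and neither are rules defined outside web.xml.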