Bug report unauthorised playback.

[gskmr2 1]

Simple bug to find:

 

Log in as a normal user and play back a movie

Log out and back in as a restricted user (i.e. one that doesn't have permission to the movie you just played)

Go to the browser history, click the old link and you can play it fine as a user without permission.

 

e.g., We watch a movie, say, Hellraiser on the home PC. My 12 year old uses it the next day and can go to the history of Chrome and play back the movie no problem. You can also go to the main media folder it lies in and choose any horror film you like.

[Abobader 2952]

Hello gskmr2,

** This is an auto reply **

Please wait for someone from staff support or our members to reply to you.

It's recommended to provide more info, as it explain in this thread:

Thank you.

Emby Team

[GrimReaper 3320]

Which server version, which browser? Can't reproduce on Edge, Chrome or Firefox.

[gskmr2 1]

Sorry, forgot to say.

Its all Windows - WIndows Emby V4.7.13.0 running on Windows 10 using Brave browser.

[gskmr2 1]

I have an idea its because Brave stores the full URL to the file

index.html#!/item?id=207950&serverId=8206516685aa4d269e46a2653f72d17b

 

If you manage to get that, copy and paste (same as clicking on a URL from the browser history) and it lets you play it back.

 

 

Edited August 12, 2023 by gskmr2

[rbjtech 4301]

Yep - nothing new here - if you have the stream url and details - you can playback on a browser or vlc (network stream) etc.

Unfortunately emby does not enforce authorisation per connection - I believe this is changing soon - but for the moment, agree 100% this is a bypass.

You may be able to reduce the impact if you use Incognito mode, or choose to clear the link history on exit.  You may be able to do it just for the emby URL.

Edited August 12, 2023 by rbjtech

[gskmr2 1]

Thanks for the info, wasn't sure if it was known or not.