Picture share button creates links accessible to everyone


Ponyo
Hi,

I'm not sure if this is a bug or expected behavior, but if you use the share button in the Emby app to share a picture, it creates a link that is accessible to everyone that has it; it does not require one to be logged into Emby.
If this is expected behavior, is there any way to force user logon? I do not want my pictures to be accessible to everyone that has a link.

What share target was chosen?

You mean which app I selected on the selection menu you get on Android when pressing the share button? WhatsApp and copy to clipboard. Both generate the same URL, accessible to everyone that has it.

darkassassin07

Testing, I get the same results. The share button > copy to clipboard gave me a link that looked like this:

http://<host>/emby/Items/<item_id>/Images/Primary?maxWidth=1080&tag=<tag_value>&quality=40

(host/tag/item_id masked ofc.)

I dropped that into an incognito tab and it immediately loaded the image without any auth.

I was on LAN at the time, hence http, but the WAN host + https works as well.

darkassassin07

Compared to the share button for video files, it's unexpected IMO.
Video 'sharing' gives you the description of the shared vid + a link to the main landing page on your server where a person would have to login then find the actual media themselves.

Whereas image sharing just gives a direct link to the image, no auth required.

It's inconsistent. Are we allowed to share the actual media itself via our Emby servers or not?

Especially when the description of 'Allow media sharing' under a user's access settings is: 'Only webpages containing media info are shared. Media files are never shared publicly. Shares are time-limited and will expire after 30 days.'

Dunno about the time-limit, but those links don't seem temporary either.

Personally I don't use Emby's media sharing options. I have it disabled for all users.

Instead I have an instance of nginx running on the same machine that hosts whatever I drop into a specific folder.

That way I can give people links that look like https://file.mydomain.com/file.extension to share them. Handy for embedded forum images, sharing files with friends, and even providing info for work like videos of a problem maintenance has to deal with.

I'm just curious as to the intended use and functionality of the share feature.

What I would want from the feature is a link to the media info page. Visiting that link with a browser that's already logged into the server via 'remember me' would take you directly to the media info. Visiting with a browser that isn't auto-logged in, however, would redirect to the user login page, then after a successful auth, redirect back to the shared media's info page.

Assuming we are maintaining the idea that Emby can't be used to share the media itself publicly, that is.
Otherwise, allow video to be shared just like images currently (a link to directly play, no auth). Time-limited temporary links would definitely be a good idea there.

I'm pretty sure this is by design. You are trying to share a link in a public way...

I can understand that, which is why I asked.

That said, I think some clarification and maybe the option to lock link access to Emby users would be nice to have. In my case I don't want to share the link publicly. I want to share it with people that have access to my server so I don't have to tell them to find picture 1439 themselves, but I don't want that link to be accessible by everyone.
I recently noticed what appears to be a severe flaw in share links generated by (but not necessarily limited to) the mobile Emby app. I discovered this using a picture so I'll stick with that as an example but I have a feeling this applies to any type of library/content.

-----

Steps to reproduce:

  1. Create a picture library and add some pictures.
  2. Open up the picture library from the mobile app and view a picture.
  3. Click the "share" icon in the upper right (the 3 connected dots icon).
  4. "Copy" the link, text it to yourself, whatever...

Now you'll have a link that looks like this:

  • https://DOMAIN/Items/12345/Images/Primary?maxWidth=1242&tag=GUID&quality=50
  • The bold areas are the pieces I changed for this post.

There are 2 major issues:

  1. There is no option for authentication or timeout around this link. It can be re-shared to anyone indiscriminately, for all time apparently.
  2. The item ID (12345) can be changed to view a different item! So once you share one link, all the receiver has to do is change 12345 to 12346 (and so on) and they can view your entire library!

-----
I've browsed through the admin settings and haven't yet found a way to block this. Something akin to "Disallow public share links". The only thing I can think to do right now is block the particular URL structure at the reverse proxy level but I'm afraid this may have unintended consequences.

Thanks; however, it doesn't mention the 2nd issue of being able to view someone's entire library by easily changing the item ID in the URL.
Unless Luke's reply is implying a feature change to only ever share the image itself. That would do it.

Yes, ideally we should revise it to create some special access token that only has permission for that one specific thing.
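The kind of scoped, time-limited share token described in the reply above, as an added illustration that is not Emby's code: the server signs the item id together with an expiry using an HMAC, and the image endpoint accepts a link only for the item the signature was issued for and only until it expires. The URL layout, the `SHARE_SECRET` value, the function names and the item ids are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed server-side secret for this example only; a real deployment would
# generate and store its own secret and never place it in a link.
SHARE_SECRET = b"example-secret-do-not-use"
THIRTY_DAYS = 30 * 24 * 3600  # the 30-day expiry quoted from the sharing setting


def _sign(item_id: str, expires: int, secret: bytes = SHARE_SECRET) -> str:
    """HMAC-SHA256 over item id and expiry, encoded as unpadded urlsafe base64."""
    msg = f"{item_id}:{expires}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_share_link(base: str, item_id: str, now: int, ttl: int = THIRTY_DAYS) -> str:
    """Build <base>/Items/<id>/Images/Primary?maxWidth=...&exp=...&sig=... (hypothetical layout)."""
    expires = now + ttl
    query = urlencode({"maxWidth": 1080, "exp": expires, "sig": _sign(item_id, expires)})
    return f"{base}/Items/{item_id}/Images/Primary?{query}"


def verify_share_link(url: str, now: int) -> bool:
    """True only if the signature covers exactly this item id and expiry and is still valid."""
    parsed = urlparse(url)
    parts = parsed.path.strip("/").split("/")
    # Only the primary-image path is shareable; everything else is rejected.
    if len(parts) != 4 or parts[0] != "Items" or parts[2:] != ["Images", "Primary"]:
        return False
    item_id = parts[1]
    query = parse_qs(parsed.query)
    try:
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires:
        return False
    # Constant-time comparison: a token whose item id or expiry was edited no longer matches.
    return hmac.compare_digest(sig, _sign(item_id, expires))
```

Because the item id is part of the signed message, editing it in the URL invalidates the link instead of exposing a neighbouring item.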

  1. The item ID (12345) can be changed to view a different item! So once you share one link, all the receiver has to do is change 12345 to 12346 (and so on) and they can view your entire library!

Just a point of clarification for the casual reader - they cannot "view your entire library". What could be done is that they could see the primary image from content in your library. They cannot access files or play them etc.

crusher11

If it's an image library, using that technique would absolutely enable them to view the entire library would it not? "Playing" files is irrelevant in the context of an image share.

To be honest both methods seem flawed. We should be able to share a link to a video that requires a user to log into the server, but then presents them with the actual video page instead of the server home page and requiring them to find it themselves.

If it's an image library, using that technique would absolutely enable them to view the entire library would it not? "Playing" files is irrelevant in the context of an image share.

His point was that sharing the image opened up your entire collection of libraries - regardless of type - by exposing a URL that can be modified to get to other places. This is true, but only to get to images of the items.

@ebr - No, that was not my point, @crusher11 was correct. It opens up the entire image library. Not every library created on your Emby server. "View your entire library" is different than "view every library on the server".

@ebr - No, that was not my point, @crusher11 was correct. It opens up the entire image library. Not every library created on your Emby server. "View your entire library" is different than "view every library on the server".

I understand what you were trying to say but, to a casual reader, it could easily have been interpreted another way. So I wanted to be sure to clarify that.

Just a point of clarification for the casual reader - ...

Thanks.

Sorry ebr, then it isn't as bad as you would guess at first look, but it still is bad.

The current status of the share feature is one reason I do not allow any user to share anything as I can't make sure the link won't be modified to access other files (in the library).