Ponyo, posted January 29, 2020

Hi, I'm not sure if this is a bug or expected behavior but if you use the share button in the Emby app to share a picture it creates a link that is accessible to everyone that has it, it does not require one to be logged into Emby.

If this is expected behavior, is there any way to force user logon? I do not want my pictures to be accessible to everyone that has a link.

Luke, posted January 29, 2020

What app are you sharing with?

Ponyo, posted January 29, 2020

The URL is generated by the Emby Android app. The URL is the same regardless of the app I share with.

Luke, posted January 29, 2020

What share target was chosen?

Ponyo, posted January 30, 2020

> What share target was chosen?

You mean which app I selected on the selection menu you get on Android when pressing the share button? WhatsApp and copy to clipboard. Both generate the same URL accessible for everyone that has it.

darkassassin07, posted January 30, 2020

Testing, I get the same results. The share button > copy to clipboard gave me a link that looked like this:

http://<host>/emby/Items/<item_id>/Images/Primary?maxWidth=1080&tag=<tag_value>&quality=40

(host/tag/item_id masked ofc.)

I dropped that into an incognito tab and it immediately loaded the image without any auth. I was on LAN at the time hence http, but the WAN host + https works as well.

Edited January 30, 2020 by darkassassin07

ebr, posted January 30, 2020

I'm pretty sure this is by design. You are trying to share a link in a public way...

darkassassin07, posted January 30, 2020

Compared to the share button for video files, it's unexpected IMO.

Video 'sharing' gives you the description of the shared vid + a link to the main landing page on your server where a person would have to log in then find the actual media themselves. Whereas image sharing just gives a direct link to the image, no auth required.

It's inconsistent. Are we allowed to share the actual media itself via our Emby servers or not? Especially when the description of 'Allow media sharing' under a user's access settings is:

'Only webpages containing media info are shared. Media files are never shared publicly. Shares are time-limited and will expire after 30 days.'

Dunno about the time-limit, but those links don't seem temporary either.

Personally I don't use Emby's media sharing options. I have it disabled for all users. Instead I have an instance of nginx running on the same machine that hosts whatever I drop into a specific folder. That way I can give people links that look like https://file.mydomain.com/file.extention to share them. Handy for embedded forum images, sharing files with friends, and even providing info for work like videos of a problem maintenance has to deal with.

I'm just curious as to the intended use and functionality of the share feature.

What I would want from the feature is a link to the media info page. Visiting that link with a browser that's already logged into the server via 'remember me' would take you directly to the media info. Visiting with a browser that isn't auto-logged in however would redirect to the user login page, then after a successful auth, redirect back to the shared media's info page. Assuming we are maintaining the idea that Emby can't be used to share the media itself publicly that is.

Otherwise, allow video to be shared just like images currently (a link to directly play, no auth). Time-limited temporary links would definitely be a good idea there.

Edited January 30, 2020 by darkassassin07

Ponyo, posted January 31, 2020

> I'm pretty sure this is by design. You are trying to share a link in a public way...

I can understand that, which is why I asked. That said, I think some clarification and maybe the option to lock link access to Emby users would be nice to have.

In my case I don't want to share the link publicly. I want to share it with people that have access to my server so I don't have to tell them to find picture 1439 themselves but I don't want that link to be accessible by everyone.

Luke, posted January 31, 2020

Ideally for photos I think we should just share the actual image rather than a link.

Embite, posted February 16, 2020

I recently noticed what appears to be a severe flaw in share links generated by (but not necessarily limited to) the mobile Emby app. I discovered this using a picture so I'll stick with that as an example but I have a feeling this applies to any type of library/content.

-----

Steps to reproduce:

1. Create a picture library and add some pictures.
2. Open up the picture library from the mobile app and view a picture.
3. Click the "share" icon in the upper right (the 3 connected dots icon).
4. "Copy" the link, text it to yourself, whatever...

Now you'll have a link that looks like this:

https://DOMAIN/Items/12345/Images/Primary?maxWidth=1242&tag=GUID&quality=50

The bold areas are the pieces I changed for this post.

There are 2 major issues:

1. There is no option for authentication or timeout around this link. It can be re-shared to anyone indiscriminately, for all time apparently.
2. The item ID (12345) can be changed to view a different item! So once you share one link, all the receiver has to do is change 12345 to 12346 (and so on) and they can view your entire library!

-----

I've browsed through the admin settings and haven't yet found a way to block this. Something akin to "Disallow public share links". The only thing I can think to do right now is block the particular URL structure at the reverse proxy level but I'm afraid this may have unintended consequences.

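One way to look for the item-ID walking described in the post above in reverse-proxy access logs, as an added example that is not from the thread or from Emby. It assumes nginx's combined log format and a heuristic (an assumption, not an Emby feature): a client that requests images for many distinct item IDs and never touches any other server path is following edited share links rather than running an Emby app. All log lines are constructed.

```python
import re
from collections import defaultdict

# nginx "combined" format; only client address, request target and status are parsed.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
IMAGE_RE = re.compile(r"^/(?:emby/)?Items/(\d+)/Images/\w+")


def _line(ip, path, status=200):
    # Helper that formats one constructed access-log line.
    return f'{ip} - - [16/Feb/2020:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "-"'


# Constructed sample: one client walking item IDs, one normal app session,
# and one recipient who opened a single shared link.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", f"/Items/{i}/Images/Primary?maxWidth=1242&quality=50",
           404 if i == 12348 else 200) for i in range(12345, 12351)]
    + [_line("203.0.113.20", "/web/index.html"),
       _line("203.0.113.20", "/emby/System/Info/Public")]
    + [_line("203.0.113.20", f"/emby/Items/{i}/Images/Primary?maxWidth=1080")
       for i in range(200, 206)]
    + [_line("192.0.2.44", "/Items/12345/Images/Primary?maxWidth=1242&quality=50")]
)


def find_image_only_enumerators(log_text, min_items=5):
    """Return {client: sorted item ids} for clients that request nothing but
    item images and touch at least `min_items` distinct item ids."""
    items = defaultdict(set)
    other_requests = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format instead of guessing
        client, target, _status = m.groups()
        img = IMAGE_RE.match(target)
        if img:
            # Count 404s too: probing IDs that do not exist is part of the pattern.
            items[client].add(int(img.group(1)))
        else:
            other_requests[client] += 1
    return {c: sorted(ids) for c, ids in items.items()
            if len(ids) >= min_items and other_requests[c] == 0}
```
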
darkassassin07, posted February 16, 2020

https://emby.media/community/index.php?/topic/81985-picture-share-button-creates-links-accessible-to-everyone/

Embite, posted February 16, 2020

Thanks, however it doesn't mention the 2nd issue of being able to view someone's entire library by easily changing the item ID in the URL. Unless Luke's reply is implying a feature change to only ever share the image itself. That would do it.

Edited February 16, 2020 by Embite

Luke, posted February 16, 2020

Yes ideally we should revise it to create some special access token that only has permission for that one specific thing.

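One way to build the kind of link described in the post above, bound to a single item and carrying the time limit asked for earlier in the thread. This is an added example, not Emby's code or API: the `expires` and `sig` query parameters, the key, and the function names are all hypothetical, and the 30-day lifetime is taken from the settings text quoted in the thread.

```python
import base64
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qs, urlsplit

# Hypothetical server-side key, constructed for this demo; a real key is random
# and never leaves the server.
SECRET = b"constructed-demo-key"
SHARE_TTL = 30 * 24 * 3600  # 30 days
PATH_RE = re.compile(r"^/(?:emby/)?Items/(\d+)/Images/(\w+)$")


def _sign(item_id, image_type, expires):
    # The MAC covers every field a recipient could otherwise edit in the URL.
    msg = f"{item_id}\n{image_type}\n{expires}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_share_url(host, item_id, image_type="Primary", now=None):
    """Return a link valid for one item and one image type until it expires."""
    expires = int(time.time() if now is None else now) + SHARE_TTL
    sig = _sign(item_id, image_type, expires)
    return (f"https://{host}/Items/{item_id}/Images/{image_type}"
            f"?expires={expires}&sig={sig}")


def verify_share_url(url, now=None):
    """True only if the path matches the signature and the link is unexpired."""
    parts = urlsplit(url)
    match = PATH_RE.match(parts.path)
    query = parse_qs(parts.query)
    if not match or "expires" not in query or "sig" not in query:
        return False  # unsigned links are rejected outright
    try:
        expires = int(query["expires"][0])
    except ValueError:
        return False
    if int(time.time() if now is None else now) > expires:
        return False
    expected = _sign(match.group(1), match.group(2), expires)
    # Constant-time comparison avoids leaking how much of the signature matched.
    return hmac.compare_digest(expected.encode(), query["sig"][0].encode())
```

Changing 12345 to 12346 in such a link, or pushing `expires` into the future, invalidates the signature, so a shared link grants access to the one image it was issued for and nothing else.
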
ebr, posted February 16, 2020

> The item ID (12345) can be changed to view a different item! So once you share one link, all the receiver has to do is change 12345 to 12346 (and so on) and they can view your entire library!

Just a point of clarification for the casual reader - they cannot "view your entire library". What could be done is that they could see the primary image from content in your library. They cannot access files or play them etc.

crusher11, posted February 16, 2020

If it's an image library, using that technique would absolutely enable them to view the entire library would it not? "Playing" files is irrelevant in the context of an image share.

To be honest both methods seem flawed. We should be able to share a link to a video that requires a user to log into the server, but then presents them with the actual video page instead of the server home page and requiring them to find it themselves.

ebr, posted February 16, 2020

> If it's an image library, using that technique would absolutely enable them to view the entire library would it not? "Playing" files is irrelevant in the context of an image share.

His point was that sharing the image opened up your entire collection of libraries - regardless of type - by exposing a URL that can be modified to get to other places. This is true, but only to get to images of the items.

Embite, posted February 16, 2020

@ebr - No, that was not my point, @crusher11 was correct. It opens up the entire image library. Not every library created on your Emby server. "View your entire library" is different than "view every library on the server".

Edited February 16, 2020 by Embite

ebr, posted February 17, 2020

> @ebr - No, that was not my point, @crusher11 was correct. It opens up the entire image library. Not every library created on your Emby server. "View your entire library" is different than "view every library on the server".

I understand what you were trying to say but, to a casual reader, it could easily have been interpreted another way. So I wanted to be sure to clarify that.

> Just a point of clarification for the casual reader - ...

Thanks.

neik, posted February 17, 2020

Sorry ebr, then it isn't as bad as you would guess at first look but it still is bad.

The current status of the share feature is one reason I do not allow any user to share anything as I can't make sure the link won't be modified to access other files (in the library).