2011-09-16, 22:02
Hi! Is it known that commands like this return the full contents of the directory even if they are not included in any of the media sources?
{ "id" : 102, "jsonrpc" : "2.0", "method" : "Files.GetDirectory", "params" : { "directory" : "/etc" } }
Even worse: you can also download the contents of the file:
http://xbmcbox:8080/vfs/etc/passwd
This seems quite insecure to me. I know that there are security concepts planned, but even with a login I see no reason why the API should expose system config files.
Other than that, the API is turning out very well.
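The restriction the post asks for, sketched as an added example (not part of the original post and not XBMC's own code): both the `Files.GetDirectory` call and the `/vfs/` download are refused unless the path lies inside a configured media source. The source list, the function names, the error code chosen and the reading of `/vfs/<path>` as a percent-encoded file path are assumptions.

```python
import json
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed sample configuration: the only directories added as media sources.
MEDIA_SOURCES = ["/media/movies", "/media/music"]


def is_within_sources(path, sources=MEDIA_SOURCES):
    """True only if `path` lies inside one of the configured source roots."""
    if not path.startswith("/") or "\x00" in path:
        return False
    # Collapse "." and ".." lexically before comparing. A real server should
    # also resolve symlinks (os.path.realpath) on the box itself.
    norm = posixpath.normpath(path)
    for root in sources:
        root = posixpath.normpath(root)
        # Compare whole path components so "/media/movies-private" does not
        # pass as a child of "/media/movies".
        if norm == root or norm.startswith(root.rstrip("/") + "/"):
            return True
    return False


def check_jsonrpc(raw, sources=MEDIA_SOURCES):
    """Return None if the call may proceed, else a JSON-RPC error object."""
    req = json.loads(raw)
    if req.get("method") == "Files.GetDirectory":
        params = req.get("params")
        directory = params.get("directory") if isinstance(params, dict) else None
        if not isinstance(directory, str) or not is_within_sources(directory, sources):
            # Illustrative choice: the JSON-RPC 2.0 "Invalid params" code.
            return {"jsonrpc": "2.0", "id": req.get("id"),
                    "error": {"code": -32602, "message": "Invalid params."}}
    return None


def check_vfs_url(url, sources=MEDIA_SOURCES):
    """True if a /vfs/<path> download URL points inside a media source."""
    path = urlsplit(url).path
    if not path.startswith("/vfs/"):
        return False
    # Decode once, then validate the decoded path that would be opened.
    return is_within_sources("/" + unquote(path[len("/vfs/"):]), sources)
```

The check has to run on the same normalized path that is later opened; validating one form and opening another reintroduces the problem.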