2011-09-17, 09:07
mzanetti Wrote: Hi! Is it known that commands like this return the full contents of the directory even if they are not included in any of the media sources?
{ "id" : 102, "jsonrpc" : "2.0", "method" : "Files.GetDirectory", "params" : { "directory" : "/etc" } }
Even worse: you can also download the contents of the file:
http://xbmcbox:8080/vfs/etc/passwd
This seems quite insecure to me. I know that there are security concepts planned, but even with a login I see no reason why the API should expose system config files.
Other than that, the API is turning out very well.
It's known, it's very bad, but it's known.
You're more than welcome to start a Trac ticket about it so that we can discuss ways to remove this flaw.
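The flaw discussed above is that Files.GetDirectory and the /vfs/ handler accept any filesystem path instead of only paths under the configured media sources. As an added illustration (this is not XBMC code, and the function name, the source list and the sample directory tree are all constructed for the example), the check below resolves both the requested path and each source root with os.path.realpath and then requires a whole-component prefix match, so `..` segments, symlinks planted inside a source, and sibling directories that merely share a name prefix are all rejected:

```python
import os
import tempfile
from typing import Iterable, Optional


def resolve_under_sources(requested: str, sources: Iterable[str]) -> Optional[str]:
    """Return the resolved real path of `requested` if it lies inside one of
    `sources`, otherwise None.  Hypothetical helper: the kind of gate a
    directory-listing or file-serving handler would call before touching disk.

    Both sides are passed through os.path.realpath so that ".." segments and
    symbolic links cannot be used to escape a source root.  os.path.commonpath
    compares whole path components, so "/media/music2" is not treated as being
    under "/media/music" the way a plain str.startswith() check would.
    """
    real_req = os.path.realpath(requested)
    for src in sources:
        real_src = os.path.realpath(src)
        if os.path.commonpath([real_src, real_req]) == real_src:
            return real_req
    return None


def build_demo_tree(root: str) -> str:
    """Constructed sample layout: one media source plus a directory outside it,
    with a symlink inside the source pointing at the outside file."""
    music = os.path.join(root, "music")
    outside = os.path.join(root, "outside")
    os.makedirs(music)
    os.makedirs(outside)
    open(os.path.join(music, "track.mp3"), "w").close()
    with open(os.path.join(outside, "secret.txt"), "w") as fh:
        fh.write("not media\n")
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(music, "link"))
    return music


def run_demo() -> dict:
    """Exercise the gate against the constructed tree; True means 'allowed'."""
    with tempfile.TemporaryDirectory() as tmp:
        music = build_demo_tree(tmp)
        sources = [music]
        probes = {
            # a real file inside the configured source
            "in_source": os.path.join(music, "track.mp3"),
            # traversal out of the source with ".."
            "traversal": os.path.join(music, "..", "outside", "secret.txt"),
            # symlink inside the source that resolves outside it
            "symlink": os.path.join(music, "link"),
            # absolute system path, as in the report above
            "absolute": "/etc/passwd",
            # sibling directory sharing only a name prefix
            "sibling_prefix": music + "2/x",
        }
        return {name: resolve_under_sources(p, sources) is not None
                for name, p in probes.items()}


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name:15s} {'allowed' if allowed else 'denied'}")
```

Only the first probe is allowed; the other four are denied. The same function would gate both the JSON-RPC `directory` parameter and the path appended to /vfs/, since both are just filesystem paths supplied by the client. Note that an empty source list denies everything, and a source of "/" deliberately allows everything, which is the administrator's choice rather than the API's.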