Nope. I don’t talk about myself like that.

  • 13 Posts
  • 2.04K Comments
Joined 2 years ago
cake
Cake day: June 8th, 2023

help-circle
  • Sure. Now who here wants to litigate it and find out?

    the prosecution may have committed a crime in finding it.

    Web scanners/crawlers aren’t illegal though. And since it’s not authenticated there’s no attempt to break any security/authentication/encryption. You don’t get in trouble for finding a random URL in a google search and accessing it. You’d get in trouble if you had to bypass some security measure to get there.

    The point of this all is that these endpoints have no measure in place. Seemingly on purpose, and it’s documented by the maintainers that they don’t intend to fix it and leaving it open is intentional.

    You can gamble it. I won’t. I just can’t accept that “Jellyfin is better” that keeps getting pushed when big gaping problematic holes like this exist.



  • You’re wrong, period. Stop trying to debate laws interpretation of a country you don’t even speak the language of.

    LMFO. I actually speak English, French, Polish, and German (in proficiency order) and have an EU citizenship.

    I just happen to live in the USA. So congrats, you’re wrong again. Try not to resort to personal attacks next time. You’ll look much less silly.

    YOUR intention doesn’t matter. You don’t maintain the jellyfin code. The actual code designers specifically left the endpoints open for “compatibility”. There was a conscious decision for those endpoints to not require authorization, and worse, IT’S DOCUMENTED. This is not like the case you’re quoting. If accessing endpoints without auth was ever illegal, almost all IoT devices would be illegal, a good chunk of gaming and other services would be illegal, etc… This premise is asinine.

    You realize that google and other sites regularly scan and capture direct links to websites without ever giving a shit about a login page somewhere else on the site. You don’t see lawsuits against any of those crawlers, nor the people who click the crawled links when they return in a search result. This is the exact same premise.



  • Article 323-1 : you access my server without my authorization -> 3 years of prison, 100k€ fine

    Bullshit. Notice the term is fraudulent. They are not making a bad login or accessing anything that requires authorization. There is no requirement here that simply accesses a web page is sufficient.

    Article 323-3 : you touch my data in any way -> 5 years of prison, 150k fine

    Again FRAUDULENT. Since it’s public access, there’s nothing illegal happening here. Further any company that would be scanning for this material to build a lawsuit would have the legal right to reproduce the content (eg a law-firm that was contracted by universal, sony, etc…)

    It requires authentication or bypass of functioning code to be fraudulent. Making calls to apis that have no authentication cannot be illegal. This is literally how a good chunk of the internet itself works. If it was illegal the internet wouldn’t exist in your country.

    Edit: Just to make it clear. It’s not a “flaw”. The github link itself shows that the managers of jellyfin are aware of the problem and intentionally do not “fix” it as they want backwards compatibility.














  • Do we even know that Plex is better? It’s closed source and hasn’t been audited afaik

    Yes… because you can take the raw request your browser makes… remove your auth cookie and replay the same request and it fails.

    Closed source doesn’t mean that it can’t be tested for problems. Just means that you can’t go to the code to understand why it’s a problem. You can still see that the problem exists (or doesn’t in this case).

    Edit: I haven’t tested every api endpoint myself… but for video files it doesn’t work. It’s not vulnerable to the same thing that JF is in that specific case.