I’m insufferable? You’re the one relying on personal attacks to make your point. Then run away with tail between legs when I show you 1) how it’s not the same as your case and 2) how other current internet operations WOULD be the same, and there’s no lawsuits in regards to those things.

You’re wrong, period. Stop trying to debate laws interpretation of a country you don’t even speak the language of.

LMFO. I actually speak English, French, Polish, and German (in proficiency order) and have an EU citizenship.

I just happen to live in the USA. So congrats, you’re wrong again. Try not to resort to personal attacks next time. You’ll look much less silly.

YOUR intention doesn’t matter. You don’t maintain the jellyfin code. The actual code designers specifically left the endpoints open for “compatibility”. There was a conscious decision for those endpoints to not require authorization, and worse, IT’S DOCUMENTED. This is not like the case you’re quoting. If accessing endpoints without auth was ever illegal, almost all IoT devices would be illegal, a good chunk of gaming and other services would be illegal, etc… This premise is asinine.

You realize that google and other sites regularly scan and capture direct links to websites without ever giving a shit about a login page somewhere else on the site. You don’t see lawsuits against any of those crawlers, nor the people who click the crawled links when they return in a search result. This is the exact same premise.

Or even just on a differently vlan that you want to go through your reverse-proxy because that is where your security features are to separate you from shit you don’t trust.

Article 323-1 : you access my server without my authorization -> 3 years of prison, 100k€ fine

Bullshit. Notice the term is fraudulent. They are not making a bad login or accessing anything that requires authorization. There is no requirement here that simply accesses a web page is sufficient.

Article 323-3 : you touch my data in any way -> 5 years of prison, 150k fine

Again FRAUDULENT. Since it’s public access, there’s nothing illegal happening here. Further any company that would be scanning for this material to build a lawsuit would have the legal right to reproduce the content (eg a law-firm that was contracted by universal, sony, etc…)

It requires authentication or bypass of functioning code to be fraudulent. Making calls to apis that have no authentication cannot be illegal. This is literally how a good chunk of the internet itself works. If it was illegal the internet wouldn’t exist in your country.

Edit: Just to make it clear. It’s not a “flaw”. The github link itself shows that the managers of jellyfin are aware of the problem and intentionally do not “fix” it as they want backwards compatibility.

I was testing a 2fa based one the other weak and jellyfin was the service I decided to test with. Ultimately didnt like it so I rolled ot back.I’d have to go look it up to get you a name.

Look at the rest of this thread though… many people are just fine with “this is FUD, I’m going to keep doing it!”

Still, posts like this raise awareness of the problem.

deleted by creator

There is no authentication occurring. There is no “hacking” here. Nothing about scanners or bots scraping unauthenticated endpoints is illegal. This would be admissable.

No. None of the items are closed. Click the “closed” items. All of them are “Not planned. Duplicate, see 5415”.

Edit: The biggest issue of unauthenticated streaming of content… https://github.com/jellyfin/jellyfin/issues/13777

Last opened last week. closed as duplicate. it’s unaddressed completely.

No. None of the items are closed. Click the “closed” items. All of them are “Not planned. Duplicate, see 5415”.

No. None of the items are closed. Click the “closed” items. All of them are “Not planned. Duplicate, see 5415”.

Keeping that copy on a web accessible platform that is accessible by anyone on the internet(unauthenticated) isn’t covered by your rights at a bare minimum.

Depending on the content “timing” if they trigger on something that doesn’t have a physical/consumer release yet… or all sorts of other “impossible” conditions. This is obviously reliant on what content you actually have on your server.

It’s still something regardless that it’s best not to invite.

Oh, sure enough. Basic auth breaks the login function. I didn’t test it myself and didn’t think that it wouldn’t work for basic auth. I’ve put other auths in front of it and it works. So It’s not completely “misinformation”. Just annoying that the easiest most basic form of auth won’t work.

Probably not. But depending on how it’s configured it could still be a gamble/risk. A rate limiting setup can mitigate it a lot.

Having it publicly accessible on a web server is distribution. And that normally IS a crime unless you have some licenses to do so.

No… that’s the point of this thread. There is no requirement to login in order to manually access endpoints. Up to and including pulling video data.

Do we even know that Plex is better? It’s closed source and hasn’t been audited afaik

Yes… because you can take the raw request your browser makes… remove your auth cookie and replay the same request and it fails.

Closed source doesn’t mean that it can’t be tested for problems. Just means that you can’t go to the code to understand why it’s a problem. You can still see that the problem exists (or doesn’t in this case).

Edit: I haven’t tested every api endpoint myself… but for video files it doesn’t work. It’s not vulnerable to the same thing that JF is in that specific case.

Fair enough if you don’t actually have any… but the courts will still make that decision for you. Some things might count that you don’t expect.

I mean, sure… but you’d actually have to reasonably liquidate most of your assets at that point. You can’t just “claim” bankruptcy and do literally nothing to sate your debts. Of course this is different on a jurisdictional basis… but overall, you have to sell a lot of your stuff in order to do a proper bankruptcy.

https://www.financestrategists.com/financial-advisor/bankruptcy/what-can-you-keep-after-filing-bankruptcy

It can decimate any savings you have for retirement.