http interface - restricting browse functionality

Lafcadio
New Cone
Posts: 6
Joined: 22 Nov 2010 17:37

Postby Lafcadio » 22 Nov 2010 17:50

When I add the http interface, the browse functionality allows users to explore my entire system directory structure. I'd like to restrict this behavior to a certain directory subtree.

For example, how can I make the top-level folder `/media/`?

Rémi Denis-Courmont
Developer
Posts: 15214
Joined: 07 Jun 2004 16:01
VLC version: master
Operating System: Linux

Re: http interface - restricting browse functionality

Postby Rémi Denis-Courmont » 22 Nov 2010 18:49

There is a preference setting to configure the 'root' HTTP directory.
Rémi Denis-Courmont
https://www.remlab.net/
Private messages soliciting support will be systematically discarded

Lafcadio
New Cone
Posts: 6
Joined: 22 Nov 2010 17:37

Re: http interface - restricting browse functionality

Postby Lafcadio » 22 Nov 2010 18:53

Great! What's the command-line flag, or configuration setting, please? I've been looking for this for days!

Actually, I think I may know what you're referring to. The parameter [--http-src] sets the document root for the web interface (i.e., the HTML, xml, etc... for the http interface); it does not set the media root for the `browse` option.

Rémi Denis-Courmont
Developer
Posts: 15214
Joined: 07 Jun 2004 16:01
VLC version: master
Operating System: Linux

Re: http interface - restricting browse functionality

Postby Rémi Denis-Courmont » 22 Nov 2010 20:09

Ah you mean the browse dialog. You need to change the web page scripts for that.
Rémi Denis-Courmont
https://www.remlab.net/
Private messages soliciting support will be systematically discarded

Lafcadio
New Cone
Posts: 6
Joined: 22 Nov 2010 17:37

Re: http interface - restricting browse functionality

Postby Lafcadio » 22 Nov 2010 21:06

I'm actually using a 3rd party application (an Android application called "VLC Stream and Convert"). I point to the html web interface as an example. Are 3rd party applications interacting with the same files as a web-browser user would?

I'm not familiar with how a 3rd party application interacts with the VLC server. Are you suggesting I edit `browse.xml` to include some sort of white list?

I may just create a new user who is confined to a certain directory. I was just hoping there would be a more simple way to modify the server behavior.

Lafcadio
New Cone
Posts: 6
Joined: 22 Nov 2010 17:37

Re: http interface - restricting browse functionality

Postby Lafcadio » 22 Nov 2010 22:17

Thank you for the suggestion. Here is my current workaround hack. It is definitely not ideal, but will suffice for now.

I added a predicate to the `browse.xml` file to check if the current directory starts with '/library/' (the directory I want to make the root).

```xml
<vlc id="if" param1="file.name value '/library/' 9 strncmp 0 =" />
...
<vlc id="end" />
```

I also added an entry to every directory listing to link back to this desired root.

```xml
<element type="directory" size="" date="" path="/library/" name="Media Root" extension="" />
```

My full, modified browse.xml is now:

```xml
<vlc id="end" />
<root>
<vlc id="if" param1="url_param 1 =" />
  <vlc id="rpn" param1="'dir' url_extract" />
  <element type="directory" size="" date="" path="/library/" name="Media Root" extension="" />
  <vlc id="foreach" param1="file" param2="directory" />
    <vlc id="if" param1="file.name value '/library/' 9 strncmp 0 =" />
      <vlc id="if" param1="file.basename value '.' 1 strncmp 0 != file.basename value '..' 2 strncmp 0 = |" />
        <element type="<vlc id="value" param1="file.type" />" size="<vlc id="value" param1="file.size" />" date="<vlc id="value" param1="file.date" />" path="<vlc id="value" param1="file.name value xml_encode" />" name="<vlc id="value" param1="file.basename value xml_encode" />" extension="<vlc id="value" param1="file.ext value xml_encode" />" />
      <vlc id="end" />
    <vlc id="end" />
  <vlc id="end" />
<vlc id="end" />
</root>
```

This is an acceptable workaround for me.

theundeadelvis
New Cone
Posts: 2
Joined: 30 Nov 2010 15:52

Re: http interface - restricting browse functionality

Postby theundeadelvis » 30 Nov 2010 15:56

Hello Lafcadio, I am using VLC S&C also, and I'm trying to get your browse.xml tweak to work. The way you have it coded, does it mean that your "/library/" directory is in the same directory as the browse.xml folder? I'm just not sure how to code my path to my media folder (which is on an external drive)?

Thanks!

Lafcadio
New Cone
Posts: 6
Joined: 22 Nov 2010 17:37

Re: http interface - restricting browse functionality

Postby Lafcadio » 30 Nov 2010 21:51

I'm running Linux, so full path names start with a `/`. In my environment, for example, the full path to `browse.xml` is `/usr/share/vlc/http/requests/browse.xml`.

If you're on a Mac, your full path would also start with a `/`, I believe. For Windows, I'm not sure what the answer is (maybe something like `F:/video/`, or `F:\\video\\` ?).

Just to be clear, the direct answer to your question is no, `/library/` is not in the same directory as `browse.xml`. You just need to replace the two occurrences of `/library/` with your desired full path in my example.

theundeadelvis
New Cone
Posts: 2
Joined: 30 Nov 2010 15:52

Re: http interface - restricting browse functionality

Postby theundeadelvis » 04 Dec 2010 19:36

Thank you!

sushifury
New Cone
Posts: 3
Joined: 27 Feb 2011 00:50

Re: http interface - restricting browse functionality

Postby sushifury » 27 Feb 2011 01:03

@Lafcadio: Thanks for this, exactly what I was looking for!

I'd like to add that in the code:

```xml
<vlc id="if" param1="file.name value '/library/' 9 strncmp 0 =" />
```

...the number after '/library/' is how many characters the string '/library/' has.

In my case, my string was 'Q:\\' since my Windows PC has a dedicated media hard drive. Since '\' is an escape character, my code has a 3 after it.

```xml
<vlc id="if" param1="file.name value 'Q:\\' 3 strncmp 0 =" />
```

Took me a minute to figure it out, but it works great for me now.

BTW, I also use VLC Stream and Convert (awesome app), and ideally, I would like to VPN into my network. Unfortunately, Android 2.2's VPN is broken! This is the next best thing to having my entire computer exposed for viewing.

- Sushi

video651
New Cone
Posts: 3
Joined: 18 Mar 2011 22:56

Re: http interface - restricting browse functionality

Postby video651 » 18 Mar 2011 23:37

Attention!

The workaround proposed by Lafcadio is not at all secure!

It is still possible to play files on the streaming computer using the Web-Interface, even if you made the proposed modifications in "browse.xml"!

For Example (if you expect a Windows XP-System):

Inside the Web-Interface, click on "Open" and into the "Input (MRL)"-field key in the directory "C:\Documents and Settings\All Users\Documents\My Videos", click on "Play" and VLC will put all Videos from that folder and all of its subfolders into the playlist. Now you can pick your favourite Video from inside the playlist and watch it by clicking on the desired file.

So the proposed workaround is more or less just cosmetic and does not prevent files from outside the desired folder being played.

If anybody else knows a more secure way to fix this, I would be happy to read...

Klaus

Lafcadio
New Cone
Posts: 6
Joined: 22 Nov 2010 17:37

Re: http interface - restricting browse functionality

Postby Lafcadio » 21 Mar 2011 17:15

> The workaround proposed by Lafcadio is not at all secure!

In other words, the only thing "my" workaround does is prevent people from viewing the directory structure of your server. It will not prevent people, who already know the location of media files, from playing them.

In order to achieve a secure server, the most common suggestion I've seen is to use a VPN (Virtual Private Network). This will:
  1. Require a password to connect
  2. Encrypt your traffic
  3. Limit port forwarding requirements on your router

In this case you need to reset your VLC's .hosts file to restrict traffic only to local connections.

video651
New Cone
Posts: 3
Joined: 18 Mar 2011 22:56

Re: http interface - restricting browse functionality

Postby video651 » 21 Mar 2011 23:47


> In other words, the only thing "my" workaround does is prevent people from viewing the directory structure of your server. It will not prevent people, who already know the location of media files, from playing them.
>
> In order to achieve a secure server, the most common suggestion I've seen is to use a VPN (Virtual Private Network). This will:
>   1. Require a password to connect
>   2. Encrypt your traffic
>   3. Limit port forwarding requirements on your router
>
> In this case you need to reset your VLC's .hosts file to restrict traffic only to local connections.

Yes, I think an encrypted VPN connection is the most secure way at the moment, to access a VLC Web Interface.

What do other readers think? Any experiences?

Could anybody post setup instructions, for encrypted VPN connection between an android device and the VLC Web Interface running under Windows XP?

Klaus

sushifury
New Cone
Posts: 3
Joined: 27 Feb 2011 00:50

Re: http interface - restricting browse functionality

Postby sushifury » 29 Mar 2011 12:49

The author of VLC Stream & Convert has already put together a nice little guide for Android and Windows Vista and 7:
http://traveldevel.com/vlc-stream-conve ... g-over-vpn (For how to set up incoming VPN on XP, there are a few guides on Google.)

BTW, to expound on my previous post, VPN using PPTP on certain versions of Android is broken: http://code.google.com/p/android/issues/detail?id=4706. (PPTP is the most common VPN protocol.) I'd much rather use VPN than simply restricting browsing, but my perfectly-working VPN doesn't jibe with Froyo.

To anyone reading -- if you're having the issue, as I am, PLEASE visit that last URL and "star" it, so Google will hopefully fix it.

- Sushi

vlcusereerds
New Cone
Posts: 6
Joined: 12 Aug 2011 05:34

Re: http interface - restricting browse functionality

Postby vlcusereerds » 19 Feb 2013 20:15

Hi,

I am confused. I am trying to use this "hack" to select in which (remote) directory, by default, the Open Media option will point, but I am not sure WHERE to insert the code mentioned above.

Under my C:\Program Files (x86)\VideoLAN\VLC\lua\http directory, I find the following files (amongst others):
mobile_browse.html
request\browse.xml

But neither of those two files looks like the code listed above. Where, in browse.html should I insert the code? Below is a copy of my browse.xml file.

Furthermore, on a Win7 PC, am I correct to assume that the code would be (I am unclear if I should double the back-slashes if they are an escape character, as someone mentioned):

```xml
<vlc id="end" />

<root>
<vlc id="if" param1="url_param 1 =" />
<vlc id="rpn" param1="'dir' url_extract" />
<element type="directory" size="" date="" path="\\MYNAS\MYVIDEOS\MYPLAYLISTS\" name="Media Root" extension="" />
<vlc id="foreach" param1="file" param2="directory" />
<vlc id="if" param1="file.name value '\\MYNAS\MYVIDEOS\MYPLAYLISTS\' 29 strncmp 0 =" />
<vlc id="if" param1="file.basename value '.' 1 strncmp 0 != file.basename value '..' 2 strncmp 0 = |" />
<element type="<vlc id="value" param1="file.type" />" size="<vlc id="value" param1="file.size" />" date="<vlc id="value" param1="file.date" />" path="<vlc id="value" param1="file.name value xml_encode" />" name="<vlc id="value" param1="file.basename value xml_encode" />" extension="<vlc id="value" param1="file.ext value xml_encode" />" />
<vlc id="end" />
<vlc id="end" />
<vlc id="end" />
<vlc id="end" />
</root>
```


In my case, the file browse.xml looks like that:
```xml
<?xml version="1.0" encoding="utf-8" standalone="yes" ?<?vlc print'>'?>
<?vlc --[[
vim:syntax=lua
]] ?>
<?vlc

--package.loaded.httprequests = nil --uncomment to debug changes
require "httprequests"

httprequests.processcommands()

local browseTable=httprequests.getbrowsetable()

print('<root>\n')

--httprequests.printTableAsJson(browseTable.element._array,0)

for i,e in ipairs(browseTable.element._array) do
  print('\n<element ')

  for k,v in pairs(e) do
    print(" "..httprequests.xmlString(k).."='"..httprequests.xmlString(v).."'")
  end

  print('/>')
end

print('\n</root>')

?>
```

Thanks for the help.

chops88
New Cone
Posts: 2
Joined: 07 Sep 2017 03:07

Re: http interface - restricting browse functionality

Postby chops88 » 07 Sep 2017 03:24

If you want to limit it to one specific directory, you can edit BOTH the browse.json and browse.xml files to include a line right before the table data is retrieved:

```lua
if string.find(_GET["uri"], "/path/to/your/media/") == nil then
  _GET["uri"] = "file:///path/to/your/media/"
end
--You should probably do the same here:
if string.find(_GET["dir"], "/path/to/your/media/") == nil then
  _GET["dir"] = "/path/to/your/media/"
end
local browseTable=httprequests.getbrowsetable()
```

This should override ANY request made to the vlc web server by any method and force it to only display your desired path. For my purposes (semi-public display panel with remote control), it's good enough to prevent users from poking around the OS structure.

**EDIT**
Modified it to read the request coming in and either allow it, or coerce it back to safety.
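
Both the `strncmp` prefix test in Lafcadio's `browse.xml` and the `string.find` test above compare the raw request string. As an added example (not code from any poster or from VLC), here is one way to normalize the requested path before an anchored comparison; `MEDIA_ROOT`, `normalize` and `confine` are hypothetical names, and POSIX-style paths are assumed.

```lua
-- Added example: MEDIA_ROOT, normalize() and confine() are hypothetical
-- names; the sample requests below are constructed.
local MEDIA_ROOT = "/library/"

-- Lexically resolve "." and ".." in an absolute POSIX path. Symlinks are
-- not resolved; that would need OS support such as realpath().
local function normalize(path)
  local parts = {}
  for seg in path:gmatch("[^/]+") do
    if seg == ".." then
      parts[#parts] = nil              -- pop; at the top this is a no-op
    elseif seg ~= "." then
      parts[#parts + 1] = seg
    end
  end
  return "/" .. table.concat(parts, "/") .. (#parts > 0 and "/" or "")
end

-- Return the directory to list: the normalized request when it lies under
-- MEDIA_ROOT, otherwise MEDIA_ROOT itself.
local function confine(requested)
  if type(requested) ~= "string" then return MEDIA_ROOT end
  local path, was_uri = requested:gsub("^file://", "")
  if was_uri > 0 then                  -- URI form: percent-decode once
    path = path:gsub("%%(%x%x)", function(h)
      return string.char(tonumber(h, 16))
    end)
  end
  -- Reject relative paths and embedded NUL bytes outright.
  if path:sub(1, 1) ~= "/" or path:find("\0", 1, true) then
    return MEDIA_ROOT
  end
  local norm = normalize(path)
  -- Anchored, plain comparison: no Lua patterns, no substring search.
  if norm:sub(1, #MEDIA_ROOT) == MEDIA_ROOT then return norm end
  return MEDIA_ROOT
end

for _, req in ipairs({
  "/library/movies",             -- inside the root
  "/library/../etc",             -- passes a raw prefix test
  "/etc/?x=/library/",           -- passes a substring test
  "file:///library/%2e%2e/etc",  -- encoded dot segments
  "file:///library/My%20Show",   -- legitimate encoded name
}) do
  print(string.format("%-30s -> %s", req, confine(req)))
end
print(string.format("%-30s -> %s", "(missing parameter)", confine(nil)))
```

As noted earlier in the thread, a check like this only confines directory listing; a location typed into the Open (MRL) field is not affected by it.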

