Page 1 of 1
http interface - restricting browse functionality
Posted: 22 Nov 2010 17:50
by Lafcadio
When I add the http interface, the browse functionality allows users to explore my entire system directory structure. I'd like to restrict this behavior to a certain directory subtree.
For example, how can I make the top-level folder `/media/`?
Re: http interface - restricting browse functionality
Posted: 22 Nov 2010 18:49
by Rémi Denis-Courmont
There is a preference setting to configure the 'root' HTTP directory.
Re: http interface - restricting browse functionality
Posted: 22 Nov 2010 18:53
by Lafcadio
Great! What's the command-line flag, or configuration setting, please? I've been looking for this for days!
Actually, I think I may know what you're referring to. The parameter [--http-src] sets the document root for the web interface (i.e., the HTML, xml, etc... for the http interface) it does not set the media root for the `browse` option.
Re: http interface - restricting browse functionality
Posted: 22 Nov 2010 20:09
by Rémi Denis-Courmont
Ah you mean the browse dialog. You need to change the web page scripts for that.
Re: http interface - restricting browse functionality
Posted: 22 Nov 2010 21:06
by Lafcadio
I'm actually using a 3rd party application (an Android application called "VLC Stream and Convert") . I point to the html web interface as an example. Are 3rd party applications interacting with the same files as a web-browser user would?
I'm not familiar with how a 3rd party application interacts with the VLC server. Are you suggesting I edit `browse.xml` to include some sort of white list?
I may just create a new user who is confined to a certain directory. I was just hoping there would be a more simple way to modify the server behavior.
Re: http interface - restricting browse functionality
Posted: 22 Nov 2010 22:17
by Lafcadio
Thank you for the suggestion. Here is my current workaround hack. It is definitely not ideal, but will suffice for now.
I added a predicate to the `browse.xml` file to
check if the current directory starts with '/library/' (the directory I want to make the root).
Code: Select all
<vlc id="if" param1="file.name value '/library/' 9 strncmp 0 =" />
...
<vlc id="end" />
I also
added an entry to every directory listing to link back to this desired root.
Code: Select all
<element type="directory" size="" date="" path="/library/" name="Media Root" extension="" />
My full, modified browse.xml is now:
Code: Select all
<vlc id="end" />
<root>
<vlc id="if" param1="url_param 1 =" />
<vlc id="rpn" param1="'dir' url_extract" />
<element type="directory" size="" date="" path="/library/" name="Media Root" extension="" />
<vlc id="foreach" param1="file" param2="directory" />
<vlc id="if" param1="file.name value '/library/' 9 strncmp 0 =" />
<vlc id="if" param1="file.basename value '.' 1 strncmp 0 != file.basename value '..' 2 strncmp 0 = |" />
<element type="<vlc id="value" param1="file.type" />" size="<vlc id="value" param1="file.size" />" date="<vlc id="value" param1="file.date" />" path="<vlc id="value" param1="file.name value xml_encode" />" name="<vlc id="value" param1="file.basename value xml_encode" />" extension="<vlc id="value" param1="file.ext value xml_encode" />" />
<vlc id="end" />
<vlc id="end" />
<vlc id="end" />
<vlc id="end" />
</root>
This is an acceptable workaround for me.
Re: http interface - restricting browse functionality
Posted: 30 Nov 2010 15:56
by theundeadelvis
Hello Lafcadio, I am using VLC S&C also, and I'm trying to get your browse.xml tweak to work. They way you have it coded, does it mean that your "/library/" directory is in the same directory as the browse.xml folder? I'm just not sure how to code my path to my media folder (which is on an external drive)?
Thanks!
Re: http interface - restricting browse functionality
Posted: 30 Nov 2010 21:51
by Lafcadio
I'm running Linux, so full path names start with a `/`. In my environment, for example, the full path to `browse.xml` is `/usr/share/vlc/http/requests/browse.xml`.
If you're on a Mac, your full path would also start with a `/`, I believe. For Windows, I'm not sure what the answer is (maybe something like `F:/video/`, or `F:\\video\\` ?).
Just to be clear, the direct answer to your question is no, `/library/` is not in the same directory as `browse.xml`. You just need to replace the two occurrences of `/library/` with your desired full path in my example.
Re: http interface - restricting browse functionality
Posted: 04 Dec 2010 19:36
by theundeadelvis
Thank you!
Re: http interface - restricting browse functionality
Posted: 27 Feb 2011 01:03
by sushifury
@Lafcadio: Thanks for this, exactly what I was looking for!
I'd like to add that in the code:
Code: Select all
<vlc id="if" param1="file.name value '/library/' 9 strncmp 0 =" />
...the number after '/library/' is how many characters the string '/library/' has.
In my case, my string was 'Q:\\' since my Windows PC has a dedicated media hard drive. Since '\' is an escape character, my code has a 3 after it.
Code: Select all
<vlc id="if" param1="file.name value 'Q:\\' 3 strncmp 0 =" />
Took me a minute to figure it out, but it works great for me now.
BTW, I also use VLC Stream and Convert (awesome app), and ideally, I would like to VPN into my network. Unfortunately, Android 2.2's VPN is broken! This is the next best thing to having my entire computer exposed for viewing.
- Sushi
Re: http interface - restricting browse functionality
Posted: 18 Mar 2011 23:37
by video651
Attention!
The workaround proposed by Lafcadio is not at all secure !
It is still possible to play files on the streaming computer using the Web-Interface, even if you made the proposed modifications in "browse.xml"!
For Example (if you expect a Windows XP-System):
Inside the Web-Interface, click on "Open" and into the "Input (MRL)"-field key in the directory "C:\Documents and Settings\All Users\Documents\My Videos", click on "Play" and VLC will put all Videos from that folder and all of its subfolders into the playlist. Now you can pick your favourite Video from inside the playlist and watch it by clicking on the desired file.
So the proposed workaround is more or less just cosmetic and does not prevent files from outside the desired folder being played.
If anybody else knows a more secure way to fix this, I would be happy to read...
Klaus
Re: http interface - restricting browse functionality
Posted: 21 Mar 2011 17:15
by Lafcadio
The workaround proposed by Lafcadio is not at all secure !
In other words, the only thing "my" workaround does is prevent people from viewing the directory structure of your server. It will not prevent people, who already know the location of media files, from playing them.
In order to achieve a secure server, the most common suggestion I've seen is to use a VPN (Virtual Private Network). This will:
- Require a password to connect
- Encrypt your traffic
- Limit port forwarding requirements on your router
In this case you need to reset your VLC's .hosts file to restrict traffic only to local connections.
Re: http interface - restricting browse functionality
Posted: 21 Mar 2011 23:47
by video651
In other words, the only thing "my" workaround does is prevent people from viewing the directory structure of your server. It will not prevent people, who already know the location of media files, from playing them.
In order to achieve a secure server, the most common suggestion I've seen is to use a VPN (Virtual Private Network). This will:
- Require a password to connect
- Encrypt your traffic
- Limit port forwarding requirements on your router
In this case you need to reset your VLC's .hosts file to restrict traffic only to local connections.
Yes, I think an encrypted VPN connection is the most secure way at the moment, to access a VLC Web Interface.
What do other readers think? Any experiences?
Could anybody post setup instructions, for encrypted VPN connection between an android device and the VLC Web Interface running under Windows XP?
Klaus
Re: http interface - restricting browse functionality
Posted: 29 Mar 2011 12:49
by sushifury
The author of VLC Stream & Convert has already put together a nice little guide for Android and Windows Vista and 7:
http://traveldevel.com/vlc-stream-conve ... g-over-vpn (For how to set up incoming VPN on XP, there are a few guides on
Google.)
BTW, to expound on my previous post, VPN using PPTP on certain versions of Android is broken:
http://code.google.com/p/android/issues/detail?id=4706. (PPTP is the most common VPN protocol.) I'd much rather use VPN than simply restricting browsing, but my perfectly-working VPN doesn't jibe with Froyo.
To anyone reading -- if you're having the issue, as I am, PLEASE visit that last URL and "star" it, so Google will hopefully fix it.
- Sushi
Re: http interface - restricting browse functionality
Posted: 19 Feb 2013 20:15
by vlcusereerds
Hi,
I am confused. I am trying to use this "hack" to select in which (remote) directory, by default, the Open Media option will point, but I am not sure WHERE to insert the code mentioned above.
Under my C:\Program Files (x86)\VideoLAN\VLC\lua\http directory, I find the following files (amongst others):
mobile_browse.html
request\browse.xml
But neither of those two files look like the code listed above. Where, in browse.html should I insert the code Below is a copy of my browse.xml file.
Furthermore, on a Win7 PC, am I correct to assume that the code would be (I am unclear if I should double the back-slashes if they are an escape character, as someone mentionned):
<vlc id="end" />
<root>
<vlc id="if" param1="url_param 1 =" />
<vlc id="rpn" param1="'dir' url_extract" />
<element type="directory" size="" date="" path="\\MYNAS\MYVIDEOS\MYPLAYLISTS\" name="Media Root" extension="" />
<vlc id="foreach" param1="file" param2="directory" />
<vlc id="if" param1="file.name value '\\MYNAS\MYVIDEOS\MYPLAYLISTS\' 29 strncmp 0 =" />
<vlc id="if" param1="file.basename value '.' 1 strncmp 0 != file.basename value '..' 2 strncmp 0 = |" />
<element type="<vlc id="value" param1="file.type" />" size="<vlc id="value" param1="file.size" />" date="<vlc id="value" param1="file.date" />" path="<vlc id="value" param1="file.name value xml_encode" />" name="<vlc id="value" param1="file.basename value xml_encode" />" extension="<vlc id="value" param1="file.ext value xml_encode" />" />
<vlc id="end" />
<vlc id="end" />
<vlc id="end" />
<vlc id="end" />
</root>
In my case, the file browse.xml looks like that:
<?xml version="1.0" encoding="utf-8" standalone="yes" ?<?vlc print'>'?>
<?vlc --[[
vim:syntax=lua
]] ?>
<?vlc
--package.loaded.httprequests = nil --uncomment to debug changes
require "httprequests"
httprequests.processcommands()
local browseTable=httprequests.getbrowsetable()
print('<root>\n')
--httprequests.printTableAsJson(browseTable.element._array,0)
for i,e in ipairs(browseTable.element._array) do
print('\n<element ')
for k,v in pairs(e) do
print(" "..httprequests.xmlString(k).."='"..httprequests.xmlString(v).."'")
end
print('/>')
end
print('\n</root>')
?>
Thank for the help.
Re: http interface - restricting browse functionality
Posted: 07 Sep 2017 03:24
by chops88
If you want to limit it to one specfic directory, you can edit BOTH the browse.json and browse.xml files to include a line right before the table data is retrieved:
Code: Select all
if string.find(_GET["uri"], "/path/to/your/media/") == nil then
_GET["uri"] = "file:///path/to/your/media/"
end
--You should probably do the same here:
if string.find(_GET["dir"], "/path/to/your/media/") == nil then
_GET["dir"] = "/path/to/your/media/"
end
local browseTable=httprequests.getbrowsetable()
This should override ANY request made to the vlc web server by any method and force it to only display your desired path. For my purposes (semi-public display panel with remote control), its good enough to prevent users from poking around the OS structure.
**EDIT**
Modified it to read the request coming in and either allow it, or coerce it back to safety.