
http Web Interface-restrict 'Open File' to specific location

Posted: 19 Mar 2011 01:23
by video651
When the http Web Interface is added to the VLC media player, it is possible to remotely control VLC from inside a LAN or over the Internet, using a web browser.

The Web Interface gives access from a remote computer to all files on all drives, folders and subfolders on the machine running VLC media player.

To see this behaviour, open the IP address corresponding to the VLC Web Interface inside a web browser. From the control menu, click on the "open button" and, inside the "Open File" dialog, click on the "Browse" button. Inside the popup window, you can access all files on all drives and inside all directories of the computer running VLC media player.

It is even possible to access files on all shared devices that are reachable from the machine running VLC media player.

To see this behaviour, inside the "Open File" dialog, key in any desired shared directory that is accessible inside the LAN (for example "\\server\directory") into the "Input (MRL)" field and click on "Play". All files of the directory structure will be placed into the playlist and the VLC media player starts playing the playlist from the beginning.

The described behaviour is a huge security issue, as in common LAN environments several computers (and also several users) can have access to the running VLC Web Interface. In case the user grants access to the VLC Web Interface from outside the LAN in order to control the VLC media player over the Internet, the described behaviour might become an open door to the whole LAN network from the Internet.

My suggested change is to implement functionality to define which shared device(s), drive(s), folder(s), subfolder(s), file(s) and file type(s) shall be remotely accessible using the VLC Web Interface.

The VLC Web Interface is becoming more and more popular, as it is the underlying technology for remote applications like "VLC-Remote" or "VLC Stream & Convert" for Android devices and several more. None of these devices (as far as I know) allow defining password-protected access to the VLC Web Interface. But using the Web Interface without password protection means an open door to all files of the computer and possibly the whole LAN network.

Any comments are very welcome

Klaus

Re: http Web Interface-restrict 'Open File' to specific loca

Posted: 29 Apr 2011 06:48
by sushifury
@Klaus: You can restrict browsing, but it's insecure. Please see: viewtopic.php?f=2&t=84663

I'd also like to see a way to implement more secure browsing restrictions that's a lot less hack-y. I have to read the thread when I make a change, since it's not very often. :)

- Sushi

Re: http Web Interface-restrict 'Open File' to specific loca

Posted: 19 Feb 2013 18:25
by vlcusereerds
Hi,

I too would really like to get more information on whether this will be improved in the future. Allowing FULL ACCESS to ALL FILES is a huge security risk that I am unwilling to take. It would be very useful to be able to simply specify which share I want to make available, similar to how it works on a NAS.

I thought that was the point of the field Preferences-->Interface-->Main interfaces-->Lua-->Source Directory, but it appears that is not the case (I wanted to change the DEFAULT directory offered when browsing the library through one of the many VLC remote control Android apps).

Being able to lock which directory is visible/browsable would be a great addition.

Furthermore, preventing the "browse" altogether and only allowing to play the media available in the playlist and library would be even simpler and better, IMO.

However, the reason why I was using the "browse" functionality is that I discovered a bug/annoyance:
- I have many video playlists (.m3u) for various folders for the kids (for example, Walt Disney, Bugs Bunny, Road Runner, etc.)
- Each playlist contains hundreds of individual clips/files
- ALL those playlists are stored in a SINGLE directory called Playlists
- If I add the Playlist FOLDER to the Media Library, then NOTHING is shown/available in the media library (i.e.: although that folder contains various playlists, those playlists do not show up in the library - it remains empty)
- If I manually add EACH playlist (not ideal, I would rather it monitored the directory), then the library correctly lists each playlist, and I can EXPAND each to see the files it contains. It works, but not as elegantly as I would like.

Re: http Web Interface-restrict 'Open File' to specific location

Posted: 07 Sep 2017 03:26
by chops88
I found another workaround that should be a little more secure, although it limits you to one directory.
https://forum.videolan.org/viewtopic.ph ... 85#p460385
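
The restriction requested in this thread (only named folders and file types reachable, no network shares), sketched as an added example; it is not VLC code and not from any poster. The helper names and the extension policy are assumptions made for illustration.

```python
# Added example: allow-list check for a requested file path or MRL.
# Helper names and ALLOWED_EXTS are hypothetical, not part of VLC.
import os
from urllib.parse import urlparse, unquote

ALLOWED_EXTS = {".mp4", ".mkv", ".mp3", ".m3u"}  # assumed policy, not VLC defaults


def _to_local_path(request):
    """Return a local path for a plain path or file:// MRL, else None."""
    if request.startswith(("\\\\", "//")):       # UNC share such as \\server\directory
        return None
    parsed = urlparse(request)
    if parsed.scheme == "file":
        if parsed.netloc not in ("", "localhost"):  # file://server/... is remote
            return None
        return unquote(parsed.path)
    if len(parsed.scheme) > 1:                   # smb://, ftp://, http:// (1 letter = drive)
        return None
    return request


def is_allowed(request, allowed_roots, allowed_exts=ALLOWED_EXTS):
    """True only if request is a permitted file type inside an allowed root."""
    path = _to_local_path(request)
    if path is None or "\x00" in path:
        return False
    # realpath resolves ".." and symlinks, so the check runs on the real target.
    real = os.path.realpath(path)
    if os.path.splitext(real)[1].lower() not in allowed_exts:
        return False
    for root in allowed_roots:
        real_root = os.path.realpath(root)
        try:
            # commonpath compares whole components, so "media2" never matches "media".
            if os.path.commonpath([real, real_root]) == real_root:
                return True
        except ValueError:                       # e.g. different drives on Windows
            continue
    return False
```

The check has to run on the server side for every browse and open request, since a restriction applied only in the browser dialog does nothing for a request that supplies the MRL directly.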