I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet

Scary le Poo@beehaw.org · 2 days ago

I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet

i_am_not_a_robot@discuss.tchncs.de · 1 day ago

It’s not that challenging if you are looking for specific media files, but if you wanted to enumerate the files on a server it’s basically impossible.

Saik0@lemmy.saik0.com · 21 hours ago

but if you wanted to enumerate the files on a server it’s basically impossible.

Well lets say your a big movie studio… In the past 10 years you’ve released 40-50 movies. You pay some lawfirm to go out and find illegal copies of your movies.

Those 40-50 movies * 1000 or 10000 common paths/names makes you a nice table of likely candidates. Prehash that table in MD5. It doesn’t take all that much effort to “enumerate” all the movies that your studio cares about. 50000 http requests is childs play and you can scan a public server within minutes for your list.

Fully bruteforcing the thing… yeah that’s ridiculous. But I don’t think that people are naming bigbucksbunny.mkv as Rp23GXTHp4GN7P6j86HjRdxtfSKKAArj.mkv. So it’s not like we’re looking for “random” or “all” files anyway.

I don’t think anyone was ever saying that the risk here is full enumeration. Though it is technically possible with sufficient time… just will take a lot of time.

i_am_not_a_robot@discuss.tchncs.de · 15 hours ago

That is possible, but I don’t think you need to worry about that. Having a copy of a movie is not normally itself a crime.

Saik0@lemmy.saik0.com · 11 hours ago

Having it publicly accessible on a web server is distribution. And that normally IS a crime unless you have some licenses to do so.

I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet

I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet

Collection of potential security issues in Jellyfin · Issue #5415 · jellyfin/jellyfin