File download | Access forbidden

[Fourdee]

Hi,

We are in the process of adding O!MPD to DietPi-Software catalog. We have the following outstanding issues:

• File download | Access forbidden
• Stream | downloads playlist file, but fails to stream.

Here are my notes: https://github.com/Fourdee/DietPi/issues/720#issuecomment-274272583

If you need anything else, please let me know.

Thanks in advanced.

[othmar52]

For some of O!MPD's features the webserver user apache or nginx needs access to the music files and directories. Theoretically there is no need for this file access when limiting functionality to the MPD protocol. But unfortunately MPD does not provide enough data (like artworks) to have a fancy frontend like O!MPD

@ArturSierzant consider to add this information (webserver user needs access to music files) to the system requirements

[Fourdee]

@othmar52

For some of O!MPD's features the webserver user apache or nginx needs access to the music files and directories.

Thanks 👍.

However, still experiencing access forbidden on download, after granting www-data access to absolute music filepath.

Web/PHP user:

root@DietPi:~# ps aux | grep [l]ighttpd
www-data 13368  0.1  0.1   8616  2884 ?        Ss   17:05   0:00 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf

---

Permissions test:

root@DietPi:~# chown -R www-data:www-data /mnt/dietpi_userdata/Music

root@DietPi:~# ls -lha /mnt/dietpi_userdata/Music
total 1.3M
drwxrwxr-x 3 www-data www-data 4.0K Jan 21 14:45 .
drwxrwxr-x 8 root     root     4.0K Jan 21 14:17 ..
-rwxrwxr-x 1 www-data www-data  126 Jan 21 13:59 Absolute-Radio-00s.pls
-rwxrwxr-x 1 www-data www-data  120 Jan 21 13:59 Absolute-Radio-80s.pls
-rwxrwxr-x 1 www-data www-data  126 Jan 21 13:59 Absolute-Radio-90s.pls
-rwxrwxr-x 1 www-data www-data  140 Jan 21 13:59 Absolute-Radio.pls
-rwxrwxr-x 1 www-data www-data 1.3M Nov 30  2015 fourdee_tech.ogg
drwxrwxr-x 2 www-data www-data 4.0K Jan 21 14:46 Killer Instinct OST

Still access forbidden

---

root@DietPi:~# chmod 777 -R /mnt/dietpi_userdata/Music

root@DietPi:~# ls -lha /mnt/dietpi_userdata/Music
total 1.3M
drwxrwxrwx 3 www-data www-data 4.0K Jan 21 14:45 .
drwxrwxr-x 8 root     root     4.0K Jan 21 14:17 ..
-rwxrwxrwx 1 www-data www-data  126 Jan 21 13:59 Absolute-Radio-00s.pls
-rwxrwxrwx 1 www-data www-data  120 Jan 21 13:59 Absolute-Radio-80s.pls
-rwxrwxrwx 1 www-data www-data  126 Jan 21 13:59 Absolute-Radio-90s.pls
-rwxrwxrwx 1 www-data www-data  140 Jan 21 13:59 Absolute-Radio.pls
-rwxrwxrwx 1 www-data www-data 1.3M Nov 30  2015 fourdee_tech.ogg
drwxrwxrwx 2 www-data www-data 4.0K Jan 21 14:46 Killer Instinct OST

Still access forbidden

---

[othmar52]

is this access forbidden a default error page from your webserver software?

what does the URL looks like you are trying to access?

did you try the same with O!MPD's admin user?

[Fourdee]

@othmar52

Get same results (and message) with:

• Lighttpd
• Nginx
• Apache2

URL: http://192.168.0.112/ompd/message.php?message=%5Bb%5DAccess%20forbidden%5B%2Fb%5D&type=error&menu=media&skin=ompd_default&username=&sign=&timestamp=588a2f24

I believe this is the error received: https://github.com/ArturSierzant/OMPD/blob/master/download.php#L40-L47

• 🈯️ Disabling the following in https://github.com/ArturSierzant/OMPD/blob/master/download.php#L43-L46 resolves the issue and allows download:

  //      if ($pos === false ) {
  //              message(__FILE__, __LINE__, 'error', '[b]Access forbidden[/b]');
  //      exit();
  //      }

[othmar52]

@Fourdee can you insert some lines for debugging purposes:

//after this existing line
$pos = strpos($filepath,$cfg['media_dir']);

// temporary debug output
var_dump($pos);
var_dump($filepath);
var_dump($cfg['media_dir']);
exit;

and post the output?

[Fourdee]

@othmar52

bool(false) NULL string(27) "/mnt/dietpi_userdata/Music/"

config:

root@DietPi:~# cat /var/www/ompd/include/config.inc.php | grep media_dir
$cfg['media_dir']                 = '/mnt/dietpi_userdata/Music/';
$cfg['ignore_media_dir_access_error']   = false;

---

Edit:

Also tried with:

#/var/www/ompd/include/config.inc.php
$cfg['ignore_media_dir_access_error']   = true;

Still forbidden.

[othmar52]

@Fourdee Unfortunately the URL you provided is a standard redirect with error message with no information about the inital URL.

Having this debug output active, you shouldn't get redirected and hopefully you can find the relevant URL in the address bar of your browser.

Please can you provide the URL again?

[Fourdee]

url = http://192.168.0.112/ompd/download.php?action=downloadTrack&track_id=fbyn0jxcdz_2aae4a00&download_id=-1

PHP Version 5.6.29-0+deb8u1

[othmar52]

@Fourdee Thanks for providing that much useful information to identify the problem.

@ArturSierzant Your access check is not compatible to most of the generated URL's to download.php because of the lack of this parameter: ?filename=

As you prefer to not generate those href attributes via reusable template snippets you have to fix this in multiple places of O!MPD's code. A recursive grep may give you all occurences where you have to fix this grep -R download.php .

[ArturSierzant]

I've corrected this problem in commit 174740b. @Fourdee please check it. @othmar52 thanks for investigation and hints.

[Fourdee]

@ArturSierzant

Downloading now functional, many thanks for this fix 👍

Tested streaming aswell, all working.