Piwigo / piwigo-flutter-app

Piwigo mobile application for Android
GNU General Public License v2.0

Non Picture files ae mp4 #136

Open mfulz opened 1 year ago

mfulz commented 1 year ago

I want to reference this issue: https://github.com/Piwigo/Piwigo/issues/1765

It is impossible to download non-picture files in the mobile app without session protection, as the app just wants to access the direct path, which shouldn't be made public.

remi-martin commented 1 year ago

Hi, do you have VideoJS plugin installed in your Piwigo ?

mfulz commented 1 year ago

Hi, sorry for the late reply. Yes, I've installed that plugin. The problem is that the mobile app seems to ignore the session handling and wants to use only the direct link to the file over the HTTP server.

That would be a no-go, as it would completely disable the authorization handling by allowing the direct links in the HTTP server.

remi-martin commented 1 year ago

Not sure I understand your workarounds, I'm a rookie in server configurations. Are you saying that I'm not going for the right URL? Or is it more of a server-side issue?

mfulz commented 1 year ago

Ok, let me try to explain. This is how a download is done from the web interface: https://domain/action.php?id=27&part=e&download

This is what is called from the app: https://domain/upload/2022/10/22/20221022031035-670f3650.mp4

The issue with allowing the direct file path from the web server is that it would lead to bypassing the whole authentication / authorization, as anyone who knows the link (bruteforcing would be way too easy here) can access the files.

That leads to videos being not usable at all from the mobile app. The same problem occurs for the web application when trying to play a video, but at least it is working when downloading.

Let me know if you need more explanation

Edit: this is the part (at least for nginx) of the server configuration I'm talking about:

location ~ ^/(_data/logs|upload)/ { deny all; }
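
As an added example (not code from Piwigo or the Flutter app): a small Python checker that applies the nginx rule quoted above to the two URL forms in this comment, and optionally queries a live server to confirm that the direct path answers 403 while the action.php download still works with a session cookie. The cookie header value and the live server's behaviour are assumptions; the URLs are the ones quoted in the thread.

```python
"""Check which Piwigo URLs the nginx deny rule from the thread blocks.
Added example; not part of Piwigo or piwigo-flutter-app."""
import re
import urllib.error
import urllib.parse
import urllib.request

# The rule quoted in the thread: location ~ ^/(_data/logs|upload)/ { deny all; }
# nginx matches it against the decoded request path, without the query string.
DENY_RE = re.compile(r"^/(_data/logs|upload)/")


def nginx_denies(url: str) -> bool:
    """True if the deny rule would answer this URL with 403."""
    path = urllib.parse.unquote(urllib.parse.urlsplit(url).path)
    return DENY_RE.search(path) is not None


def uses_session_download(url: str) -> bool:
    """True if the URL goes through action.php with the download flag,
    i.e. the route the web UI takes, where the session is checked."""
    parts = urllib.parse.urlsplit(url)
    query = urllib.parse.parse_qs(parts.query, keep_blank_values=True)
    return parts.path.endswith("/action.php") and "download" in query and "id" in query


def classify(url: str) -> str:
    """Label a URL the app requests so a misconfigured client is easy to spot."""
    if nginx_denies(url):
        return "direct path (blocked by deny rule)"
    if uses_session_download(url):
        return "action.php download (session checked)"
    return "other"


def live_status(url: str, cookie: str = "") -> int:
    """HTTP status of a GET without reading the body. 'cookie' is the raw
    Cookie header value for a logged-in Piwigo session (assumption: reachable)."""
    req = urllib.request.Request(url)
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Constructed from the two URLs quoted in the thread.
    for u in ("https://domain/upload/2022/10/22/20221022031035-670f3650.mp4",
              "https://domain/action.php?id=27&part=e&download"):
        print(u, "->", classify(u))
```

Against a real server, `live_status` on the direct path should return 403 once the deny rule is active, and on the action.php URL 200 with a valid session cookie.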

remi-martin commented 1 year ago

Thanks, that helps

mfulz commented 1 year ago

Great let me know if I can help you in any way further :)

remi-martin commented 1 year ago

Hi, I saw there was an issue with downloading video files, making them unplayable. It is fixed, but I don't think it was related to this issue.