Open ichdasich opened 2 years ago
I am the product manager of BigBlueButton. Thanks for reporting this.
We'll take a closer look at this right away and ensure you have the logic to disable avatar URLs. We'll deal with Greenlight allowing the user to specify an Avatar in bigbluebutton/greenlight#2956.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
> and ensure you have the logic to disable avatar URLs

From what I can see, in BBB we added `virtualBackgroundsDisabled` in 2.4 and then in 2.5+ we replaced it with `disabledFeatures=virtualBackgrounds`
This is related to user avatar images, not virtual backgrounds.
Is this also related more to the front-end that is creating the API calls? The issue arose when GreenLight allowed users to enter arbitrary URLs for avatars, where it needs to let the user upload an avatar and give BigBlueButton its own GreenLight-specific URL (not a user supplied URL).
In other words, I think this was more a GreenLight issue than a BigBlueButton issue. Just as you upload slides to the front end and it, in turn, passes its own URL to BigBlueButton to load the slides, so should it be for the avatar.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
**Describe the bug** Joining with a set avatar reveals the IP addresses of all other users in a conference.
**To Reproduce** Steps to reproduce the behavior:
**Expected behavior** Upon join, BBB retrieves the image from the avatar URL, and re-hosts it.
**Actual behavior** Externally supplied content is directly handed to users, revealing their IP addresses.
**BBB version:** 2.3.15
**Additional context** I just rolled out 2.10.0.1, and first realized the tracking capabilities. I now ~rolled back to an earlier version of GL~ implemented a workaround, as setting `useDefaultAvatar=true` / `defaultAvatarURL` in `bbb-web.properties` did not prevent avatars from being set (related bug?). This is a relatively serious issue for BBB instances run in jurisdictions where the GDPR applies. Greenlight is similarly affected, even though on a smaller scope (people clicking on a join URL, see https://github.com/bigbluebutton/greenlight/issues/2956).
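Added example (not Greenlight's or BigBlueButton's own code) of the check the comments above and the expected-behavior section describe: before a front end passes an avatar URL to BigBlueButton, accept only URLs hosted by the instance itself and otherwise fall back to the default avatar, so other participants' browsers are never sent to a user-chosen host. The hostname and default avatar path are constructed placeholders.

```ruby
require "uri"

# Hosts allowed to serve avatar images to conference clients. In a real
# deployment this is the front end's own hostname(s); the value below is
# a constructed placeholder.
ALLOWED_AVATAR_HOSTS = ["greenlight.example"].freeze

# True only if +raw_url+ is an absolute http(s) URL whose host is one of
# ours. External hosts, non-http schemes, scheme-relative URLs, userinfo
# tricks ("ours@theirs") and bare IP literals are all rejected, so the
# URL handed to BigBlueButton never points other users at a third party.
def trusted_avatar_url?(raw_url, allowed_hosts = ALLOWED_AVATAR_HOSTS)
  return false if raw_url.nil? || raw_url.strip.empty?
  uri = URI.parse(raw_url.strip)
  return false unless uri.is_a?(URI::HTTP)          # URI::HTTPS < URI::HTTP
  return false if uri.host.nil? || !uri.userinfo.nil?
  return false if uri.host =~ /\A(\d+\.){3}\d+\z/    # IPv4 literal
  return false if uri.host.start_with?("[")          # IPv6 literal
  allowed_hosts.include?(uri.host.downcase)
rescue URI::InvalidURIError
  false
end

# Value to send as the avatar URL when creating the join request: the
# supplied URL if it is served by us, else the instance-wide default
# (placeholder path, standing in for a defaultAvatarURL-style setting).
def avatar_url_for_join(raw_url,
                        default_url = "https://greenlight.example/avatars/default.png")
  trusted_avatar_url?(raw_url) ? raw_url.strip : default_url
end
```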