jellyfin / jellyfin-plugin-opensubtitles

https://jellyfin.org
GNU General Public License v3.0

Url contains username and password in plain text #52

Open savornicesei opened 3 years ago

savornicesei commented 3 years ago

Hi all,

When entering OpenSubtitles credentials in Jellyfin, it redirects to

http://localhost:8096/web/index.html?username=<my_username>&password=<my_password>#!/configurationpage?name=Open%20Subtitles?username=<my_username>&password=<my_password>

where my_username and my_password are my credentials for OpenSubtitles.org, in plain text.

It seems they're kept in the url even if I leave the plugin page: [screenshot attachment]

For security reasons they should not be passed in plain text and in the query string.

Thank you.
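An added example (not part of this issue or of the jellyfin-plugin-opensubtitles code): a small Node.js helper that flags and redacts credential-bearing parameters in a URL shaped like the one reported above, including the query nested inside the `#!/configurationpage?...` fragment, so that proxy logs, access logs and bug-report screenshots do not carry the plaintext values. The list of sensitive parameter names and the sample URL with placeholder credentials are assumptions.

```javascript
// Added example, not from the plugin: find and redact credential parameters
// in a URL like the one in the report. Credentials appear both in the real
// query string and again inside the "#!/..." SPA route, where a second "?"
// nests another query inside the "name=" parameter.

// Parameter names treated as sensitive (assumed list, extend as needed).
const SENSITIVE_KEYS = new Set(["username", "password", "passwd", "token", "api_key"]);

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (_) { return s; }
}

function isSensitive(key) {
  return SENSITIVE_KEYS.has(safeDecode(key).toLowerCase());
}

// Returns [{ key, location }] for every sensitive parameter found.
// "query": sent to the server and typically written to proxy/server logs.
// "fragment": not sent to the server, but kept in browser history and
// readable by any script running on the page.
function findLeakedCredentials(rawUrl) {
  const url = new URL(rawUrl);
  const found = [];
  for (const [key] of url.searchParams) {
    if (isSensitive(key)) found.push({ key, location: "query" });
  }
  const hash = url.hash.replace(/^#/, "");
  const q = hash.indexOf("?");
  if (q !== -1) {
    // Treat a nested "?" like "&": "...?name=X?username=u&password=p".
    for (const pair of hash.slice(q + 1).split(/[?&]/)) {
      if (isSensitive(pair.split("=")[0])) {
        found.push({ key: pair.split("=")[0], location: "fragment" });
      }
    }
  }
  return found;
}

// Returns a copy of the URL with sensitive values replaced and everything
// else untouched, so the redacted string is still useful for debugging.
function redactUrl(rawUrl) {
  return rawUrl.replace(/([?&])([^=&?#]+)=([^&?#]*)/g, (m, sep, key) =>
    isSensitive(key) ? `${sep}${key}=[REDACTED]` : m);
}

// Constructed sample mirroring the reported URL with placeholder credentials.
const SAMPLE_URL = "http://localhost:8096/web/index.html?username=alice&password=s3cret" +
  "#!/configurationpage?name=Open%20Subtitles?username=alice&password=s3cret";

console.log(findLeakedCredentials(SAMPLE_URL), redactUrl(SAMPLE_URL));
```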

uranderu commented 3 years ago

I agree this maybe isn't the most clever design. However, there is a quick fix for this, enabling HTTPS :)

savornicesei commented 3 years ago

That is not a fix 😄

cvium commented 3 years ago

Putting the password in the request body instead does not exactly stop sniffing attempts. Use HTTPS.