| HN Mirror

Y	Hacker News new \| ask \| show \| jobs


	by random_human_ 58 days ago
	The absolute worst thing I can see in there is that an third party who somehow managed to get a link to one of your library items (either directly from you or from one of your users--or by spending the next decade bruteforcing it I guess) could stream said item: https://github.com/jellyfin/jellyfin/issues/5415#issuecommen... Everything else looks to me like unimportant issues, that would provide someone who's already logged in as a user minor details about your server.

1 comments

theshrike79 58 days ago

Nearly everyone uses the *arr stack with the Trash guides.

Which means that the paths are pretty damn uniform.

link

random_human_ 58 days ago

Unless I am misunderstanding the discussion on GitHub, the attacker would still need to know the exact path where the file is saved, and the name of the file itself. Even then, all they can do is download the file from your device--which they could just torrent themselves for a fraction of the effort.

link

theshrike79 57 days ago

A DDoS is still a valid attack.

Very few consumer connections can manage, say, 100 clients downloading a massive video file simultaneously.

link