Project

General

Profile

Bug #1565

/imagecache requires authentication but pvr.hts client doesn't send auth

Added by Andy Brown almost 10 years ago. Updated almost 10 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
User Interface
Target version:
-
Start date:
2013-01-22
Due date:
% Done:

0%

Estimated time:
Found in version:
3.3.398~g39a2272
Affected Versions:

Description

Unsure if this is really aimed at pvr.hts rather than TVH.
This was changed during commit ef43010617d584c7222324501ad0202d2d068255 which changed:
http_path_add("/imagecache", NULL, page_imagecache, ACCESS_ANONYMOUS);
to
http_path_add("/imagecache", NULL, page_imagecache, ACCESS_WEB_INTERFACE);

https://github.com/tvheadend/tvheadend/commit/ef43010617d584c7222324501ad0202d2d068255

The problem being that the pvr.hts (currently using opdenkamp's git version) doesn't pass authentication over the GetWebURL request (Line 868 on HTSPData.cpp) so TVH always returns with a 401 denied.

I'd guess correct solution will be to modify the pvr.hts to send authentication rather than swap TVH back to permit anonymous on imagecache?

Just after a pointer here as to correct operation.

History

#1

Updated by Adam Sutton almost 10 years ago

  • Status changed from New to Rejected

That would be a bug in pvr.hts and I don't see it myself. I have authenticated imagecache access on my own machine and it works fine.

Adam

#2

Updated by Andy Brown almost 10 years ago

It's back!
I've forced my pvr.hts to latest (as discussed on irc today), and now in my TV DB in xbmc I have:

INSERT INTO "channels" VALUES;
INSERT INTO "channels" VALUES;

But no icons, so I checked and its still giving a 401 for some reason, I tried manually using wget:

wget http://user:[email protected]:9981/imagecache/6
--2013-01-25 19:03:00-- http://user:*password*@192.168.55.3:9981/imagecache/6
Connecting to 192.168.55.3:9981... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Reusing existing connection to 192.168.55.3:9981.
HTTP request sent, awaiting response... 401 Unauthorized
Authorisation failed.

And in TVH logs:

Jan 25 19:01:25 [ERROR]:HTTP: 192.168.55.3: /imagecache/6 -- 401
Jan 25 19:01:25 [ERROR]:HTTP: 192.168.55.3: /imagecache/6 -- 401

So looks like for some reason its not liking the authentication. Can you retry on your system and see if you can duplicate?

Am going to try a few tweaks and see if I can isolate the issue also.

#3

Updated by Adam Sutton almost 10 years ago

Andy,

Do you know if this is for specific entries or just some? I've had a quick go on my machine with a random selection and it works.

Also can you try accessing those in a webbrowser and see what happens?

Do you have any symbols in your passwords (mine are VERY simplistic as I have never required anything secure), could be a problem with not properly encoding for URLs?

Adam

#4

Updated by Andy Brown almost 10 years ago

Ta for replying, happy to take offline if you prefer btw.

It's now for all entries, I cleared out the entire DB, so it repopulated with the user/pass pairs in the DB so at least that bit worked.

If I try in a browser it keeps prompting for the password, suggesting its not accepting the password for some reason.
BUT, If I then put in the superuser username/password the image loads.

So I've started looking into my users, two users for xbmc are defined (Passwords are plain too, literally just 5 characters username+5 chars password, nothing secure as its all on my lan).

The two user/pass files are:

cat .hts/tvheadend/accesscontrol/1
{
    "enabled": 1,
    "username": "xbmc",
    "password": "xxx",
    "comment": "New entry",
    "prefix": "0.0.0.0/0",
    "streaming": 1,
    "dvr": 1,
    "webui": 1,
    "admin": 1,
    "id": "1" 
}
cat .hts/tvheadend/accesscontrol/6
{
    "enabled": 1,
    "username": "xbmc2",
    "password": "xxx",
    "comment": "New entry",
    "prefix": "0.0.0.0/0",
    "streaming": 1,
    "dvr": 1,
    "dvrallcfg": 1,
    "webui": 1,
    "admin": 1,
    "id": "6" 
}

So from the above, xbmc2 does not work, xbmc does work. Any ideas how to debug as there must be something underlying buggy somewhere in auth method, possibly because two usernames very similar?

Any ideas!

#5

Updated by Adam Sutton almost 10 years ago

Actually that reminds of something someone mentioned about usernames, but I can't remember who and exactly in what context. Yeah not very enlightening!

#6

Updated by Adam Sutton almost 10 years ago

Well I tried that, my usernames were xbmc and xbmc2 with password = username + "test". I was able to successfully log into the UI as both users.

There are some odd things about the way the browsers send auth, so you might have to close the browser and re-open when you try switching accounts.

#7

Updated by Adam Sutton almost 10 years ago

Ah, and another things, those 401 errors are fairly normal, they will happen before each valid request because the way HTTP libs work is they request the URL, get a 401 error (with some details about the required auth) and then based on the response (if they have auth) can then make an authenticated request. So don't be fooled by the presence of 401 errors.

I've just double checked by doing wget requests for an imagecache URL using both usernames, no issue.

Adam

#8

Updated by Andy Brown almost 10 years ago

Hm very strange. Yes I was closing browsers between sessions to make sure I wasn't getting cached auth getting passed over, and I noticed the 401 initially on first hit, I then got a second 401 after adding my auth details so there does appear to be something causing the auth to fail on the tvh side.
(I've lost all my icons in xbmc now, so the db has fully updated to the correct ones with auth, and all are getting 401's now, but think we can eliminate the xbmc side now as I can reproduce with browser and/or wget too)

I'll put a bit of debugging on here and try it out, see if I can isolate what's going on with the auth mechanism.

#9

Updated by Andy Brown almost 10 years ago

Oh actually, I've just spotted something here, it might be even worse than we first thought! I suspect the HTSP isn't checking auth properly in some cases and just letting in valid usernames without password checking!

In my DB in xbmc I'm getting:

INSERT INTO "channels" VALUES(3,197,0,0,0,0,'http://xbmc2::9981/imagecache/59','BBC One HD',0,1,'client',0,1,101,'','',0,3);
INSERT INTO "channels" VALUES(4,580,0,0,0,0,'http://xbmc2::9981/imagecache/26','BBC Two England',0,1,'client',0,1,102,'','',0,4);

Notice how its username of xbmc2 and password of xbmc? So I checked in the pvr.hts config file that it matched:
<setting id="pass" value="xbmc" />
<setting id="user" value="xbmc2" />

So far so good, then I checked the access file in tvh:

{
"enabled": 1,
"username": "xbmc2",
"password": "xbmc2",
"comment": "New entry",
"prefix": "0.0.0.0/0",
"streaming": 1,
"dvr": 1,
"dvrallcfg": 1,
"webui": 1,
"admin": 1,
"id": "6"
}
Umm, so the pass should be 'xbmc2', but yet I'm sat watching the tv in xbmc thats sending 'xbmc' as the password!

But I also have a user:

{
"enabled": 1,
"username": "xbmc",
"password": "xbmc",
"comment": "New entry",
"prefix": "0.0.0.0/0",
"streaming": 1,
"dvr": 1,
"webui": 1,
"admin": 1,
"id": "1"
}

So I'm wondering, is TVH just simply checking for any valid username. Then any valid password, i.e. not checking the combination/pair just merely if it has a valid username and valid password somewhere?

#10

Updated by Adam Sutton almost 10 years ago

Hmmm,

You might not be entirely wrong, just investigating.

Adam

Also available in: Atom PDF