[mythtv-users] No upcoming recordings just spurious Never Record?

[Michael T. Dean]

On 04/07/2015 12:00 PM, Karl Newman wrote:
> On Tue, Apr 7, 2015 at 8:04 AM, Michael T. Dean wrote:
>> And, if anyone wants to look at the MythWeb code to see why it failed to
>> detect the bot, here's the commit that added that code (meaning a good
>> start to finding the specific code to review):
>>
>> https://github.com/MythTV/mythweb/commit/9633dbbe
>>
>> So, is it just me (and my total lack of PHP skillz) or does it seem the
>> haystack and needle might be transposed in lockdown.php? If so, that would
>> explain why TTBOMK the lockdown has never actually triggered since it was
>> added (as I'm nearly positive that once it does so, we'll get messages from
>> users asking why they're locked out of MythWeb--as few are likely to look
>> in the MythWeb README when in a panic--and I've never yet seen a question
>> about "resetting" the lockdown since the feature was added in Jun 2008).
>>
>> Anyway, perhaps with the code reference, someone can find the haystack in
>> the needle.
> Yep, that looks like you found it. I've explored the mythweb codebase a bit
> and I wasn't even aware of that function/ability. Since the trigger
> conditions were wrong it was apparently never tested, so proceed with
> caution if you want to enable it.

It's always enabled--just won't ever trigger unless the UA is just plain 
"bot" or similar, which probably would never happen in the real world.  
That said, it could be used as a DoS attack (or would it be a "DoS 
favor", since it would be protecting an unprotected MythWeb from someone 
who wanted to do worse--like mark every upcoming recording to Never 
Record or like deleting every recording and/or rule or ...).

The only way the feature is disabled is if you explicitly set an Apache 
environment variable to disable it (and, TTBOMK, no distro does that, 
and I'm guessing users haven't done that for themselves).

Mike