[mythtv-users] No upcoming recordings just spurious Never Record?
Michael T. Dean
mtdean at thirdcontact.com
Tue Apr 7 16:54:39 UTC 2015
On 04/07/2015 12:49 PM, Michael T. Dean wrote:
> On 04/07/2015 12:00 PM, Karl Newman wrote:
>> On Tue, Apr 7, 2015 at 8:04 AM, Michael T. Dean wrote:
>>> And, if anyone wants to look at the MythWeb code to see why it failed
>>> to detect the bot, here's the commit that added that code (meaning a
>>> good start to finding the specific code to review):
>>>
>>> https://github.com/MythTV/mythweb/commit/9633dbbe
>>>
>>> So, is it just me (and my total lack of PHP skillz) or does it seem the
>>> haystack and needle might be transposed in lockdown.php? If so, that
>>> would explain why TTBOMK the lockdown has never actually triggered
>>> since it was added (as I'm nearly positive that once it does so, we'll
>>> get messages from users asking why they're locked out of MythWeb--as
>>> few are likely to look in the MythWeb README when in a panic--and I've
>>> never yet seen a question about "resetting" the lockdown since the
>>> feature was added in Jun 2008).
>>>
>>> Anyway, perhaps with the code reference, someone can find the haystack
>>> in the needle.
>> Yep, that looks like you found it. I've explored the mythweb codebase a
>> bit and I wasn't even aware of that function/ability. Since the trigger
>> conditions were wrong it was apparently never tested, so proceed with
>> caution if you want to enable it.
>
> It's always enabled--just won't ever trigger unless the UA is just
> plain "bot" or similar, which probably would never happen in the real
> world. That said, it could be used as a DoS attack (or would it be a
> "DoS favor", since it would be protecting an unprotected MythWeb from
> someone who wanted to do worse--like mark every upcoming recording to
> Never Record or like deleting every recording and/or rule or ...).
>
> The only way the feature is disabled is if you explicitly set an
> Apache environment variable to disable it (and, TTBOMK, no distro does
> that, and I'm guessing users haven't done that for themselves).
Oh, and FWIW, the functionality was tested--just not against a
real-world bot. I'm guessing that when he tested it, Rob just used a UA
of "bot"--which did match and proved the functionality (just not the
detection)--instead of using a full UA, like:
Mozilla/5.0(compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)
Mike
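
Added example, not part of the original message and not MythWeb's code: the transposed haystack/needle check discussed in this thread, next to the intended argument order, run against both a bare "bot" UA and the full MJ12bot UA quoted above. It assumes a stripos()-style substring check (the actual lockdown.php code is not shown here); the function names and the Firefox UA are constructed for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not MythWeb's.
// PHP signature: stripos(string $haystack, string $needle): int|false

// Transposed arguments: looks for the whole User-Agent inside 'bot',
// so it can only match when the UA is itself a piece of 'bot'.
function is_bot_transposed(string $ua): bool
{
    return stripos('bot', $ua) !== false;
}

// Intended order: looks for the token 'bot' inside the User-Agent.
function is_bot_intended(string $ua): bool
{
    return stripos($ua, 'bot') !== false;
}

// Constructed cases: User-Agent => should it be flagged as a bot?
$cases = [
    'bot' => true,   // bare token, the kind of UA a quick manual test would use
    'Mozilla/5.0(compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)' => true,
    'Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0' => false,
];

$missed = ['transposed' => 0, 'intended' => 0];
foreach ($cases as $ua => $expected) {
    $got = [
        'transposed' => is_bot_transposed($ua),
        'intended'   => is_bot_intended($ua),
    ];
    foreach ($got as $name => $verdict) {
        if ($verdict !== $expected) {
            $missed[$name]++;
        }
    }
    printf("%-28.28s transposed=%-5s intended=%-5s\n",
        $ua, var_export($got['transposed'], true), var_export($got['intended'], true));
}

// Summary per detector; a non-zero exit means the intended form regressed.
printf("wrong verdicts: transposed=%d intended=%d\n",
    $missed['transposed'], $missed['intended']);
exit($missed['intended'] === 0 ? 0 : 1);
```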