Besides that, security by obscurity is the worst possible form and barely qualifies as security at all.
In fact, security by obscurity is not security at all. In this case it should be authenticated or, at the very least, actually use a random string like a UUID. But changing the root path does prevent it from being exploited. Not perfect, but a temporary solution.
It’s also another place where the Jellyfin devs leave their users to their own devices when it comes to securing the server against malicious actors.
Another place? What else? You mean setting up your own server? That is in fact your responsibility.
ChairmanMeow@programming.dev 6 months ago
The Jellyfin devs have quite clearly outlined some of the issues in the setup guides, and others are detailed in issues on GitHub. They do work on it, but most bad code was inherited and they have limited time on their hands to fix it, preferably in a way that doesn’t instantly mess up everyone’s setups.
AmbiguousProps@lemmy.today 6 months ago
They could put a banner in the network settings warning users about these security issues while they get them fixed; that doesn’t require fixing any inherited code. In the GitHub issue linked, there’s at least one upset user because they had no idea this was even a problem.