Security implications
This application is insecure by design: there is only one set of credentials for XBMC's API, and the only way to authenticate from a media player (such as VLC) is by passing the credentials in the URL. You can avoid exposing the actual API and API credentials to your users by configuring a proxy location, but that exposes the XBMC virtual filesystem on an authentication-less URL. Thus, if you use a proxy location, you should specify a non-guessable one so that outsiders can't accidentally gain access to your media files.
Regardless of whether you use a reverse proxy, your smb:// login credentials will be visible in the URLs generated by the application. If this is a concern, you should consider mounting the network share in your OS instead of via XBMC.
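
The following is an added example, not part of the application's code: a Python sketch that generates a non-guessable proxy location and checks generated URLs for embedded credentials, including an smb:// URL percent-encoded inside the outer URL. The function names, sample URLs, hosts, passwords and path layout are constructed assumptions.

```python
import re
import secrets
from urllib.parse import unquote

# scheme://user:password@ is the form in which credentials end up in a URL.
USERINFO_RE = re.compile(r"([a-z][a-z0-9+.-]*)://([^/@:\s]+):([^/@\s]+)@", re.I)

# Constructed sample URLs: hosts, user names, passwords and paths are made up.
SAMPLES = [
    "http://xbmc:apipass@192.0.2.10:8080/vfs/%2Fmedia%2Fmovie.mkv",
    "https://example.org/proxyloc/smb%3A%2F%2Fnasuser%3Anaspass%40nas%2Fshare%2Fmovie.mkv",
    "https://example.org/proxyloc/%2Fmedia%2Fmovie.mkv",
]


def new_proxy_location(nbytes=16):
    """Return a random path segment (16 bytes = 128 bits) to use as proxy location."""
    return "/" + secrets.token_urlsafe(nbytes)


def find_embedded_credentials(url, max_depth=3):
    """Return (scheme, user) pairs for credentials embedded in url.

    A share URL nested inside the outer HTTP URL is percent-encoded, so the
    text is decoded repeatedly until it stops changing. Passwords are matched
    but never returned, so the result is safe to log.
    """
    found = []
    text = url
    for _ in range(max_depth + 1):
        for scheme, user, _password in USERINFO_RE.findall(text):
            pair = (scheme.lower(), user)
            if pair not in found:
                found.append(pair)
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return found


if __name__ == "__main__":
    print("proxy location:", new_proxy_location())
    for index, sample in enumerate(SAMPLES):
        print(index, find_embedded_credentials(sample) or "no credentials")
```

The second sample shows that a proxy location hides the API credentials but not the share login, which only appears once the URL is percent-decoded.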