Unsecured Dev Endpoints #923
Sorry, I don't read the mails often enough.
…On Fri, 15 Mar 2024, 14:20 jkhsjdhjs, ***@***.***> wrote:
Some development endpoints don't require ROLE_ADMIN and may be accessed
by anyone:
- /dev/crash may be used to crash any publicly accessible nzbhydra2
instance,
- /dev/testAddToSonarr is probably less problematic, but it still
shouldn't be accessible without login.
https://github.com/theotherp/nzbhydra2/blob/master/core/src/main/java/org/nzbhydra/DevEndpoint.java
I wrote a mail regarding this issue at first, as it has some abuse
potential. However, I didn't receive a reply in 2 weeks, which is why I'm
creating this issue now.
Thanks for the report, I've added required admin access and additionally made the crash endpoint require a certain system property to be set.
theotherp added a commit that referenced this issue on Mar 18, 2024
Some development endpoints don't require ROLE_ADMIN and may be accessed by anyone:
- /dev/crash may be used to crash any publicly accessible nzbhydra2 instance,
- /dev/testAddToSonarr is probably less problematic, but it still shouldn't be accessible without login.

https://github.com/theotherp/nzbhydra2/blob/master/core/src/main/java/org/nzbhydra/DevEndpoint.java
I wrote a mail regarding this issue at first, as it has some abuse potential. However, I didn't receive a reply in 2 weeks, which is why I'm creating this issue now.
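
A regression check for the bug class reported in this issue, as an added example that is not part of the thread or the project's code: a heuristic scan of a Spring controller source for mapped handlers that carry no role annotation on the method or its class. It assumes Spring Security method annotations (`@Secured`, `@PreAuthorize`, `@RolesAllowed`) written one per line; the Java sample and the `/dev/hypotheticalGuarded` path are constructed.

```python
import re

MAPPING = re.compile(r'@(?:Request|Get|Post|Put|Delete|Patch)Mapping\b(.*)')
GUARD = re.compile(r'@(?:Secured|PreAuthorize|RolesAllowed)\b')
PATH = re.compile(r'"(/[^"]*)"')
CLASS_DECL = re.compile(r'\bclass\s+\w+')
METHOD_DECL = re.compile(r'\b(?:public|protected|private)\b[^;=]*\(')

def unguarded_handlers(java_source):
    """Return (line, path) for mapped handlers with no role annotation on
    the method or its class. Heuristic: one annotation per line."""
    findings, pending, class_guarded = [], [], False
    for lineno, raw in enumerate(java_source.splitlines(), 1):
        line = raw.strip()
        if line.startswith('@'):
            pending.append(line)      # annotations stack up until a declaration
            continue
        if not line:
            continue
        guarded = any(GUARD.match(a) for a in pending)
        if CLASS_DECL.search(line):
            class_guarded = guarded   # a class-level guard covers every handler
        elif METHOD_DECL.search(line):
            mapping = next((m for m in map(MAPPING.match, pending) if m), None)
            if mapping and not (guarded or class_guarded):
                path = PATH.search(mapping.group(1))
                findings.append((lineno, path.group(1) if path else '?'))
        pending = []                  # any declaration or statement clears the stack
    return findings

# Constructed sample (not the project's DevEndpoint.java): the two paths named
# in the report are unguarded, a hypothetical third one is guarded.
BEFORE = '''
@RestController
public class DevEndpointSample {
    @RequestMapping(value = "/dev/crash", method = RequestMethod.GET)
    public String crash() { return "ok"; }
    @RequestMapping(value = "/dev/testAddToSonarr", method = RequestMethod.GET)
    public String testAddToSonarr() { return "ok"; }
    @Secured({"ROLE_ADMIN"})
    @GetMapping("/dev/hypotheticalGuarded")
    public String guarded() { return "ok"; }
}
'''
# Same sample with the role moved to class level, which covers all handlers.
AFTER = BEFORE.replace('@RestController', '@RestController\n@Secured({"ROLE_ADMIN"})')

if __name__ == '__main__':
    for lineno, path in unguarded_handlers(BEFORE):
        print(f'line {lineno}: {path} has no role annotation')
```

Run in CI against controller sources, a non-empty result fails the build before an unauthenticated handler ships; it does not cover the system-property gate mentioned in the fix.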