Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't count range download in download limit #35324

Closed
wants to merge 3 commits into from
Closed

Don't count range download in download limit #35324

wants to merge 3 commits into from

Conversation

CarlSchwan
Copy link
Member

I tried to still count the first or the last range but this is not really reliable since we send two range 0- at the beginning (one for the preview and one for the video) and the last range xxxxxxxxx- is also called multiple times

@CarlSchwan CarlSchwan added the 3. to review Waiting for reviews label Nov 22, 2022
@CarlSchwan CarlSchwan self-assigned this Nov 22, 2022
@szaimen
Copy link
Contributor

szaimen commented Nov 22, 2022

The fix looks good to me in general. I wonder if we should revert #28227 now that this is fixed?

@nickvergessen nickvergessen removed their request for review November 22, 2022 10:28
@szaimen
Copy link
Contributor

szaimen commented Nov 22, 2022

@nickvergessen I think it would be good if you would also add your concerns on that PR :)

@nickvergessen
Copy link
Member

Yeah, I have nothing to say to this. This allows to trick out the download limit completely by just always downloading with range 0-. Even for text files, documents, images, etc. not only streamed items. Maybe it can be limited to that kind of resources?

@nickvergessen nickvergessen added this to the Nextcloud 26 milestone Nov 22, 2022
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 22, 2022
View reviewed changes
apps/files_sharing/lib/Controller/ShareController.php
$this->emitShareAccessEvent($share, self::SHARE_DOWNLOAD);

// Ensure download limit is counted unless we are streaming a video or audio file
if (!isset($_SERVER['HTTP_RANGE']) || !$isVideoAudio) {

Check failure

Code scanning / Psalm

RedundantCondition Error

Operand of type true is always truthy
@skjnldsv
Copy link
Member

skjnldsv commented Nov 22, 2022
edited
Loading

Yeah, I have nothing to say to this. This allows to trick out the download limit completely by just always downloading with range 0-. Even for text files, documents, images, etc. not only streamed items. Maybe it can be limited to that kind of resources?

@PVince81 since we talked about it this morning.
I think it's ok to not bind this to videos only. What about audio/* ? When does it stop? 🙈

The download limit by itself is not a perfect science and we made sure to communicate that. Anyone with decent skills can counter this and download the file then distribute it outside. Even with or without range protection. 🤷

@PVince81
Copy link
Member

I think it's ok if we limit it to anything that can be streamed in the browser.
Might not be open ended to streamed assets we don't know about yet, but should be ok for now I guess to say only audio or video.

@PVince81
Copy link
Member

also ok to not limit it with mime types

also note: a similar topic for viewer apps: nextcloud/files_pdfviewer#654 (comment)

skjnldsv
skjnldsv reviewed Nov 22, 2022
View reviewed changes
apps/files_sharing/lib/Controller/ShareController.php
// Single file download
$this->singleFileDownloaded($share, $share->getNode());
$this->singleFileDownloaded($share, $node);
$isVideoAutio = str_starts_with($node->getMimeType(), 'video/') || str_starts_with($node->getMimeType(), 'audio/');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
$isVideoAutio = str_starts_with($node->getMimeType(), 'video/') || str_starts_with($node->getMimeType(), 'audio/');
$isVideoAudio = str_starts_with($node->getMimeType(), 'video/') || str_starts_with($node->getMimeType(), 'audio/');

skjnldsv
skjnldsv reviewed Nov 22, 2022
View reviewed changes
apps/files_sharing/lib/Controller/ShareController.php
// Single file download
$this->singleFileDownloaded($share, $share->getNode());
$this->singleFileDownloaded($share, $node);
$isVideoAutio = str_starts_with($node->getMimeType(), 'video/') || str_starts_with($node->getMimeType(), 'audio/');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
$isVideoAutio = str_starts_with($node->getMimeType(), 'video/') || str_starts_with($node->getMimeType(), 'audio/');
$isVideoAudio = str_starts_with($node->getMimeType(), 'video/') || str_starts_with($node->getMimeType(), 'audio/');

szaimen
szaimen requested changes Nov 22, 2022
View reviewed changes
Copy link
Contributor

@szaimen szaimen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I need an answer on this:
#35324 (comment)

@skjnldsv
Copy link
Member

The fix looks good to me in general. I wonder if we should revert #28227 now that this is fixed?

Might be a good idea yes

@nickvergessen
Copy link
Member

Why that? The activity spam would just come back?
Also with the change in this PR we can't move the activity app over, as it would not create an event anymore when the viewer is used to look at it.

#28227 was only for activities, not for the download limit counter.

@PVince81
Copy link
Member

if possible, let's see if switching to a header "X-NC-Viewer" would work there and have the download limit app ignore such requests: nextcloud/files_pdfviewer#654 (comment)

@blizzz blizzz mentioned this pull request Feb 1, 2023
Merged
@skjnldsv skjnldsv mentioned this pull request Feb 23, 2023
Merged
@blizzz blizzz mentioned this pull request Mar 7, 2023
Merged
@blizzz blizzz modified the milestones: Nextcloud 26, Nextcloud 27 Mar 9, 2023
This was referenced May 3, 2023
Merged
Closed
Merged
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 27, 2024
View reviewed changes
apps/files_sharing/lib/Controller/ShareController.php
$this->emitShareAccessEvent($share, self::SHARE_DOWNLOAD);

// Ensure download limit is counted unless we are streaming a video or audio file
if (!isset($_SERVER['HTTP_RANGE']) || !$isVideoAudio) {

Check failure

Code scanning / Psalm

RedundantCondition Error

Type false for $isVideoAudio is always falsy
This was referenced Mar 12, 2024
Merged
Merged
Merged
This was referenced Mar 20, 2024
Merged
Merged
@skjnldsv skjnldsv mentioned this pull request Mar 28, 2024
Merged
81 tasks
@skjnldsv skjnldsv modified the milestones: Nextcloud 29, Nextcloud 30 Mar 28, 2024
@skjnldsv skjnldsv added 2. developing Work in progress stale Ticket or PR with no recent activity and removed 3. to review Waiting for reviews labels Jul 27, 2024
This was referenced Jul 30, 2024
Merged
Merged
@CarlSchwan @AndyScherzinger
Don't count range download in download limit
9dcf900 
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
@CarlSchwan @AndyScherzinger
Ensure download is counted for non video files
4f84b32 
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
@CarlSchwan @AndyScherzinger
Also take in count audio files
3cbfab6 
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
@skjnldsv skjnldsv closed this Aug 3, 2024
@skjnldsv skjnldsv reopened this Aug 4, 2024
@skjnldsv skjnldsv assigned skjnldsv and unassigned CarlSchwan Aug 4, 2024
@Altahrim Altahrim mentioned this pull request Aug 5, 2024
Merged
@skjnldsv skjnldsv removed the stale Ticket or PR with no recent activity label Aug 6, 2024
@skjnldsv skjnldsv modified the milestones: Nextcloud 30, Nextcloud 31 Aug 6, 2024
@skjnldsv skjnldsv closed this Aug 14, 2024
@skjnldsv skjnldsv removed this from the Nextcloud 31 milestone Aug 14, 2024
@szaimen szaimen deleted the fix/download-limit-streaming branch August 14, 2024 11:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@skjnldsv skjnldsv skjnldsv requested changes

@szaimen szaimen szaimen requested changes

@PVince81 PVince81 Awaiting requested review from PVince81

Assignees

@skjnldsv skjnldsv

Labels
2. developing Work in progress
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@CarlSchwan @szaimen @nickvergessen @skjnldsv @PVince81 @blizzz