Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Don't count range download in download limit #35324

Closed
wants to merge 3 commits into from

Conversation

CarlSchwan
Copy link
Member

I tried to still count the first or the last range but this is not really reliable since we send two range 0- at the beginning (one for the preview and one for the video) and the last range xxxxxxxxx- is also called multiple times

@CarlSchwan CarlSchwan added the 3. to review Waiting for reviews label Nov 22, 2022
@CarlSchwan CarlSchwan self-assigned this Nov 22, 2022
@szaimen
Copy link
Contributor

szaimen commented Nov 22, 2022

The fix looks good to me in general. I wonder if we should revert #28227 now that this is fixed?

@nickvergessen nickvergessen removed their request for review November 22, 2022 10:28
@szaimen
Copy link
Contributor

szaimen commented Nov 22, 2022

@nickvergessen I think it would be good if you would also add your concerns on that PR :)

@nickvergessen
Copy link
Member

Yeah, I have nothing to say to this. This allows to trick out the download limit completely by just always downloading with range 0-. Even for text files, documents, images, etc. not only streamed items. Maybe it can be limited to that kind of resources?

@nickvergessen nickvergessen added this to the Nextcloud 26 milestone Nov 22, 2022
$this->emitShareAccessEvent($share, self::SHARE_DOWNLOAD);

// Ensure download limit is counted unless we are streaming a video or audio file
if (!isset($_SERVER['HTTP_RANGE']) || !$isVideoAudio) {

Check failure

Code scanning / Psalm

RedundantCondition Error

Operand of type true is always truthy
@skjnldsv
Copy link
Member

skjnldsv commented Nov 22, 2022

Yeah, I have nothing to say to this. This allows to trick out the download limit completely by just always downloading with range 0-. Even for text files, documents, images, etc. not only streamed items. Maybe it can be limited to that kind of resources?

@PVince81 since we talked about it this morning.
I think it's ok to not bind this to videos only. What about audio/* ? When does it stop? 🙈

The download limit by itself is not a perfect science and we made sure to communicate that. Anyone with decent skills can counter this and download the file then distribute it outside. Even with or without range protection. 🤷

@PVince81
Copy link
Member

I think it's ok if we limit it to anything that can be streamed in the browser.
Might not be open ended to streamed assets we don't know about yet, but should be ok for now I guess to say only audio or video.

@PVince81
Copy link
Member

also ok to not limit it with mime types

also note: a similar topic for viewer apps: nextcloud/files_pdfviewer#654 (comment)

// Single file download
$this->singleFileDownloaded($share, $share->getNode());
$this->singleFileDownloaded($share, $node);
$isVideoAutio = str_starts_with($node->getMimeType(), 'video/') || str_starts_with($node->getMimeType(), 'audio/');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
$isVideoAutio = str_starts_with($node->getMimeType(), 'video/') || str_starts_with($node->getMimeType(), 'audio/');
$isVideoAudio = str_starts_with($node->getMimeType(), 'video/') || str_starts_with($node->getMimeType(), 'audio/');

// Single file download
$this->singleFileDownloaded($share, $share->getNode());
$this->singleFileDownloaded($share, $node);
$isVideoAutio = str_starts_with($node->getMimeType(), 'video/') || str_starts_with($node->getMimeType(), 'audio/');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
$isVideoAutio = str_starts_with($node->getMimeType(), 'video/') || str_starts_with($node->getMimeType(), 'audio/');
$isVideoAudio = str_starts_with($node->getMimeType(), 'video/') || str_starts_with($node->getMimeType(), 'audio/');

Copy link
Contributor

@szaimen szaimen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I need an answer on this:
#35324 (comment)

@skjnldsv
Copy link
Member

The fix looks good to me in general. I wonder if we should revert #28227 now that this is fixed?

Might be a good idea yes

@nickvergessen
Copy link
Member

Why that? The activity spam would just come back?
Also with the change in this PR we can't move the activity app over, as it would not create an event anymore when the viewer is used to look at it.

#28227 was only for activities, not for the download limit counter.

@PVince81
Copy link
Member

if possible, let's see if switching to a header "X-NC-Viewer" would work there and have the download limit app ignore such requests: nextcloud/files_pdfviewer#654 (comment)

@blizzz blizzz mentioned this pull request Feb 1, 2023
@skjnldsv skjnldsv mentioned this pull request Feb 23, 2023
@blizzz blizzz mentioned this pull request Mar 7, 2023
@blizzz blizzz modified the milestones: Nextcloud 26, Nextcloud 27 Mar 9, 2023
This was referenced May 3, 2023
$this->emitShareAccessEvent($share, self::SHARE_DOWNLOAD);

// Ensure download limit is counted unless we are streaming a video or audio file
if (!isset($_SERVER['HTTP_RANGE']) || !$isVideoAudio) {

Check failure

Code scanning / Psalm

RedundantCondition Error

Type false for $isVideoAudio is always falsy
This was referenced Mar 12, 2024
This was referenced Mar 20, 2024
@skjnldsv skjnldsv mentioned this pull request Mar 28, 2024
81 tasks
@skjnldsv skjnldsv modified the milestones: Nextcloud 29, Nextcloud 30 Mar 28, 2024
@skjnldsv skjnldsv added 2. developing Work in progress stale Ticket or PR with no recent activity and removed 3. to review Waiting for reviews labels Jul 27, 2024
This was referenced Jul 30, 2024
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
@skjnldsv skjnldsv closed this Aug 3, 2024
@skjnldsv skjnldsv reopened this Aug 4, 2024
@skjnldsv skjnldsv assigned skjnldsv and unassigned CarlSchwan Aug 4, 2024
@Altahrim Altahrim mentioned this pull request Aug 5, 2024
@skjnldsv skjnldsv removed the stale Ticket or PR with no recent activity label Aug 6, 2024
@skjnldsv skjnldsv modified the milestones: Nextcloud 30, Nextcloud 31 Aug 6, 2024
@skjnldsv skjnldsv closed this Aug 14, 2024
@skjnldsv skjnldsv removed this from the Nextcloud 31 milestone Aug 14, 2024
@szaimen szaimen deleted the fix/download-limit-streaming branch August 14, 2024 11:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
2. developing Work in progress
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants