NEWA - TinyURL and security

[NumberFive]

Hi,

Has anyone considered the security of the TinyURLs in NEWA? Are they created on demand when a webpage is viewed, or for every recording in the library in advance?

Is there a way to switch them off? I like the idea, but I'd rather it be done by the NEWA server on my machine and not an external service (e.g. http://<myip>:2846/Tiny.aspx?<small_url>). I worry about links to my webserver on public sites.

Thanks for advice

[raceviper13]

I agree with NumberFive...

[whurlston]

NEWA is fully open source so you could write your own Tiny.aspx that does what you want. You will need to keep track of the small url you create (so you don't reuse them) and the files they represent.

[NumberFive]

Is there an easy way to disable the present TinyURL generation?

[UncleJohnsBand]

Is there an easy way to disable the present TinyURL generation?

There is currently no way to disable the generation.

The use of TinyURL and/or other such services is a general accepted practice. By default you need to log into NEWA from external networks to access your server so there is security to prevent access to your site if the generate URL's are exposed publically.

This is a good example of "not reinventing the wheel" since the effort to develop and maintain a self-hosted solution outweighs the usage of a publically available service.

As whurlston mentioned you can roll-your-own Tiny.aspx and develop out a solution that meets your needs.

[mvallevand]

As whurlston mentioned you can roll-your-own Tiny.aspx and develop out a solution that meets your needs.

As a quick hack for the most paranoid a user could use notepad edit to web\App_Code\Download_aspx.cs

Code:

public string MakeTinyUrl(string Url)
        {
            [color=#FF0000][b]return Url;[/b][/color]
            Logger.Info("TinyUrl passed in Url: " + Url);
...
        public string MakeTinyUrl2(string Url)
        {
            [color=#FF0000][b]return Url;[/b][/color]
            Logger.Info("TinyUrl2 passed in Url: " + Url);
...

Then while remote the user could use the browser copy to either access directly or paste it into their favourite url shortener.

Martin

[NumberFive]

Hi mvallevand,

Thanks, I'll try this in the morning.

The issue I have is that I don't like the idea of a lot of public TinyURL links pointed at my media centre PC's open ports. This seems a rather unnecessary security risk since it is basically throwing an advertisement up on the internet saying there is something interesting at said address. I guess a port scanner would find it anyway, but why add the extra risk. I thought TinyURLs were really only of benefit when someone had to manually type an address in? Much better in my mind would be a button to copy the long URL to the clipboard. About the only use I have for it is to copy it into VLC.

Just my two cents. NEWA is an excellent piece of software!

[whurlston]

I thought TinyURLs were really only of benefit when someone had to manually type an address in?

Twitter was the main driving force behind tiny urls. Some URLs could quickly eat the limited character length of a twitter post.

[UncleJohnsBand]

Attached is a patch that allows you to disable TinyURL generation.

Stop NPVR Service.
Load the patch.
Start NPVR Service.

This will create a new element in config-web.xml <TinyURLEnabled> defaulted to True.

Change value to False.

Stop/Start NPVR server.

Edit: The Tiny URL functionality was added on 12/31/2009 in EWA carried forward into NEWA. No issues reported from anyone in regards to a security hack due to data found on Tinyurl.com...

[NumberFive]

Hi UncleJohnsBand,

That's fantastic, thank you very much for this patch!

I know it's paranoia, but in my day job I'm used to seeing remote PCs being port scanned and brute forced, so I'm keen to reduce the exposure of my home PCs.