Yeeek. That's a lot of options :)
As someone who is pretty savvy but has only ever left Icecast authentication at
the defaults, are there any examples, as I need to get it turned off pretty
quickly.
Also, as there is no 'publicstats' in the admin dir, I'm guessing it is aliased
somewhere. A grep finds:
src/acl.c:    acl_set_admin_str(ret, ACL_POLICY_ALLOW, "buildm3u,publicstats,publicstats.json");
src/admin.c:#define PUBLICSTATS_RAW_REQUEST             "publicstats"
src/admin.c:#define PUBLICSTATS_JSON_REQUEST            "publicstats.json"
src/admin.c:    { PUBLICSTATS_RAW_REQUEST,              ADMINTYPE_HYBRID,      ADMIN_FORMAT_RAW,           ADMINSAFE_SAFE,     command_public_stats, NULL},
src/admin.c:    { PUBLICSTATS_JSON_REQUEST,             ADMINTYPE_HYBRID,      ADMIN_FORMAT_JSON,          ADMINSAFE_SAFE,     command_public_stats, NULL},
...but not sure if I should start messing around in 'c' files. I'm a js guy ;)
> On 21 Jan 2024, at 11:03, Philipp Schafft <phschafft at
de.loewenfelsen.net> wrote:
> 
> Good morning,
> 
> On Sun, 2024-01-21 at 10:39 +0000, TDAS wrote:
>> Can anyone tell me why /admin/publicstats is unprotected? And how I
>> go about changing that!?
>> 
>> I don't understand why it would be accessible by anyone without
>> authenticating when it is under /admin/ ??
> 
> The endpoint is meant to be a replacement for /status-json.xsl which it
> deprecates.
> 
> The admin/-namespace is basically everything that is not user provided.
> It might not be the best name, but it's called that for historical
> reasons.
> 
> Endpoints in the admin/-namespace are subject to normal access control
> (and have always been). For example mount specific endpoints have
> always been available with the source credentials as well by default.
> And the buildm3u endpoint has always been accessible to anyone (as it
> is useless otherwise).
> 
> Access to those endpoints can be controlled using the normal
> allow/deny-admin options, using "publicstats", and "publicstats.json"
> as commands.
> 
> Please also note that the different stats views are also subject to some
> content filtering logic. So you'll find that depending on which of the
> endpoints you access and depending on your used credentials you will
> have access to different data.
> 
> 
> For more details see:
> https://wiki.xiph.org/Icecast_Server/2.5_Authentication
> 
> 
> With best regards,
> 
> -- 
> Philipp Schafft (CEO/Geschäftsführer)
> Telephone:           +49.3535 490 17 92
> Website:             https://www.loewenfelsen.net/
> Follow us:           https://www.linkedin.com/company/loewenfelsen/
> Geschäftsführer/CEO: Philipp Schafft
> 
> Löwenfelsen UG (haftungsbeschränkt)     Registration number:
> Bickinger Straße 21                     HRB 12308 CB
> 04916 Herzberg (Elster)                 VATIN/USt-ID:
> Germany                                 DE305133015
> _______________________________________________
> Icecast mailing list
> Icecast at xiph.org
> http://lists.xiph.org/mailman/listinfo/icecast
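
A check to run after changing the allow/deny-admin settings discussed in this thread, as an added example that is not part of the original messages or of Icecast: it requests the two stats commands named above without credentials and reports whether each still answers. Treating 401/403 as "denied" and the base URL passed on the command line are assumptions.

```python
import urllib.error
import urllib.request

# Admin commands named in the thread, as paths under the server root.
STATS_ENDPOINTS = ("/admin/publicstats", "/admin/publicstats.json")
# Connect directly to the server under test, ignoring proxy environment variables.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def classify(status):
    """Map the HTTP status of an unauthenticated request to a verdict."""
    if 200 <= status < 300:
        return "exposed"       # data was served to an anonymous client
    if status in (401, 403):
        return "protected"     # assumption: a denied request is answered 401 or 403
    return "inconclusive"      # 404, 5xx and so on: inspect by hand


def probe(base_url, paths=STATS_ENDPOINTS, timeout=5.0):
    """GET each path with no Authorization header; return {path: (status, verdict)}."""
    results = {}
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
        try:
            with _OPENER.open(req, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code  # 4xx/5xx are raised as exceptions; keep the code
        results[path] = (status, classify(status))
    return results


def still_exposed(results):
    """Paths that an anonymous client can still read."""
    return sorted(p for p, (_, verdict) in results.items() if verdict == "exposed")


if __name__ == "__main__":
    import sys
    # Usage (hypothetical URL): python check_publicstats.py http://localhost:8000
    report = probe(sys.argv[1])
    for path, (status, verdict) in report.items():
        print(f"{path}: HTTP {status} -> {verdict}")
    sys.exit(1 if still_exposed(report) else 0)
```

The script exits non-zero while any of the listed paths still answers an anonymous request, so it can be used as a post-deployment check.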