
#346 minidlna web interface no longer works in 1.3.1

v1.0 (example)
open
nobody
None
5
2026-02-01
2022-06-17
No

The change in Commit [c21208] seems to have caused the minidlna web interface to no longer work.

Looking at the check on line 921, any Host header which includes letters a-z will cause the 404 to trigger and that's what I'm seeing when accessing the web interface.

Version 1.3.0 works fine. The bug was introduced in 1.3.1.

BTW: Many thanks for the great software!

Related

Commit: [c21208]

Discussion

  • Marc-Andre Lemburg

    Wouldn't it be better to compare the Host header against the host and port entry from the config variable presentation_url to protect against DNS rebinding?

     
  • Pavel Mlčoch

    Pavel Mlčoch - 2022-10-31

    I have this problem on Fedora 36 with rpmfusion-updates version 1.3.2.

    I get this error on server:
    mmedia2.pavkamlc.cz minidlnad[4805]: upnphttp.c:938: error: DNS rebinding attack suspected (Host: mmedia2.pavkamlc.cz:8200)

    Client gets this:
    Bad Request
    The request is invalid for this HTTP version.

    With Fedora 36 + rpmfusion version 1.3.0 or RockyLinux + version 1.3.0 I don't have any problem.

     

    Last edit: Pavel Mlčoch 2022-10-31
  • MobileHero

    MobileHero - 2023-07-04

    Bugging me as well. This definitely should be fixed finally (!)

     
  • Rui Chen

    Rui Chen - 2023-09-03

    Any update on this? Thanks!

     
  • Henk van der Laak

    Workaround for fixed ip addresses, e.g. localhost:
    Use http://127.0.0.1:8200/ instead of http://localhost:8200/

     

    Last edit: Henk van der Laak 2024-09-08
  • Daniel Kaplan

    Daniel Kaplan - 2024-09-24

    Where do I need to put the IP?

     
  • Marc-Andre Lemburg

    FWIW: The bug is still present in version 1.3.3.

     
    👍
    2
  • paul

    paul - 2025-05-04

    FWIW: The bug is still present in version 1.3.3.

    There was an attempt to "make it work" in 1.3.2

    I don't really "get" the code - it errors if the request host/port was not numeric - but why?

    AIUI DNS rebinding attacks are intended to fool clients into trusting malicious scripts by changing the source DNS record from a public IP address to an intranet (presumably RFC 1918) address between the time that the client downloads the script and checking whether it is trustworthy - I am not at all sure the ReadyMedia http server getting a request directed at a hostname rather than numeric IP address is the same thing at all.

    Unless someone can enlighten me?

     
  • Vasileios

    Vasileios - 2026-02-01

    Accessing minidlna via hostname:8200
    still fails and produces a log:
    Feb 01 17:28:16 hostname minidlnad[771]: upnphttp.c:938: error: DNS rebinding attack suspected (Host: hostname:8200)

    This is still reproducible on the latest version 1.3.3 and trixie.
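
Added example, not minidlna's code and not part of any comment above: a Host header check along the lines suggested in the first comment, which keeps accepting IP literals (the only case that works in this ticket) and additionally accepts the exact host:port configured in presentation_url. The function names, the sample URL and the sample host names are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Split "host[:port]" or "[ipv6][:port]" into host and port ("" if absent).
 * Returns 0 on malformed or oversized input. */
static int split_authority(const char *in, size_t len, char *host, char *port, size_t cap)
{
    const char *end = in + len, *h = in, *he, *p;
    if (len && *in == '[') {                      /* bracketed IPv6 literal */
        h = in + 1;
        he = memchr(h, ']', (size_t)(end - h));
        if (!he || (he + 1 != end && he[1] != ':')) return 0;
        p = (he + 1 == end) ? end : he + 2;
    } else {
        he = memchr(in, ':', len);
        p = he ? he + 1 : end;
        if (!he) he = end;
    }
    if (he == h || (size_t)(he - h) >= cap || (size_t)(end - p) >= cap) return 0;
    memcpy(host, h, (size_t)(he - h)); host[he - h] = '\0';
    memcpy(port, p, (size_t)(end - p)); port[end - p] = '\0';
    return 1;
}

/* 1 = serve the request, 0 = reject as a possible DNS rebinding request.
 * presentation_url is the minidlna.conf value (hypothetical helper). */
int host_allowed(const char *host_hdr, const char *presentation_url)
{
    char h[256], hp[256], c[256], cp[256];
    unsigned char addr[16];
    const char *auth;
    if (!split_authority(host_hdr, strlen(host_hdr), h, hp, sizeof h)) return 0;
    if (host_hdr[0] == '[') return inet_pton(AF_INET6, h, addr) == 1;
    if (inet_pton(AF_INET, h, addr) == 1) return 1;  /* IP literal: no DNS name involved */
    if (!presentation_url || !(auth = strstr(presentation_url, "://"))) return 0;
    auth += 3;
    if (!split_authority(auth, strcspn(auth, "/"), c, cp, sizeof c)) return 0;
    /* A name passes only if it is the one the administrator configured. */
    return strcasecmp(h, c) == 0 && strcmp(hp, cp) == 0;
}

int main(void)
{
    const char *url = "http://media.example.lan:8200/";   /* constructed sample */
    const char *hosts[] = { "127.0.0.1:8200", "media.example.lan:8200", "rebind.example:8200" };
    for (size_t i = 0; i < sizeof hosts / sizeof *hosts; i++)
        printf("%-26s %s\n", hosts[i], host_allowed(hosts[i], url) ? "allow" : "reject");
}
```

Ports are compared as text, so a Host header without a port is rejected when presentation_url carries one.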

     
