HTTP API Bugs?

Dev Community Dev/API Corner
1
Missing content nodes, search syntax
I've been playing around with the HTTP API and I found a few maybe-bugs.

1. It's really nice how each level of the tree (e.g., /library/sections) links to the next level of the tree (e.g., the sections) but it seems that at least a few things are missing. library/recentlyAdded and library/sections/2/timeline are two that I've noticed while inspecting the manage web UI. Are these going to be added to the response tree in the future? That is, will a request to "library" ever have "recentlyAdded" as a child Directory? Are there others that I'm missing?

2. Single quotes break searches -> http://host:32400/search?type=2&query=foo%27bar

<br />
Apr 19, 2012 19:58:01 [0xb0699000] DEBUG - Query: foo'bar<br />
Apr 19, 2012 19:58:01 [0xb0699000] ERROR - SQLITE3:b030ad08, 1, near "bar": syntax error


I guess search is using a case insensitive LIKE clause considering % works as a wildcard. Is the caller of the API expected to escape invalid SQL characters?

------

Incidentally, is there any documentation for the HTTP API? I feel like I'm probably missing some neat features. For instance, I've come across adding "type=X" to the search to limit to episodes or shows, but would love to be able to limit to specific fields (title, description, etc).

Thanks,
David
2

Had a chance to think about it and the combination of forwarding port 32400 for iOS access, and an unauthenticated API leads to a pretty easy SQL injection target.



I don’t know enough about myPlex to know if it exposes the server, nor do I know if sqlite allows any kind of fancy scripting capabilities that would expose the system in general.



I guess the mitigating factors are:

  1. the number of exposed servers is probably quite low (assuming myPlex isn’t exposing servers)
  2. if sqlite doesn’t offer any ability to get down to the OS (or doesn’t have any exploits of its own) the worse that someone could do is delete your Plex data. Sad, certainly, but not terrible.



    All told, perhaps not terribly worrisome (as far as I know), but something to keep in mind…
3


Just fixed the missing /recentlyAdded, thanks :)

As for "timeline" we can't expose that b/c subdirectories off a library section are taken as filters, so all clients would add a new "timeline" entry which would look weird and wouldn't work.



Thanks very much, fixed that too! We took care of escaping the quote, we just did it wrong.



Very sadly, not yet. The best way to see what's available is likely what you've been doing already, watching the log while using a client :)
4


Great, thanks. I had written some code to nicely walk the tree and was sad about the prospect of special casing.

I'm not sure what timeline is so I don't know how or if I'll handle it, just yet.



That's good news. :) I was worried about a visit from Little Bobby Tables. (http://xkcd.com/327/)



Ok, no worries. It's mostly self documenting, anyhow (which is pretty neat, btw) and I can get the rest from logs, etc.

I do have one question if you have the time. Aside from "type" are there any other search filters available?

Thanks!
5

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.