Custom Query (2449 matches)

deluged seem to allow connections from anyone on localhost; this is obviously not secure if there are more than one user on a system. For example:

1. Create a torrent with a file called ".profile", upload to any tracker.
2. Connect to the deluge daemon that another user is running.
3. Change the download folder to the user $HOME, and add the torrent.
4. The .profile can contain anything, and will be executed when the user logs in next time, for example: alias sudo=/home/hacker/sudo_and_log_password

It can also be a security risk even in a single-user setting, if other servers are running (as unprivileged users) on the same system that are less secure and can be hacked (http, ftp, etc).

Some sort of authentication is needed.

When suspended and followed by torrent initialization again, Deluge sends the number of data as if the torrent starts to download from the beginning again.

deluge start with logging in debug mode enabled, and with the output set to console. This is bad because stdout and stderr output are redirected to .xsession-errors by default when you lunch deluge from the desktop (from the menu, a desktop icon, downloading a .torrent, etc).

The logger should only report messages of level ERROR or higher by default, and should be an option to change this from the command line.