starred/qBittorrent
1
0
Fork 0
mirror of https://github.com/qbittorrent/qBittorrent.git synced 2026-03-02 22:57:32 -05:00
Code Issues 2.6k Projects Packages Wiki Activity

qBt not checking if files exist when using Seed mode(Skip hash check) #9616

New issue
Closed
opened 2026-02-21 20:17:07 -05:00 by deekerman · 34 comments
deekerman commented 2026-02-21 20:17:07 -05:00
Owner
Copy link

Originally created by @ghost on GitHub (Jan 8, 2020).

qBittorrent version and Operating System

4.2.1, Win10

What is the problem

Qbt does not check if destination file exists when using seed mode. It directly goes into seeding mode even if you select an empty directory. One could select a wrong directory when adding a file for re-seeding or cross-seeding but qBt won’t complain that the files are missing. It continues to be in seeding state unless someone tries to leech the torrent from that user.

This also has some potential cheating implications. One could get seed hours/seedbonus in private trackers without having the actual files in their disk.

What is the expected behavior

Check if the file exists before going into seeding mode.

Steps to reproduce

Just add some torrent in qBt with skip hash check box ticked. (make sure that torrent has no leecher. Otherwise it will reset back to 0%).

Originally created by @ghost on GitHub (Jan 8, 2020). ### qBittorrent version and Operating System 4.2.1, Win10 ### What is the problem Qbt does not check if destination file exists when using seed mode. It directly goes into seeding mode even if you select an empty directory. One could select a wrong directory when adding a file for re-seeding or cross-seeding but qBt won’t complain that the files are missing. It continues to be in seeding state unless someone tries to leech the torrent from that user. This also has some potential cheating implications. One could get seed hours/seedbonus in private trackers without having the actual files in their disk. ### What is the expected behavior Check if the file exists before going into seeding mode. ### Steps to reproduce Just add some torrent in qBt with skip hash check box ticked. (make sure that torrent has no leecher. Otherwise it will reset back to 0%).
deekerman 2026-02-21 20:17:07 -05:00
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@FranciscoPombal commented on GitHub (Jan 13, 2020):

Well, this part seems correct:

When a leecher connects and read piece is called, libtorrent knows file doesn’t exists so it starts downloading it again.

The problem is going directly into seeding state in the first place.

@FranciscoPombal commented on GitHub (Jan 13, 2020): Well, this part seems correct: > When a leecher connects and read piece is called, libtorrent knows file doesn’t exists so it starts downloading it again. The problem is going directly into seeding state in the first place.
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@glassez commented on GitHub (Jan 13, 2020):

Well, can someone to summarize the problem?

  1. What's the typical use case of "Skip Hash Check" option?
  2. What can cause the problem?
  3. How "Skip Hash Check" should behave?
@glassez commented on GitHub (Jan 13, 2020): Well, can someone to summarize the problem? 1. What's the typical use case of "Skip Hash Check" option? 2. What can cause the problem? 3. How "Skip Hash Check" should behave?
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 13, 2020):

  1. Case# 1. I’ve already downloaded a torrent from one tracker and want to seed that in another. I don’t want qBit to recheck the hash when adding the torrent from other tracker. Remember, info hashes can be different across trackers so trackers won’t merge in all use cases. A new torrent will get added and recheck will commence unless skip hash chk is used.
    Case#2. I’ve removed a torrent from qBit, want to re-seed it. Don’t want qbit to recheck.
    Case #3. I’m uploading a torrent to a private tracker. After uploading I’ve to redownload the metafile to add passkey. I won’t like to waste time in qBit rechecking the file again.

  2. Tick skip hash check when adding torrent.

  3. When that option is checked during adding torrent, check if the files already exist in the directory or not. If not present, don’t apply skip hash check, instead add that torrent as usual Without skipping hash checking.

@ghost commented on GitHub (Jan 13, 2020): 1. Case# 1. I’ve already downloaded a torrent from one tracker and want to seed that in another. I don’t want qBit to recheck the hash when adding the torrent from other tracker. Remember, info hashes can be different across trackers so trackers won’t merge in all use cases. A new torrent will get added and recheck will commence unless skip hash chk is used. Case#2. I’ve removed a torrent from qBit, want to re-seed it. Don’t want qbit to recheck. Case #3. I’m uploading a torrent to a private tracker. After uploading I’ve to redownload the metafile to add passkey. I won’t like to waste time in qBit rechecking the file again. 2. Tick skip hash check when adding torrent. 3. When that option is checked during adding torrent, check if the files already exist in the directory or not. If not present, don’t apply skip hash check, instead add that torrent as usual Without skipping hash checking.
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@glassez commented on GitHub (Jan 13, 2020):

Remember, info hashes can be different across trackers so trackers won’t merge in all use cases.

IIRC, we are talking about checking of files. Info hash has nothing to do here.

Tick skip hash check when adding torrent.

Do you mean the case when the user did this accidentally?

If not present, don’t apply skip hash check, instead add that torrent as usual Without skipping hash checking.

What's about the case when user doesn't really want to download anything? E.g. it has the torrent content previously downloaded (but files were renamed that time).

@glassez commented on GitHub (Jan 13, 2020): >Remember, info hashes can be different across trackers so trackers won’t merge in all use cases. IIRC, we are talking about checking of files. Info hash has nothing to do here. >Tick skip hash check when adding torrent. Do you mean the case when the user did this accidentally? > If not present, don’t apply skip hash check, instead add that torrent as usual Without skipping hash checking. What's about the case when user doesn't really want to download anything? E.g. it has the torrent content previously downloaded (but files were renamed that time).
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@FranciscoPombal commented on GitHub (Jan 13, 2020):

@an0n666 even with the changes you are suggesting, a cheater could just create the correct folder structure + 0-size files with the correct names, and qBittorrent would go directly into seeding mode when "skip hash check" is on.

Perhaps it is better to get rid of the option altogether? It would be kind of inconvenient, especially for case 3.

But the metafile redownload in step 3 can generally be avoided as far as I know by setting the correct passkey and source flag (-s flag in mktorrent) from the start.

As for the other 2 cases, you'd just have to live with the recheck, which means a little extra "downtime".

@FranciscoPombal commented on GitHub (Jan 13, 2020): @an0n666 even with the changes you are suggesting, a cheater could just create the correct folder structure + 0-size files with the correct names, and qBittorrent would go directly into seeding mode when "skip hash check" is on. Perhaps it is better to get rid of the option altogether? It would be kind of inconvenient, especially for case 3. But the metafile redownload in step 3 can generally be avoided as far as I know by setting the correct passkey and source flag (`-s` flag in `mktorrent`) from the start. As for the other 2 cases, you'd just have to live with the recheck, which means a little extra "downtime".
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@glassez commented on GitHub (Jan 13, 2020):

Maybe it's better to go into "Missing files" state if option is enabled but there are no files exist?

@glassez commented on GitHub (Jan 13, 2020): Maybe it's better to go into "Missing files" state if option is enabled but there are no files exist?
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@FranciscoPombal commented on GitHub (Jan 13, 2020):

@glassez

Maybe it's better to go into "Missing files" state if option is enabled but there are no files exist?

Would not stop the potential cheating issue raised in the OPthe first comment, see my comment above.

@FranciscoPombal commented on GitHub (Jan 13, 2020): @glassez > Maybe it's better to go into "Missing files" state if option is enabled but there are no files exist? Would not stop the potential cheating issue raised in the ~OP~the first comment, see my comment above.
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@glassez commented on GitHub (Jan 13, 2020):

Would not stop the potential cheating issue raised in the OP, see my comment above.

Sorry, I answered another comment.
BTW, I don't intend to fight with cheeters. F there is valid use case of this option I would fix it, otherwise let's remove it totally.

@glassez commented on GitHub (Jan 13, 2020): >Would not stop the potential cheating issue raised in the OP, see my comment above. Sorry, I answered another comment. BTW, I don't intend to fight with cheeters. F there is valid use case of this option I would fix it, otherwise let's remove it totally.
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@FranciscoPombal commented on GitHub (Jan 13, 2020):

Sorry, I answered another comment.
BTW, I don't intend to fight with cheeters. F there is valid use case of this option I would fix it, otherwise let's remove it totally.

If you ignore the cheating issue, all 3 cases mentioned above are legitimate uses of the feature. However, there should be a simple check for missing files and, like you mentioned:

Maybe it's better to go into "Missing files" state if option is enabled but there are no files exist?

Yep.

@FranciscoPombal commented on GitHub (Jan 13, 2020): > Sorry, I answered another comment. > BTW, I don't intend to fight with cheeters. F there is valid use case of this option I would fix it, otherwise let's remove it totally. If you ignore the cheating issue, all 3 cases mentioned above are legitimate uses of the feature. However, there should be a simple check for missing files and, like you mentioned: > Maybe it's better to go into "Missing files" state if option is enabled but there are no files exist? Yep.
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@glassez commented on GitHub (Jan 13, 2020):

If you ignore the cheating issue, all 3 cases mentioned above are legitimate uses of the feature. However, there should be a simple check for missing files and, like you mentioned

Well, then I want to hear more opinions about "cheating issue". Should we drop "Skip hash check" option or not?
@sledgehammer999, @Chocobo1, @thalieht?

@glassez commented on GitHub (Jan 13, 2020): >If you ignore the cheating issue, all 3 cases mentioned above are legitimate uses of the feature. However, there should be a simple check for missing files and, like you mentioned Well, then I want to hear more opinions about "cheating issue". Should we drop "Skip hash check" option or not? @sledgehammer999, @Chocobo1, @thalieht?
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 13, 2020):

But the metafile redownload in step 3 can generally be avoided as far as I know by setting the correct passkey and source flag (-s flag in mktorrent) from the start.

Some trackers add their own unique key to info hash so unless the metafile is redownloaded you cannot seed.
@FranciscoPombal

IIRC, we are talking about checking of files. Info hash has nothing to do here.

By different hash i meant if info hash is different then qBit treats them as different torrents. So the use case of skip hash checking applies when adding same torrents with different info hash

Do you mean the case when the user did this accidentally?

If they tick it knowingly but select a wrong directory.

What's about the case when user doesn't really want to download anything?>
E.g. it has the torrent content previously downloaded (but files were renamed that time).

Missing files thing would solve the issue.
@glassez

@ghost commented on GitHub (Jan 13, 2020): > But the metafile redownload in step 3 can generally be avoided as far as I know by setting the correct passkey and source flag (`-s` flag in `mktorrent`) from the start. > Some trackers add their own unique key to info hash so unless the metafile is redownloaded you cannot seed. @FranciscoPombal > IIRC, we are talking about checking of files. Info hash has nothing to do here. > By different hash i meant if info hash is different then qBit treats them as different torrents. So the use case of skip hash checking applies when adding same torrents with different info hash > Do you mean the case when the user did this accidentally? > If they tick it knowingly but select a wrong directory. > What's about the case when user doesn't really want to download anything?> E.g. it has the torrent content previously downloaded (but files were renamed that time). Missing files thing would solve the issue. @glassez
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@FranciscoPombal commented on GitHub (Jan 13, 2020):

Well, then I want to hear more opinions about "cheating issue".

Just to be clear, I am not claiming it is prevalent. In fact, I hadn't thought about it until now.
A really determined cheater will always find a way cheat. But this seems to make it too easy.

@FranciscoPombal commented on GitHub (Jan 13, 2020): > Well, then I want to hear more opinions about "cheating issue". Just to be clear, I am not claiming it is prevalent. In fact, I hadn't thought about it until now. A really determined cheater will always find a way cheat. But this seems to make it too easy.
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 18, 2020):

Well, then I want to hear more opinions about "cheating issue".

Just to be clear, I am not claiming it is prevalent. In fact, I hadn't thought about it until now.
A really determined cheater will always find a way cheat. But this seems to make it too easy.

I think it doesn't matter if this issue is prevalent or not. A client by default should not have any feature which could be exploited so easily by a potential cheater. Like anyone could add a thousand torrents with skip hash check and seed those with zero effort and gain seedtime/seedbonus.
I understand that this issue is irrevalent for public tracker users but it's pretty critical for private trackers. This kind of exploitation could warrant a ban of Qbit from private trackers as well unless addressed properly.

@ghost commented on GitHub (Jan 18, 2020): > > Well, then I want to hear more opinions about "cheating issue". > > Just to be clear, I am not claiming it is prevalent. In fact, I hadn't thought about it until now. > A really determined cheater will always find a way cheat. But this seems to make it too easy. I think it doesn't matter if this issue is prevalent or not. A client by default should not have any feature which could be exploited so easily by a potential cheater. Like anyone could add a thousand torrents with skip hash check and seed those with zero effort and gain seedtime/seedbonus. I understand that this issue is irrevalent for public tracker users but it's pretty critical for private trackers. This kind of exploitation could warrant a ban of Qbit from private trackers as well unless addressed properly.
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@glassez commented on GitHub (Jan 18, 2020):

So, should we just drop it out?

@glassez commented on GitHub (Jan 18, 2020): So, should we just drop it out?
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 19, 2020):

So, should we just drop it out?

If the feature can't be made more difficult to be exploited then it's better to drop it I guess.

@ghost commented on GitHub (Jan 19, 2020): > So, should we just drop it out? If the feature can't be made more difficult to be exploited then it's better to drop it I guess.
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@glassez commented on GitHub (Jan 19, 2020):

If the feature can't be made more difficult to be exploited

It can more or less. But if it will be as expensive as a checking, it does not make sense.

@glassez commented on GitHub (Jan 19, 2020): >If the feature can't be made more difficult to be exploited It can more or less. But if it will be as expensive as a checking, it does not make sense.
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 19, 2020):

If the feature can't be made more difficult to be exploited

It can more or less. But if it will be as expensive as a checking, it does not make sense.

I think we have a less expensive way of doing it. Currently If a peer connects and libtorrent calls read piece and fails, that torrent resets to 0%.
If a torrent is added using skip hash, we could call read piece on a randomly selected piece which would emulate the same situation as a leecher connecting and requesting a piece from the seeder. Since libtorrent will fail to read the piece it’ll reset back to 0%. We’ll be reading just one random piece so this will be the least expensive way.

@ghost commented on GitHub (Jan 19, 2020): > > If the feature can't be made more difficult to be exploited > > It can more or less. But if it will be as expensive as a checking, it does not make sense. I think we have a less expensive way of doing it. Currently If a peer connects and libtorrent calls read piece and fails, that torrent resets to 0%. If a torrent is added using skip hash, we could call read piece on a randomly selected piece which would emulate the same situation as a leecher connecting and requesting a piece from the seeder. Since libtorrent will fail to read the piece it’ll reset back to 0%. We’ll be reading just one random piece so this will be the least expensive way.
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 19, 2020):

I'm talking about this http://libtorrent.org/reference-Core.html#read_piece()
to be precise.

@ghost commented on GitHub (Jan 19, 2020): I'm talking about this http://libtorrent.org/reference-Core.html#read_piece() to be precise.
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@FranciscoPombal commented on GitHub (Jan 19, 2020):

I think we have a less expensive way of doing it. Currently If a peer connects and libtorrent calls read piece and fails, that torrent resets to 0%.
If a torrent is added using skip hash, we could call read piece on a randomly selected piece which would emulate the same situation as a leecher connecting and requesting a piece from the seeder. Since libtorrent will fail to read the piece it’ll reset back to 0%. We’ll be reading just one random piece so this will be the least expensive way.

This + ensuring the directory structure exists seems like it could be a very robust way of preventing cheating in this way.

@glassez @arvidn thoughts?

@FranciscoPombal commented on GitHub (Jan 19, 2020): > I think we have a less expensive way of doing it. Currently If a peer connects and libtorrent calls read piece and fails, that torrent resets to 0%. > If a torrent is added using skip hash, we could call read piece on a randomly selected piece which would emulate the same situation as a leecher connecting and requesting a piece from the seeder. Since libtorrent will fail to read the piece it’ll reset back to 0%. We’ll be reading just one random piece so this will be the least expensive way. This + ensuring the directory structure exists seems like it could be a very robust way of preventing cheating in this way. @glassez @arvidn thoughts?
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@arvidn commented on GitHub (Jan 19, 2020):

My recollection is that in seed-mode, all files are verified to exist and have at least the size they're supposed to have.
Oh, I guess this report is saying it isn't

@arvidn commented on GitHub (Jan 19, 2020): ~~My recollection is that in seed-mode, all files are verified to exist and have at least the size they're supposed to have.~~ Oh, I guess this report is saying it isn't
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@arvidn commented on GitHub (Jan 19, 2020):

@an0n666 you say "... libtorrent knows file doesn’t exists so it starts downloading it again. This is an unexpected behaviour."

When skipping hash checks, whether the files are verified to exist and have the correct size or not, there will always be a scenario where it turned out it wasn't seed. Maybe the files got corrupted or just weren't done downloading. If reverting to checking state is unexpected in that case, what behavior would you expect?

Libtorrent will still check the hash of each piece before uploading it to a peer, so under no circumstances will libtorrent upload corrupt data. In my mind that would be a serious problem.

Even though I agree that it would be reasonable to make sure all files exist and have the right size up-front, I don't really see why this is a problem. You use the word "exploited", what do you mean by that exactly? The swarm will not be fed corrupt data, so where's the exploit?

@arvidn commented on GitHub (Jan 19, 2020): @an0n666 you say "... libtorrent knows file doesn’t exists so it starts downloading it again. This is an unexpected behaviour." When skipping hash checks, whether the files are verified to exist and have the correct size or not, there will always be a scenario where it turned out it wasn't seed. Maybe the files got corrupted or just weren't done downloading. If reverting to checking state is unexpected in that case, what behavior would you expect? Libtorrent will still check the hash of each piece *before* uploading it to a peer, so under no circumstances will libtorrent upload corrupt data. In my mind *that* would be a serious problem. Even though I agree that it would be reasonable to make sure all files exist and have the right size up-front, I don't really see why this is a problem. You use the word "exploited", what do you mean by that exactly? The swarm will not be fed corrupt data, so where's the exploit?
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 19, 2020):

When skipping hash checks, whether the files are verified to exist and have the correct size or not, there will always be a scenario where it turned out it wasn't seed. Maybe the files got corrupted or just weren't done downloading. If reverting to checking state is unexpected in that case, what behavior would you expect?

The unexpected behaviour is qBit not checking if the files exist before adding the torrent in seeding mode. The rechecking and redownloading part is as expected.

Even though I agree that it would be reasonable to make sure all files exist and have the right size up-front, I don't really see why this is a problem. You use the word "exploited", what do you mean by that exactly? The swarm will not be fed corrupt data, so where's the exploit?

By exploited I meant the state of seeding is not true and using such a state one can exploit seed time tracking or seedbonus systems found in private trackers. I’m not talking about peer to peer data exploitation.
@arvidn

@ghost commented on GitHub (Jan 19, 2020): > When skipping hash checks, whether the files are verified to exist and have the correct size or not, there will always be a scenario where it turned out it wasn't seed. Maybe the files got corrupted or just weren't done downloading. If reverting to checking state is unexpected in that case, what behavior would you expect? > The unexpected behaviour is qBit not checking if the files exist before adding the torrent in seeding mode. The rechecking and redownloading part is as expected. > Even though I agree that it would be reasonable to make sure all files exist and have the right size up-front, I don't really see why this is a problem. You use the word "exploited", what do you mean by that exactly? The swarm will not be fed corrupt data, so where's the exploit? By exploited I meant the state of seeding is not true and using such a state one can exploit seed time tracking or seedbonus systems found in private trackers. I’m not talking about peer to peer data exploitation. @arvidn
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@arvidn commented on GitHub (Jan 19, 2020):

By exploited I meant the state of seeding is not true and using such a state one can exploit seed time tracking or seedbonus systems found in private trackers

I see. You can also just use curl for that, as long as trackers blindly trust peers.

@arvidn commented on GitHub (Jan 19, 2020): > By exploited I meant the state of seeding is not true and using such a state one can exploit seed time tracking or seedbonus systems found in private trackers I see. You can also just use `curl` for that, as long as trackers blindly trust peers.
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@FranciscoPombal commented on GitHub (Jan 19, 2020):

@arvidn

I see. You can also just use curl for that, as long as trackers blindly trust peers.

True, and that is a pretty low barrier of entry for cheating already, but being able to just tick a checkbox is just unreasonably low. Even extremely layman users can do it this way. IMO, the solution proposed above is reasonable from a cost/benefit standpoint in principle to prevent the extremely easy route.

@FranciscoPombal commented on GitHub (Jan 19, 2020): @arvidn > I see. You can also just use `curl` for that, as long as trackers blindly trust peers. True, and that is a pretty low barrier of entry for cheating already, but being able to just tick a checkbox is just unreasonably low. Even extremely layman users can do it this way. IMO, the solution proposed above is reasonable from a cost/benefit standpoint in principle to prevent the extremely easy route.
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 28, 2020):

By exploited I meant the state of seeding is not true and using such a state one can exploit seed time tracking or seedbonus systems found in private trackers

I see. You can also just use curl for that, as long as trackers blindly trust peers.

Why would I use curl when I can just tick a box and be done with it. Keep seeding for days or even months without actually downloading anything. Which one sounds more convenient to you?

Anyways...I think the maintainer is currently away so this "cheating" issue will probably go down the drain like many other issues out there.

@ghost commented on GitHub (Jan 28, 2020): > > By exploited I meant the state of seeding is not true and using such a state one can exploit seed time tracking or seedbonus systems found in private trackers > > I see. You can also just use `curl` for that, as long as trackers blindly trust peers. Why would I use curl when I can just tick a box and be done with it. Keep seeding for days or even months without actually downloading anything. Which one sounds more convenient to you? Anyways...I think the maintainer is currently away so this "cheating" issue will probably go down the drain like many other issues out there.
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@arvidn commented on GitHub (Jan 28, 2020):

Why would I use curl when I can just tick a box and be done with it. Keep seeding for days or even months without actually downloading anything. Which one sounds more convenient to you?

The one that I can script and automate (i.e. curl).

@arvidn commented on GitHub (Jan 28, 2020): > Why would I use curl when I can just tick a box and be done with it. Keep seeding for days or even months without actually downloading anything. Which one sounds more convenient to you? The one that I can script and automate (i.e. `curl`).
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@FranciscoPombal commented on GitHub (Jan 28, 2020):

Why would I use curl when I can just tick a box and be done with it. Keep seeding for days or even months without actually downloading anything. Which one sounds more convenient to you?

The point isn't that using curl is preferable to ticking a box, it's that it's still possible to achieve the same thing relatively easily, using curl. Making it impossible to tick the box in qBIttorrent doesn't fix the underlying exploit.

Still, as I pointed out above, I still think it is a good idea to address this, since there is quite a big difference between "x can be exploited by ticking a box" vs "x can be exploited by scripting some HTTP requests (with curl, for example)". The former makes it doable by a much wider range of users.

@FranciscoPombal commented on GitHub (Jan 28, 2020): > Why would I use curl when I can just tick a box and be done with it. Keep seeding for days or even months without actually downloading anything. Which one sounds more convenient to you? The point isn't that using `curl` is preferable to ticking a box, it's that it's still possible to achieve the same thing relatively easily, using `curl`. Making it impossible to tick the box in qBIttorrent doesn't fix the underlying exploit. Still, as I pointed out above, I still think it is a good idea to address this, since there is quite a big difference between "x can be exploited by ticking a box" vs "x can be exploited by scripting some HTTP requests (with `curl`, for example)". The former makes it doable by a much wider range of users.
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 20, 2020):

I accidentally closed the issue. Are we waiting for someone to look into this issue? Or nobody's interested.

@ghost commented on GitHub (Feb 20, 2020): I accidentally closed the issue. Are we waiting for someone to look into this issue? Or nobody's interested.
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@arvidn commented on GitHub (Feb 20, 2020):

I think the proposed "fix" for this is to make sure all files exist and have the correct size. Doing this unconditionally would have some cost, and I'm not super excited about taking on the maintenance burden of such logic. I think an approximation of this could be done from qbt by issuing one torrent_handle::read_piece() call for a random piece. It wouldn't even have to care about the result. If that fails, libtorrent would put the torrent into a full-check mode, and check all pieces.

@arvidn commented on GitHub (Feb 20, 2020): I think the proposed "fix" for this is to make sure all files exist and have the correct size. Doing this unconditionally would have some cost, and I'm not super excited about taking on the maintenance burden of such logic. I think an approximation of this could be done from qbt by issuing one `torrent_handle::read_piece()` call for a random piece. It wouldn't even have to care about the result. If that fails, libtorrent would put the torrent into a full-check mode, and check all pieces.
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 22, 2020):

@arvidn looks like there's an issue with the method that you mention. When read_piece() is called on missing files it doesn't start the full-check mode. It only performs a full-check if the file is present. The torrent shows an error (The sys cant find the path ...) but as soon as you restart the client or pause/resume, the torrent starts seeding again without any recheck. Looks like qbt will have to handle the error alert.

@ghost commented on GitHub (Feb 22, 2020): @arvidn looks like there's an issue with the method that you mention. When read_piece() is called on missing files it doesn't start the full-check mode. It only performs a full-check if the file is present. The torrent shows an error (The sys cant find the path ...) but as soon as you restart the client or pause/resume, the torrent starts seeding again without any recheck. Looks like qbt will have to handle the error alert.
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 23, 2020):

Another interesting thing is..torrents added in seed mode never give missing files error even if you rename or delete the files. Is this a bug or intended?

Edit: Seems like the seed mode flag stays in fastresume file. So on client restart it resumes seeding regardless of missing files or what not.

@ghost commented on GitHub (Feb 23, 2020): Another interesting thing is..torrents added in seed mode never give missing files error even if you rename or delete the files. Is this a bug or intended? Edit: Seems like the seed mode flag stays in fastresume file. So on client restart it resumes seeding regardless of missing files or what not.
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@arvidn commented on GitHub (Feb 23, 2020):

Sounds like a bug (or maybe several)

@arvidn commented on GitHub (Feb 23, 2020): Sounds like a bug (or maybe several)
deekerman commented 2026-02-21 20:17:12 -05:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 23, 2020):

Sounds like a bug (or maybe several)

My suspicion is that the seed mode flag stays in fast resume and it overrides all other errors when torrent is resumed/ client restarted.

@ghost commented on GitHub (Feb 23, 2020): > Sounds like a bug (or maybe several) My suspicion is that the seed mode flag stays in fast resume and it overrides all other errors when torrent is resumed/ client restarted.
deekerman commented 2026-02-21 20:17:13 -05:00
Author
Owner
Copy link

@arvidn commented on GitHub (Feb 28, 2020):

I would encourage anyone with first hand knowledge about this problem to file a ticket against libtorrent describing the issue(s).

@arvidn commented on GitHub (Feb 28, 2020): I would encourage anyone with first hand knowledge about this problem to file a ticket against libtorrent describing the issue(s).
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
v5_2_x
v5_1_x
debian
v5_0_x
v4_6_x
v4_5_x
v4_4_x
v4_3_x
v4_2_x
v4_1_x
v4_0_x
v3_3_x
v3_2_x
v3_1_x
v3_0_x
search_encoding_windows
v2_9_x
release-5.1.4
release-5.1.3
release-5.1.2
release-5.1.1
release-5.1.0
release-5.0.5
release-5.0.4
release-5.1.0rc1
release-5.1.0beta1
release-5.0.3
release-5.0.2
release-5.0.1
release-5.0.0
release-4.6.7
release-5.0.0rc1
release-4.6.6
release-4.6.5
release-4.6.4
release-5.0.0beta1
release-4.6.3
release-4.6.2
release-4.6.1
release-4.6.0
release-4.6.0rc2
release-4.5.5
release-4.6.0rc1
release-4.6.0beta1
release-4.5.4
release-4.6.0alpha1
release-4.5.3
release-4.5.2
release-4.5.1
release-4.5.0
release-4.5.0beta1
release-4.4.5
release-4.4.4
release-4.4.3.1
release-4.4.3
release-4.4.2
release-4.4.1
release-4.4.0
release-4.3.9
release-4.4.0rc1
release-4.3.8
release-4.4.0beta3
release-4.3.7
release-4.4.0beta2
release-4.4.0beta1
release-4.3.6
release-4.3.5
release-4.3.4.1
release-4.3.4
release-4.3.3
release-4.3.2
release-4.3.1
release-4.3.0.1
release-4.3.0
release-4.2.5
release-4.2.4
release-4.2.3
release-4.2.2
release-4.2.1
release-4.2.0
release-4.1.9.1
release-4.1.9
release-4.1.8
release-4.1.7
release-4.1.6
release-4.1.5
release-4.1.4
release-4.1.3
release-4.1.2
release-4.1.1
release-4.1.0
release-4.0.4
release-4.0.3
release-4.0.2
release-4.0.1
release-4.0.0
release-3.3.16
release-3.3.15
release-3.3.14
release-3.3.13
release-3.3.12
release-3.3.11
release-3.3.10
release-3.3.9
release-3.3.8
release-3.3.7
release-3.3.6
release-3.3.5
release-3.3.4
release-3.3.3
release-3.3.2
release-3.3.1
release-3.3.0
release-3.2.5
release-3.2.4
release-3.2.3
release-3.2.2
release-3.2.1
release-3.2.0
release-3.1.12
release-3.1.11
release-3.1.10
release-3.1.9.2
release-3.1.9.1
release-3.1.9
release-3.1.8
release-3.1.7
release-3.1.6
release-3.1.5
release-3.1.4
release-3.1.3
release-3.1.2
release-3.1.1
release-3.1.0
release-3.0.11
release-3.0.10
release-3.0.9
release-3.0.8
release-3.0.7
release-3.0.6
release-3.0.5
release-3.0.4
release-3.0.3
release-3.0.2
release-3.0.1
release-3.0.0
release-2.9.11
release-2.9.10
release-2.9.9
release-2.9.8
release-2.9.7
release-2.9.6
release-2.9.5
release-2.9.4
release-2.9.3
release-2.9.0
release-2.8.5
release-2.8.4
release-2.8.3
release-2.8.2
release-2.7.1
release-2.7.0
release-2.6.9
release-2.6.8
release-2.6.7
release-2.6.5
release-2.6.4
release-2.6.3
release-2.6.2
release-2.6.1
release-2.6.0
release-2.5.5
release-2.5.4
release-2.5.3
release-2.5.2
release-2.5.0
release-2.5.0rc1
release-2.4.11
release-2.5.0beta6
release-2.5.0beta5
release-2.5.0beta3
release-2.4.10
release-2.4.8
release-2.5.0beta2
release-2.5.0beta1
release-2.4.6
release-2.4.4
release-2.4.2
release-2.4.0
release-2.4.0rc3
release-2.4.0rc1
release-2.4.0beta3
release-2.4.0beta1
release-2.3.1
release-2.3.0
release-2.3.0rc6
release-2.2.11
release-2.3.0rc5
release-2.2.10
release-2.2.9
release-2.2.8
release-2.2.6
release-2.2.5
release-2.2.3
release-2.2.2
release-2.2.1
release-2.2.0
release-2.1.6
release-2.1.4
release-2.1.2
release-2.1.1
release-2.1.0
release-2.0.7
release-2.0.6
release-2.0.5
release-2.0.3
release-2.0.2
release-2.0.0
release-2.0.0rc6
release-2.0.0rc2
release-1.5.6
release-1.5.4
release-1.5.3
release-1.5.0
release-1.5.0rc5
release-1.5.0rc4
release-1.5.0rc3
release-1.5.0rc1
release-1.5.0beta4
release-1.5.0beta3
release-1.5.0beta2
release-1.5.0beta1
release-1.4.1
release-1.4.0
release-1.4.0rc2
release-1.4.0rc1
release-1.3.5
release-1.4.0beta3
release-1.3.4
release-1.3.3
release-1.3.1
release-1.3.0
release-1.2.1
release-1.2.0rc1
release-1.2.0beta6
release-1.1.4
release-1.2.0beta5
release-1.1.3
release-1.2.0beta3
release-1.1.2
release-1.2.0beta2
release-1.1.1
release-1.2.0beta1
release-1.1.0
release-1.1.0rc2
release-1.1.0rc1
release-1.1.0beta3
release-1.1.0beta2
release-1.0.0
release-1.0.0rc11
release-1.0.0rc10
release-1.0.0rc9
release-1.0.0rc8
release-1.0.0rc7
release-1.0.0rc6
release-1.0.0rc5
release-1.0.0rc4
release-1.0.0rc3
release-0.9.3
release-0.9.2
Labels
Clear labels   
Accessibility

   
AppImage

   
Bounty

   
Build system

   
CI

   
Can't reproduce

   
Code cleanup

   
Confirmed bug

   
Confirmed bug

   
Core

   
Crash

   
Data loss

   
Discussion

   
Docker

   
Documentation

   
Duplicate

   
Feature

   
Feature request

   
Feature request

   
Feature request

   
Filters

   
Flatpak

   
GUI

   
Has workaround

   
I2P

   
Invalid

   
Libtorrent

   
Look and feel

   
Meta

   
NSIS

   
Network

   
Not an issue

   
OS: *BSD

   
OS: Linux

   
OS: Windows

   
OS: macOS

   
PPA

   
Performance

   
Project management

   
Proxy/VPN

   
Qt bugs

   
Qt6 compat

   
RSS

   
Search engine

   
Security

   
Temp folder

   
Themes

   
Translations

   
Triggers

   
Waiting diagnosis

   
Waiting info

   
Waiting upstream

   
Waiting web implementation

   
Watched folders

   
WebAPI

   
WebUI

   
autoCloseOldIssue
No labels
Accessibility
AppImage
Bounty
Build system
CI
Can't reproduce
Code cleanup
Confirmed bug
Confirmed bug
Core
Crash
Data loss
Discussion
Docker
Documentation
Duplicate
Feature
Feature request
Feature request
Feature request
Filters
Flatpak
GUI
Has workaround
I2P
Invalid
Libtorrent
Look and feel
Meta
NSIS
Network
Not an issue
OS: *BSD
OS: Linux
OS: Windows
OS: macOS
PPA
Performance
Project management
Proxy/VPN
Qt bugs
Qt6 compat
RSS
Search engine
Security
Temp folder
Themes
Translations
Triggers
Waiting diagnosis
Waiting info
Waiting upstream
Waiting web implementation
Watched folders
WebAPI
WebUI
autoCloseOldIssue
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/qBittorrent#9616
No description provided.