Moode Forum
Upcoming moOde 9.1.0 release - Printable Version



RE: Upcoming moOde 9.1.0 release - kurt1970 - 09-13-2024

By playing with sudo apt-get update etc., I've had 9.1.0 on my instance for 3 or 4 days, playing +12h/day. It seems to behave.


RE: Upcoming moOde 9.1.0 release - Tim Curtis - 09-13-2024

Try the test image I just posted yesterday. It includes the new XSS detection.


RE: Upcoming moOde 9.1.0 release - TheOldPresbyope - 09-13-2024

So with XSS detection enabled, I regenerated the library using my modest collection of ca. 600 albums. Got several dozen hits based on detection of "<", "(", and "=".

Examples:


Code:
20240913 132330 SECCHK: XSS character detected: tag|value: Composer|<Various Composers>
...
20240913 132330 SECCHK: XSS command detected: tag|value: Title|Marguerite (Albumblatt) for violin & piano (transcription of work by Rachmaninov)
...
20240913 132330 SECCHK: XSS character detected: tag|value: Title|Let X=X
...
20240913 132330 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
...


All in all, detection and reporting seems to be working (though calling out Laurie Anderson for her iconic Let x=x just feels so wrong<grin>).

Still, from a system perspective, the more important part of your recent security changes is the tightening of the webUI code. Too bad it's invisible to the casual user but it is definitely an improvement.

Regards,
Kent


RE: Upcoming moOde 9.1.0 release - Tim Curtis - 09-13-2024

(09-13-2024, 05:58 PM)TheOldPresbyope Wrote: So with XSS detection enabled, I regenerated the library using my modest collection of ca. 600 albums. Got several dozen hits based on detection of "<", "(", and "=".

Examples:


Code:
20240913 132330 SECCHK: XSS character detected: tag|value: Composer|<Various Composers>
...
20240913 132330 SECCHK: XSS command detected: tag|value: Title|Marguerite (Albumblatt) for violin & piano (transcription of work by Rachmaninov)
...
20240913 132330 SECCHK: XSS character detected: tag|value: Title|Let X=X
...
20240913 132330 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
...


All in all, detection and reporting seems to be working (though calling out Laurie Anderson for her iconic Let x=x just feels so wrong<grin>).

Still, from a system perspective, the more important part of your recent security changes is the tightening of the webUI code. Too bad it's invisible to the casual user but it is definitely an improvement.

Regards,
Kent

Parentheses are not part of the regex, but 'script' is an XSS command. It's in the word 'transcription'. I'll have to refine the XSS command detection so that normal words don't trigger detection.
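
The false positive discussed in the posts above, as an added example that is not part of the thread and is not moOde's code: a substring-style check flags 'transcription' as a command, while a check that requires the keyword to sit in markup-shaped context does not. Both regexes, the keyword lists and the function names are assumptions made for illustration; the first four sample values come from the log lines quoted above and the fifth is constructed.

```python
import html
import re

# Constructed sample: tag|value pairs taken from the log lines quoted in the
# thread, plus one constructed value that really is markup.
SAMPLES = [
    ("Composer", "<Various Composers>"),
    ("Title", "Marguerite (Albumblatt) for violin & piano "
              "(transcription of work by Rachmaninov)"),
    ("Title", "Let X=X"),
    ("Comment", "fre:ac - free audio converter <https://www.freac.org/>"),
    ("Title", "<script>alert(1)</script>"),  # constructed, not from the thread
]

# Assumed stand-in for a substring-style check (not moOde's actual regex).
NAIVE_COMMANDS = re.compile(r"script|onload|onerror", re.IGNORECASE)
NAIVE_CHARS = re.compile(r"[<=]")

# Refined (assumed): a keyword only counts inside something shaped like markup.
REFINED = re.compile(
    r"<\s*/?\s*(script|iframe|img|svg)\b"   # opening/closing tag name
    r"|\bjavascript\s*:"                     # javascript: URL scheme
    r"|<[^>]*\bon\w+\s*=",                   # event-handler attribute in a tag
    re.IGNORECASE,
)

def naive_hit(value):
    """Return 'command', 'character' or None, substring-style."""
    if NAIVE_COMMANDS.search(value):
        return "command"
    if NAIVE_CHARS.search(value):
        return "character"
    return None

def refined_hit(value):
    """True only when the value contains a markup-shaped construct."""
    return REFINED.search(value) is not None

def render_safe(value):
    """Output encoding: what keeps a tag value inert when written into HTML."""
    return html.escape(value, quote=True)

if __name__ == "__main__":
    for tag, value in SAMPLES:
        print(f"{tag}|{value}\n  naive={naive_hit(value)} "
              f"refined={refined_hit(value)} html={render_safe(value)}")
```

Detection of this kind only reports suspicious tags; encoding the value at output time, as in `render_safe`, is what makes a tag like `<Various Composers>` harmless regardless of what the detector decides.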


RE: Upcoming moOde 9.1.0 release - Sehnsucht - 09-13-2024

One thing I do is simply to remove all flac tags except for those I actively set/use. I run this against every file:

Code:
metaflac --show-tag DATE --show-tag TITLE --show-tag GENRE --show-tag ARTIST --show-tag ALBUM --show-tag TRACKNUMBER --show-tag DISCNUMBER "$1" | metaflac --remove-all-tags --import-tags-from=- "$1"



RE: Upcoming moOde 9.1.0 release - TheOldPresbyope - 09-14-2024

@Tim Curtis 

By the way, are you contemplating bumping to upmpdcli-v1.8.16 with its updated Tidal plugin?

Regards,
Kent


RE: Upcoming moOde 9.1.0 release - Tim Curtis - 09-14-2024

I'll look into it.


RE: Upcoming moOde 9.1.0 release - Tim Curtis - 09-14-2024

@bitlab just uploaded new upmpdcli packages to the CS repo.

Run the commands below to install then reboot.
Code:
# Bump upmpdcli
sudo apt update && apt list --upgradable
sudo moode-apt-mark unhold
sudo apt -y install libnpupnp13=6.2.0-1moode1
sudo apt -y install libupnpp16=0.26.7-1moode1
sudo apt -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install upmpdcli=1.8.16-1moode1



RE: Upcoming moOde 9.1.0 release - TheOldPresbyope - 09-14-2024

(09-14-2024, 12:51 PM)Tim Curtis Wrote: @bitlab just uploaded new upmpdcli packages to the CS repo.

Run the commands below to install then reboot.
Code:
# Bump upmpdcli
sudo apt update && apt list --upgradable
sudo moode-apt-mark unhold
sudo apt -y install libnpupnp13=6.2.0-1moode1
sudo apt -y install libupnpp16=0.26.7-1moode1
sudo apt -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install upmpdcli=1.8.16-1moode1

Nice. I cheated when I tried the Tidal plugin recently and ignored the updated libraries. Hats off to @bitlab for doing the job right.

Regards,
Kent


RE: Upcoming moOde 9.1.0 release - Tim Curtis - 09-14-2024

(09-14-2024, 01:09 PM)TheOldPresbyope Wrote:
(09-14-2024, 12:51 PM)Tim Curtis Wrote: @bitlab just uploaded new upmpdcli packages to the CS repo.

Run the commands below to install then reboot.
Code:
# Bump upmpdcli
sudo apt update && apt list --upgradable
sudo moode-apt-mark unhold
sudo apt -y install libnpupnp13=6.2.0-1moode1
sudo apt -y install libupnpp16=0.26.7-1moode1
sudo apt -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install upmpdcli=1.8.16-1moode1

Nice. I cheated when I tried the Tidal plugin recently and ignored the updated libraries. Hats off to @bitlab for doing the job right.

Regards,
Kent

Are you able to test the updated Tidal plugin?

IIRC configuring it was kind of involved...