09-12-2024, 02:16 PM
(This post was last modified: 09-12-2024, 04:21 PM by Tim Curtis. Edit Reason: eta relnotes)
Here are the latest WIP release notes.
I added an important new Security feature to detect / mitigate any cross-site scripting (XSS) code that may be embedded in music file metadata.
Mitigation consists of:
1. Filtering metadata via PHP htmlspecialchars(), which converts < > = etc. to HTML entities (for example < becomes &lt;), thus preventing execution of strings like <script>
2. Converting various JavaScript statements that render .html() to instead render .text()
3. Providing an XSS detect option that scans metadata during the process that generates the library tag cache and logs files / tags that contain either XSS commands or characters.
XSS detection logging showing files and tags containing characters that can be used in malicious XSS. In this example, using one of my test/debug collections, there is no XSS code in the tags, but rather harmless text strings containing < > or =.
Code:
20240912 075414 worker: loadLibrary(): Start libcache generation
20240912 075414 worker: loadLibrary(): XSS detection on
20240912 075414 SECCHK: XSS character detected: tag|value: Title|Dark Star>
20240912 075414 SECCHK: File: USB/VFAT64/Test/1-2-1970/Grateful Dead - Dark Star].flac
20240912 075414 SECCHK: XSS character detected: tag|value: Title|St. Stephen>
20240912 075414 SECCHK: File: USB/VFAT64/Test/1-2-1970/Grateful Dead - St. Stephen].flac
20240912 075414 SECCHK: XSS character detected: tag|value: Title|The Eleven>
20240912 075414 SECCHK: File: USB/VFAT64/Test/1-2-1970/Grateful Dead - The Eleven].flac
20240912 075414 SECCHK: XSS character detected: tag|value: Title|That's It For The Other One (I. Cryptical Envelopment - II. Drums - III. The Other One - IV. Cryptical Envelopment) >
20240912 075414 SECCHK: File: USB/VFAT64/Test/1-2-1970/Grateful Dead - That's It For The Other One (I. Cryptical Envelopment - II. Drums - III. The Other One - IV. Cryptical Envelopment) ].flac
20240912 075414 SECCHK: XSS character detected: tag|value: Title|China Cat Sunflower >
20240912 075414 SECCHK: File: USB/VFAT64/Test/1-2-1970/Grateful Dead - China Cat Sunflower ].flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|https://www.youtube.com/watch?v=YnK66zxJpR0
20240912 075414 SECCHK: File: USB/VFAT64/Test/eusi/YUNGBLUD - ice cream man (Official Audio) (128kbit_AAC).m4a
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/01 - Hozier - Take Me To Church.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/02 - Hozier - Angel Of Small Death And The Codeine Scene.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/03 - Hozier - Jackie And Wilson.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/04 - Hozier - Someone New.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/05 - Hozier - To Be Alone.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/06 - Hozier - From Eden.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/07 - Hozier - In A Week [Featuring COWLEY Karen].flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/08 - Hozier - Sedated.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/09 - Hozier - Work Song.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/10 - Hozier - Like Real People Do.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/11 - Hozier - It Will Come Back.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/12 - Hozier - Foreigner's God.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/13 - Hozier - Cherry Wine (Live).flac
20240912 075414 SECCHK: XSS character detected: tag|value: AlbumArtist|<various>
20240912 075414 SECCHK: File: USB/VFAT64/Test/jelinj8/01_Beyond The Century.mp3
20240912 075414 SECCHK: XSS character detected: tag|value: Artist|<various
20240912 075414 SECCHK: File: USB/VFAT64/Test/jelinj8/02_Adiemus.mp3
20240912 075414 SECCHK: XSS character detected: tag|value: AlbumArtist|>
20240912 075414 SECCHK: File: USB/VFAT64/Test/jelinj8/02_Adiemus.mp3
20240912 075414 SECCHK: XSS character detected: tag|value: Artist|<>
20240912 075414 SECCHK: File: USB/VFAT64/Test/jelinj8/03_Cantus Inaequalis.mp3
20240912 075414 SECCHK: XSS character detected: tag|value: Album|</3
20240912 075414 SECCHK: File: USB/VFAT64/Test/the_bertrum/Julia-Sophie - 3/Julia-Sophie - -3 - 01 and you know it.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Album|</3
20240912 075414 SECCHK: File: USB/VFAT64/Test/the_bertrum/Julia-Sophie - 3/Julia-Sophie - -3 - 02 cctv.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Album|</3
20240912 075414 SECCHK: File: USB/VFAT64/Test/the_bertrum/Julia-Sophie - 3/Julia-Sophie - -3 - 03 i wish.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Album|</3
20240912 075414 SECCHK: File: USB/VFAT64/Test/the_bertrum/Julia-Sophie - 3/Julia-Sophie - -3 - 04 love let you down.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Title|The Time Warp (Music-1 = Background Track + U Mix)
20240912 075414 SECCHK: File: USB/VFAT64/Test/Tony Diaz/Original Soundtrack (Disc 1)/16 The Time Warp (Music-1 = Background Track + U Mix).m4a
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Wheel_nut/The Rolling Stones - Hot Rocks, 1964-1971/01 - The Rolling Stones - Jumpin_ Jack Flash.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Wheel_nut/The Rolling Stones - Hot Rocks, 1964-1971/02 - The Rolling Stones - Street Fighting Man.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Wheel_nut/The Rolling Stones - Hot Rocks, 1964-1971/03 - The Rolling Stones - Sympathy For The Devil.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Wheel_nut/The Rolling Stones - Hot Rocks, 1964-1971/04 - The Rolling Stones - Honky Tonk Women.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Wheel_nut/The Rolling Stones - Hot Rocks, 1964-1971/05 - The Rolling Stones - Gimme Shelter.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Wheel_nut/The Rolling Stones - Hot Rocks, 1964-1971/06 - The Rolling Stones - Midnight Rambler (Live).flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Wheel_nut/The Rolling Stones - Hot Rocks, 1964-1971/07 - The Rolling Stones - You Can_t Always Get What You Want.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Wheel_nut/The Rolling Stones - Hot Rocks, 1964-1971/08 - The Rolling Stones - Brown Sugar.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Wheel_nut/The Rolling Stones - Hot Rocks, 1964-1971/09 - The Rolling Stones - Wild Horses.flac
20240912 075417 worker: loadLibrary(): End libcache generation
The XSS issue was raised by Git user @n3bojs4. Link below.
https://github.com/moode-player/moode/issues/680
Relnotes
Code:
################################################################################
#
# 2024-MM-DD moOde 9.1.0 (Bookworm)
#
################################################################################
Security
- UPD: Filter SQL variables for unwanted characters and commands
- UPD: Filter music file metadata for unwanted Cross-site scripting (XSS)
Packages
- Bump to Linux kernel 6.6.47
- Bump to camillagui 2.1.0
- Bump to shairport-sync 4.3.4
Updates
- UPD: Add Bluetooth CODEC to Source format line in Audio Info
- UPD: Add CSS media query for 1560x720 ultrawide resolution
- UPD: Add AP fallback option to Spotify Config
- UPD: Add webp mime type to Coverart extractor and Thumbnail generator
- UPD: Change Spotify Connect initial_volume to min 5 (from 0)
- UPD: Change Radio station 200px thumbs to native resolution of main image
- UPD: Change to 600px default for Radio and Playlist view thumbs
- UPD: Improve spacing on alphabet index to avoid scrollbar highlight
- UPD: Improve set_volume REST API to include Multiroom receivers
- UPD: Move USB volknob and Rotary encoder settings to Peripheral Config
Audio devices
- ADD: IanCanada I2S entries
- ADD: HifiBerry DAC8x
Bug fixes
- FIX: Cardnum 0 always used in chip options config
- FIX: Unnecessary query for 'inpactive' in chkBtActive()
- FIX: USB volume knob and Rotary encoder settings missing from backup/restore
- FIX: CamillaDSP quick convolution crashing due to invalid ';' delimiter
- FIX: CamillaDSP crashing due to empty 'mixers' array in config
- FIX: Volume 0 not being set for renderer active reset during startup
- FIX: Secchk not excluding qobuzpass variable
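As an added example that is not moOde's code, the Node.js script below shows the two parts of the mitigation described in the post that can run outside a browser: an escape function with the same default conversion set as PHP's htmlspecialchars(), and a scanner that emits SECCHK-style lines in the format of the log above for tag values containing < > or = or an obvious script/handler pattern. The sample library records, the "evil" file and the list of command patterns are constructed for this example and are assumptions; moOde's own detector may use different patterns. Note that htmlspecialchars() converts & " ' < > by default and leaves = untouched, which is one reason a separate scan that also flags = is worth having.

```javascript
// Added example (not moOde's code): escape metadata the way PHP's
// htmlspecialchars() does, and scan tag values for XSS characters/commands,
// emitting SECCHK-style lines modelled on the log in the post.

// PHP htmlspecialchars() default set (ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401):
// & " ' < >   ('=' is NOT in the default set).
const HTML_ENTITIES = { '&': '&amp;', '"': '&quot;', "'": '&#039;', '<': '&lt;', '>': '&gt;' };

function htmlSpecialChars(value) {
  return String(value).replace(/[&"'<>]/g, (ch) => HTML_ENTITIES[ch]);
}

// Characters the post's detector treats as XSS-capable: < > =
const XSS_CHARS = /[<>=]/;

// Assumed "XSS command" patterns (chosen for this example, not moOde's list):
// common tag openers, javascript: URLs and inline event handlers. Deliberately
// broad; a benign title such as "Hold on = yes" would also be flagged.
const XSS_COMMANDS = /<\s*\/?\s*(script|img|svg|iframe|object|embed)\b|javascript\s*:|\bon[a-z]+\s*=/i;

// 'command' beats 'character' so a real payload is labelled as such.
function classifyTag(value) {
  if (XSS_COMMANDS.test(value)) return 'command';
  if (XSS_CHARS.test(value)) return 'character';
  return null;
}

// Returns SECCHK lines for one file; [] when every tag is clean.
function scanFile(file, tags) {
  const lines = [];
  for (const [tag, value] of Object.entries(tags)) {
    const kind = classifyTag(value);
    if (kind === null) continue;
    lines.push(`SECCHK: XSS ${kind} detected: tag|value: ${tag}|${value}`);
    lines.push(`SECCHK: File: ${file}`);
  }
  return lines;
}

function scanLibrary(library) {
  return library.flatMap(({ file, tags }) => scanFile(file, tags));
}

// Escape every tag value before it is stored in the tag cache / sent to the UI.
function sanitizeTags(tags) {
  const out = {};
  for (const [tag, value] of Object.entries(tags)) out[tag] = htmlSpecialChars(value);
  return out;
}

// Constructed sample library: two benign hits like those in the post's log,
// one genuinely malicious title (constructed), and one clean file.
const SAMPLE_LIBRARY = [
  { file: 'USB/VFAT64/Test/1-2-1970/Grateful Dead - Dark Star].flac',
    tags: { Title: 'Dark Star>', Artist: 'Grateful Dead' } },
  { file: 'USB/VFAT64/Test/Hozier - Hozier/01 - Hozier - Take Me To Church.flac',
    tags: { Title: 'Take Me To Church', Comment: 'fre:ac - free audio converter <https://www.freac.org/>' } },
  { file: 'USB/VFAT64/Test/evil/track.mp3',
    tags: { Title: '<script>fetch("/evil?c="+document.cookie)</script>', Artist: 'x' } },
  { file: 'USB/VFAT64/Test/clean/track.flac',
    tags: { Title: 'Wild Horses', Artist: 'The Rolling Stones' } },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const line of scanLibrary(SAMPLE_LIBRARY)) console.log(line);
  // The escaped payload: &lt;script&gt;... which a browser shows as plain text.
  console.log(sanitizeTags(SAMPLE_LIBRARY[2].tags).Title);
}
```

Run it with node: the benign fre:ac comment and the "Dark Star>" title produce "XSS character detected" lines exactly like the log above, while the constructed <script> title is reported as an "XSS command". On the rendering side, jQuery's .text() sets the element's text content and never parses markup, so it is the safer sink on its own; if a value has already been passed through htmlspecialchars() and is then inserted with .text(), the entities are displayed verbatim (&lt; instead of <), so pick one defence per sink rather than stacking both on the same string.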