Upcoming moOde 9.1.0 release

[Tim Curtis]

Hi,

Here are the WIP release notes for upcoming moOde 9.1.0 release.

Included in this release are a nice Linux kernel upgrade from the Raspberry Pi engineers that includes many fixes and improvements, security against SQL injection attack, convenient entries for IanCanada audio devices, cosmetic and functional updates including a bump to camillagui from @bitlab and some important bug fixes.

Code:

################################################################################
#
# 2024-MM-DD moOde 9.1.0 (Bookworm)
#
################################################################################

Security

- UPD: Filter SQL variables for unwanted characters and commands

Packages

- Bump to Linux kernel 6.6.47
- Bump to camillagui 2.1.0-1moode1

Updates

- UPD: Add Bluetooth CODEC to Source format line in Audio Info
- UPD: Add CSS media query for 1560x720 ultrawide resolution
- UPD: Add AP fallback option to Spotify Config
- UPD: Move USB volknob and Rotary encoder settings to Peripheral Config
- UPD: Improve spacing on alphabet index to avoid scrollbar highlight
- UPD: Update Spotify Connect initial_volume to min 5 (from 0)

Audio devices

- ADD: IanCanada I2S entries
- ADD: HifiBerry DAC8x

Bug fixes

- FIX: Cardnum 0 always used in chip options config
- FIX: Unnecessary query for 'inpactive' in chkBtActive()
- FIX: USB volume knob and Rotary encoder settings missing from backup/restore
- FIX: CamillaDSP quick convolution crashing due to invalid ';' delimiter
- FIX: CamillaDSP crashing due to empty 'mixers' array in config
- FIX: Volume 0 not being set for renderer active reset during startup

[Tim Curtis]

I'll also include the new 4.3.4 version of shairport-sync.
https://github.com/mikebrady/shairport-s.../tag/4.3.4

[Tim Curtis]

Here are the latest WIP release notes.

- Added new version of shairport-sync
- Change radio thumbs from 200px to native size of main covers
- Use 600px as default for new Radio and Plays thumbs
- Fix security check exception for Quobuz password

Code:

################################################################################
#
# 2024-MM-DD moOde 9.1.0 (Bookworm)
#
################################################################################

Security

- UPD: Filter SQL variables for unwanted characters and commands

Packages

- Bump to Linux kernel 6.6.47
- Bump to camillagui 2.1.0
- Bump to shairport-sync 4.3.4

Updates

- UPD: Add Bluetooth CODEC to Source format line in Audio Info
- UPD: Add CSS media query for 1560x720 ultrawide resolution
- UPD: Add AP fallback option to Spotify Config
- UPD: Add webp mime type to Coverart extractor and Thumbnail generator
- UPD: Change Spotify Connect initial_volume to min 5 (from 0)
- UPD: Change Radio station 200px thumbs to native resolution of main image
- UPD: Change to 600px default for Radio and Playlist view thumbs
- UPD: Improve spacing on alphabet index to avoid scrollbar highlight
- UPD: Move USB volknob and Rotary encoder settings to Peripheral Config

Audio devices

- ADD: IanCanada I2S entries
- ADD: HifiBerry DAC8x

Bug fixes

- FIX: Cardnum 0 always used in chip options config
- FIX: Unnecessary query for 'inpactive' in chkBtActive()
- FIX: USB volume knob and Rotary encoder settings missing from backup/restore
- FIX: CamillaDSP quick convolution crashing due to invalid ';' delimiter
- FIX: CamillaDSP crashing due to empty 'mixers' array in config
- FIX: Volume 0 not being set for renderer active reset during startup
- FIX: Secchk not excluding qobuzpass variable

[Tim Curtis]

Here are the latest WIP release notes.

I added an important new Security feature to detect / mitigate any Cross-site script code that may be embedded in music file metatdata. 

Mitigation consists of:
1. Filtering metadata via PHP htmlspecialchars() which converts < > = etc to HTML entities for example &lt; thus preventing execution of strings like <script>
2. Converting various Javascript statements that render .html() to instead render .text()
3. Providing an XSS detect option that scans metadata during the process that generates the library tag cache and logs files / tags that contain either XSS commands or characters.

       

XSS detection logging showing files and tags containing characters that can be used in malicious XSS. In this example using one of my test/debug collections there is no XSS code in the tags but rather harmless text strings containing < > or =

Code:

20240912 075414 worker: loadLibrary(): Start libcache generation
20240912 075414 worker: loadLibrary(): XSS detection on
20240912 075414 SECCHK: XSS character detected: tag|value: Title|Dark Star>
20240912 075414 SECCHK: File: USB/VFAT64/Test/1-2-1970/Grateful Dead - Dark Star].flac
20240912 075414 SECCHK: XSS character detected: tag|value: Title|St. Stephen>
20240912 075414 SECCHK: File: USB/VFAT64/Test/1-2-1970/Grateful Dead - St. Stephen].flac
20240912 075414 SECCHK: XSS character detected: tag|value: Title|The Eleven>
20240912 075414 SECCHK: File: USB/VFAT64/Test/1-2-1970/Grateful Dead - The Eleven].flac
20240912 075414 SECCHK: XSS character detected: tag|value: Title|That's It For The Other One (I. Cryptical Envelopment - II. Drums - III. The Other One - IV. Cryptical Envelopment) >
20240912 075414 SECCHK: File: USB/VFAT64/Test/1-2-1970/Grateful Dead - That's It For The Other One (I. Cryptical Envelopment - II. Drums - III. The Other One - IV. Cryptical Envelopment) ].flac
20240912 075414 SECCHK: XSS character detected: tag|value: Title|China Cat Sunflower >
20240912 075414 SECCHK: File: USB/VFAT64/Test/1-2-1970/Grateful Dead - China Cat Sunflower ].flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|https://www.youtube.com/watch?v=YnK66zxJpR0
20240912 075414 SECCHK: File: USB/VFAT64/Test/eusi/YUNGBLUD - ice cream man (Official Audio) (128kbit_AAC).m4a
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/01 - Hozier - Take Me To Church.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/02 - Hozier - Angel Of Small Death And The Codeine Scene.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/03 - Hozier - Jackie And Wilson.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/04 - Hozier - Someone New.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/05 - Hozier - To Be Alone.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/06 - Hozier - From Eden.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/07 - Hozier - In A Week [Featuring COWLEY Karen].flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/08 - Hozier - Sedated.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/09 - Hozier - Work Song.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/10 - Hozier - Like Real People Do.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/11 - Hozier - It Will Come Back.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/12 - Hozier - Foreigner's God.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Hozier - Hozier/13 - Hozier - Cherry Wine (Live).flac
20240912 075414 SECCHK: XSS character detected: tag|value: AlbumArtist|<various>
20240912 075414 SECCHK: File: USB/VFAT64/Test/jelinj8/01_Beyond The Century.mp3
20240912 075414 SECCHK: XSS character detected: tag|value: Artist|<various
20240912 075414 SECCHK: File: USB/VFAT64/Test/jelinj8/02_Adiemus.mp3
20240912 075414 SECCHK: XSS character detected: tag|value: AlbumArtist|>
20240912 075414 SECCHK: File: USB/VFAT64/Test/jelinj8/02_Adiemus.mp3
20240912 075414 SECCHK: XSS character detected: tag|value: Artist|<>
20240912 075414 SECCHK: File: USB/VFAT64/Test/jelinj8/03_Cantus Inaequalis.mp3
20240912 075414 SECCHK: XSS character detected: tag|value: Album|</3
20240912 075414 SECCHK: File: USB/VFAT64/Test/the_bertrum/Julia-Sophie - 3/Julia-Sophie - -3 - 01 and you know it.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Album|</3
20240912 075414 SECCHK: File: USB/VFAT64/Test/the_bertrum/Julia-Sophie - 3/Julia-Sophie - -3 - 02 cctv.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Album|</3
20240912 075414 SECCHK: File: USB/VFAT64/Test/the_bertrum/Julia-Sophie - 3/Julia-Sophie - -3 - 03 i wish.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Album|</3
20240912 075414 SECCHK: File: USB/VFAT64/Test/the_bertrum/Julia-Sophie - 3/Julia-Sophie - -3 - 04 love let you down.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Title|The Time Warp (Music-1 = Background Track + U Mix)
20240912 075414 SECCHK: File: USB/VFAT64/Test/Tony Diaz/Original Soundtrack (Disc 1)/16 The Time Warp (Music-1 = Background Track + U Mix).m4a
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Wheel_nut/The Rolling Stones - Hot Rocks, 1964-1971/01 - The Rolling Stones - Jumpin_ Jack Flash.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Wheel_nut/The Rolling Stones - Hot Rocks, 1964-1971/02 - The Rolling Stones - Street Fighting Man.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Wheel_nut/The Rolling Stones - Hot Rocks, 1964-1971/03 - The Rolling Stones - Sympathy For The Devil.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Wheel_nut/The Rolling Stones - Hot Rocks, 1964-1971/04 - The Rolling Stones - Honky Tonk Women.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Wheel_nut/The Rolling Stones - Hot Rocks, 1964-1971/05 - The Rolling Stones - Gimme Shelter.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Wheel_nut/The Rolling Stones - Hot Rocks, 1964-1971/06 - The Rolling Stones - Midnight Rambler (Live).flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Wheel_nut/The Rolling Stones - Hot Rocks, 1964-1971/07 - The Rolling Stones - You Can_t Always Get What You Want.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Wheel_nut/The Rolling Stones - Hot Rocks, 1964-1971/08 - The Rolling Stones - Brown Sugar.flac
20240912 075414 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
20240912 075414 SECCHK: File: USB/VFAT64/Test/Wheel_nut/The Rolling Stones - Hot Rocks, 1964-1971/09 - The Rolling Stones - Wild Horses.flac
20240912 075417 worker: loadLibrary(): End libcache generation

The XSS issue was raised by Git user @n3bojs4. Link below.
https://github.com/moode-player/moode/issues/680

Relnotes

Code:

################################################################################
#
# 2024-MM-DD moOde 9.1.0 (Bookworm)
#
################################################################################

Security

- UPD: Filter SQL variables for unwanted characters and commands
- UPD: Filter music file metadata for unwanted Cross-site scripting (XSS)

Packages

- Bump to Linux kernel 6.6.47
- Bump to camillagui 2.1.0
- Bump to shairport-sync 4.3.4

Updates

- UPD: Add Bluetooth CODEC to Source format line in Audio Info
- UPD: Add CSS media query for 1560x720 ultrawide resolution
- UPD: Add AP fallback option to Spotify Config
- UPD: Add webp mime type to Coverart extractor and Thumbnail generator
- UPD: Change Spotify Connect initial_volume to min 5 (from 0)
- UPD: Change Radio station 200px thumbs to native resolution of main image
- UPD: Change to 600px default for Radio and Playlist view thumbs
- UPD: Improve spacing on alphabet index to avoid scrollbar highlight
- UPD: Improve set_volume REST API to include Multiroom receivers
- UPD: Move USB volknob and Rotary encoder settings to Peripheral Config

Audio devices

- ADD: IanCanada I2S entries
- ADD: HifiBerry DAC8x

Bug fixes

- FIX: Cardnum 0 always used in chip options config
- FIX: Unnecessary query for 'inpactive' in chkBtActive()
- FIX: USB volume knob and Rotary encoder settings missing from backup/restore
- FIX: CamillaDSP quick convolution crashing due to invalid ';' delimiter
- FIX: CamillaDSP crashing due to empty 'mixers' array in config
- FIX: Volume 0 not being set for renderer active reset during startup
- FIX: Secchk not excluding qobuzpass variable

[TheOldPresbyope]

Nice work on tightening security, Tim!

Regards,
Kent

[Tim Curtis]

I'm making a test image today and will post a link to the Test Team. It would prolly be useful to test the XSS feature against more collections. My main collection which was made exclusively from CD rips and a few trustworthy files from others doesn't throw any SECCHK entries in the log.

I've done some searches but can't find any articles specifically discussing XSS code embedded in music file metadata so I'm guessing its prolly not too common.

[TheOldPresbyope]

I've had a few downloaded tracks which contained tons of "useful" metadata such as lyrics which gave me various problems but I'm guessing music files aren't a common attack vector. That could change as soon as the bad guys uncover a related vulnerability in some popular music app, though.

"Trust no string" is, was, and always shall be the motto. I'm amazed at how many software vulnerabilities get reported each year which come down to violation of this principle.

Regards,
Kent

[Tim Curtis]

I've had a few downloaded tracks which contained tons of "useful" metadata such as lyrics which gave me various problems but I'm guessing music files aren't a common attack vector. That could change as soon as the bad guys uncover a related vulnerability in some popular music app, though.

"Trust no string" is, was, and always shall be the motto. I'm amazed at how many software vulnerabilities get reported each year which come down to violation of this principle.

Regards,
Kent

Implementing and testing security mitigation is very complex, expensive and time consuming which is why virtually all software has vulnerabilities. Even the Tech giants with their Trillions $$$ end up with serious vulnerabilities.

I think upcoming 9.1 will at least have some defense against Code and SQL injection and stored XSS but there would need to be some serious attack vector hacking to see what really happens. Maybe someone will become interested.

[Tim Curtis]

Btw there is an r910 test release available.
https://moodeaudio.org/forum/showthread....5#pid57575

[TheOldPresbyope]

I've had 9.1.0 running since last night but haven't had time yet to tinker with it. Darned real life keeps intruding