Upcoming moOde 9.1.0 release
#11
By playing with sudo apt-get update etc., I've had 9.1.0 on my instance for 3 or 4 days, playing +12h/day. It seems to behave. :)
Reply
#12
Try the test image I just posted yesterday. It includes the new XSS detection.
Enjoy the Music!
moodeaudio.org | Mastodon Feed | GitHub
Reply
#13
So with XSS detection enabled, I regenerated the library using my modest collection of ca. 600 albums. Got several dozen hits based on detection of "<", "(", and "=".

Examples:


Code:
20240913 132330 SECCHK: XSS character detected: tag|value: Composer|<Various Composers>
...
20240913 132330 SECCHK: XSS command detected: tag|value: Title|Marguerite (Albumblatt) for violin & piano (transcription of work by Rachmaninov)
...
20240913 132330 SECCHK: XSS character detected: tag|value: Title|Let X=X
...
20240913 132330 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
...


All in all, detection and reporting seem to be working (though calling out Laurie Anderson for her iconic Let x=x just feels so wrong<grin>).

Still, from a system perspective, the more important part of your recent security changes is the tightening of the webUI code. Too bad it's invisible to the casual user but it is definitely an improvement.

Regards,
Kent
Reply
#14
(09-13-2024, 05:58 PM)TheOldPresbyope Wrote: So with XSS detection enabled, I regenerated the library using my modest collection of ca. 600 albums. Got several dozen hits based on detection of "<", "(", and "=".

Examples:


Code:
20240913 132330 SECCHK: XSS character detected: tag|value: Composer|<Various Composers>
...
20240913 132330 SECCHK: XSS command detected: tag|value: Title|Marguerite (Albumblatt) for violin & piano (transcription of work by Rachmaninov)
...
20240913 132330 SECCHK: XSS character detected: tag|value: Title|Let X=X
...
20240913 132330 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
...


All in all, detection and reporting seem to be working (though calling out Laurie Anderson for her iconic Let x=x just feels so wrong<grin>).

Still, from a system perspective, the more important part of your recent security changes is the tightening of the webUI code. Too bad it's invisible to the casual user but it is definitely an improvement.

Regards,
Kent

Parentheses are not part of the regex but 'script' is an XSS command. It's in the word 'transcription'. I'll have to refine the XSS command detection so that normal words don't trigger detection.
Enjoy the Music!
moodeaudio.org | Mastodon Feed | GitHub
Reply
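The false positive discussed above (a plain substring match for "script" firing on "transcription") can be shown side by side with a context-aware check. This is an added example, not moOde's SECCHK code; the character set and both regexes are assumptions for illustration, and the sample values are constructed from the hits quoted in the thread plus one constructed attack-style value.

```python
import html
import re

# Constructed sample tag values modelled on the hits quoted in the thread, plus one
# constructed attack-style value so the difference between the two checks is visible.
SAMPLES = [
    ("Composer", "<Various Composers>"),
    ("Title", "Marguerite (Albumblatt) for violin & piano (transcription of work by Rachmaninov)"),
    ("Title", "Let X=X"),
    ("Comment", "fre:ac - free audio converter <https://www.freac.org/>"),
    ("Title", "<script>alert(1)</script>"),  # constructed, not from the thread
]

# Assumption: illustrative character and keyword lists, not moOde's actual SECCHK regexes.
XSS_CHARS = set("<>=")

# Naive keyword check: plain substring search, so "transcription" matches "script".
NAIVE_CMD_RE = re.compile(r"script|onerror|onload", re.I)

# Refined check: fire only where the keyword sits in a context that could execute,
# i.e. an opening <script tag, a javascript: URL scheme, or an on*= event attribute.
REFINED_CMD_RE = re.compile(r"<\s*script\b|\bjavascript\s*:|\bon[a-z]+\s*=", re.I)

def check_value(value, cmd_re=REFINED_CMD_RE):
    """Return (kind, detail) findings for one tag value, in the spirit of the SECCHK lines."""
    findings = []
    chars = sorted(set(value) & XSS_CHARS)
    if chars:
        findings.append(("character", "".join(chars)))
    match = cmd_re.search(value)
    if match:
        findings.append(("command", match.group(0)))
    return findings

def scan(samples, cmd_re=REFINED_CMD_RE):
    """Map each triggering value to its list of finding kinds ("character", "command")."""
    results = {}
    for _tag, value in samples:
        kinds = [kind for kind, _ in check_value(value, cmd_re)]
        if kinds:
            results[value] = kinds
    return results

def render_safe(value):
    """Output encoding: the control that makes any tag value safe to place in HTML text."""
    return html.escape(value, quote=True)
```

Character hits such as "Let X=X" remain noisy under either regex; what actually neutralises a hostile tag value in the webUI is escaping it on output, as render_safe does.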
#15
One thing I do is simply to remove all flac tags except for those I actively set/use. I run this against every file:

Code:
metaflac --show-tag DATE --show-tag TITLE --show-tag GENRE --show-tag ARTIST --show-tag ALBUM --show-tag TRACKNUMBER --show-tag DISCNUMBER "$1" | metaflac --remove-all-tags --import-tags-from=- "$1"
Reply
#16
@Tim Curtis 

By the way, are you contemplating bumping to upmpdcli-v1.8.16 with its updated Tidal plugin?

Regards,
Kent
Reply
#17
I'll look into it.
Enjoy the Music!
moodeaudio.org | Mastodon Feed | GitHub
Reply
#18
@bitlab just uploaded new upmpdcli packages to the CS repo.

Run the commands below to install then reboot.
Code:
# Bump upmpdcli
sudo apt update && apt list --upgradable
sudo moode-apt-mark unhold
sudo apt -y install libnpupnp13=6.2.0-1moode1
sudo apt -y install libupnpp16=0.26.7-1moode1
sudo apt -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install upmpdcli=1.8.16-1moode1
Enjoy the Music!
moodeaudio.org | Mastodon Feed | GitHub
Reply
#19
(09-14-2024, 12:51 PM)Tim Curtis Wrote: @bitlab just uploaded new upmpdcli packages to the CS repo.

Run the commands below to install then reboot.
Code:
# Bump upmpdcli
sudo apt update && apt list --upgradable
sudo moode-apt-mark unhold
sudo apt -y install libnpupnp13=6.2.0-1moode1
sudo apt -y install libupnpp16=0.26.7-1moode1
sudo apt -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install upmpdcli=1.8.16-1moode1

Nice. I cheated when I tried the Tidal plugin recently and ignored the updated libraries. Hats off to @bitlab for doing the job right.

Regards,
Kent
Reply
#20
(09-14-2024, 01:09 PM)TheOldPresbyope Wrote:
(09-14-2024, 12:51 PM)Tim Curtis Wrote: @bitlab just uploaded new upmpdcli packages to the CS repo.

Run the commands below to install then reboot.
Code:
# Bump upmpdcli
sudo apt update && apt list --upgradable
sudo moode-apt-mark unhold
sudo apt -y install libnpupnp13=6.2.0-1moode1
sudo apt -y install libupnpp16=0.26.7-1moode1
sudo apt -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install upmpdcli=1.8.16-1moode1

Nice. I cheated when I tried the Tidal plugin recently and ignored the updated libraries. Hats off to @bitlab for doing the job right.

Regards,
Kent

Are you able to test the updated Tidal plugin?

IIRC configuring it was kind of involved...
Enjoy the Music!
moodeaudio.org | Mastodon Feed | GitHub
Reply