moodeaudio.org > Moode Forum moOde audio player Support v
[SOLVED] 9.1.0 Advanced Search regression for regexp using "|" character

Thank you for your donation!


Cloudsmith graciously provides open-source package management and distribution for our project.


Thread Modes
Solved: 9.1.0 Advanced Search regression for regexp using "|" character
jenzd Offline
Member
*
Posts: 82
Threads: 15
Joined: Mar 2021
Reputation: 11
#1
09-20-2024, 08:50 PM (This post was last modified: 09-24-2024, 10:44 PM by jenzd.)
Hi all,

There seems to be a regression in Moode 9.1.0 when using regular expressions on the Advanced Search page:

Up to Moode 9.0.8 I could use the Folder filter =~ nas/filestation/music/(somefolder|otherfolder) to get a combined view of all files in nas/filestation/music/somefolder and nas/filestation/music/otherfolder.

In Moode 9.1.0 this no longer works. The interface seems to accept the filter, but does not update the library view accordingly. Note that the offending character seems to be the |, because searching for just a single folder using  =~ nas/filestation/music/(somefolder) still works as expected.

Interestingly the similar expression '(filename =~ "nas/filestation/music/(somefolder|otherfolder)")' still works as Tag Filter option for Auto-shuffle.

Thanks & best regards
Jens
Find
Reply
Tim Curtis Online
moOde audio founder
******
Posts: 14,072
Threads: 321
Joined: Mar 2018
Reputation: 572
#2
09-20-2024, 09:11 PM
Did you apply r900patch_multi.sh ?
Enjoy the Music!
moodeaudio.org | Mastodon Feed | GitHub
Website Find
Reply
Tim Curtis Online
moOde audio founder
******
Posts: 14,072
Threads: 321
Joined: Mar 2018
Reputation: 572
#3
09-20-2024, 09:26 PM
Nvm, I can repro.

Do you see any SECCHK lines in the moode log?
Enjoy the Music!
moodeaudio.org | Mastodon Feed | GitHub
Website Find
Reply
jenzd Offline
Member
*
Posts: 82
Threads: 15
Joined: Mar 2021
Reputation: 11
#4
09-20-2024, 09:27 PM
Yes, installed the patch and rebooted. Still no change.
Find
Reply
jenzd Offline
Member
*
Posts: 82
Threads: 15
Joined: Mar 2021
Reputation: 11
#5
09-20-2024, 09:37 PM
And yes there are SECCHK lines:
Code:
20240920 232740 SECCHK: Invalid shell characters detected, request denied
20240920 232740 SECCHK: (file =~ 'nas/filestation/music/(somefolder|otherfolder)')
Find
Reply
jenzd Offline
Member
*
Posts: 82
Threads: 15
Joined: Mar 2021
Reputation: 11
#6
09-20-2024, 09:47 PM
I also noticed now that the Tag Filter for Auto-shuffle only worked, because the setting was restored from a backup. Manually entering the same string does not work but results in an HTTP 400 Bad request.

Here the log says (no surprise):

Code:
20240920 234106 SECCHK: Invalid shell characters detected, request denied
20240920 234106 SECCHK: '(filename =~ "nas/filestation/music/(somefolder|otherfolder)")'
Find
Reply
Tim Curtis Online
moOde audio founder
******
Posts: 14,072
Threads: 321
Joined: Mar 2018
Reputation: 572
#7
09-20-2024, 09:58 PM
As a test, in file /var/www/command/cfg-table.php, lets exclude 'library_flatlist_filter_str from SECCHK

Change
chkVariables($_POST);

To
chkVariables($_POST, array('library_flatlist_filter_str'));

Btw, you don't need to specify the entire folder path. You could do like below.

=~ (/somefolder|/otherfolder)
Enjoy the Music!
moodeaudio.org | Mastodon Feed | GitHub
Website Find
Reply
jenzd Offline
Member
*
Posts: 82
Threads: 15
Joined: Mar 2021
Reputation: 11
#8
09-20-2024, 10:19 PM
Results:
  • Advanced Search works again after applying the patch.
  • Still HTTP 400 Bad request for the Auto-shuffle Tag Filter.
Find
Reply
Tim Curtis Online
moOde audio founder
******
Posts: 14,072
Threads: 321
Joined: Mar 2018
Reputation: 572
#9
09-20-2024, 10:26 PM
Security is quite challenging.

A simple exclusion of the variables won't be sufficient though because that creates a shell injection vulnerability. I'll have to think about it.
Enjoy the Music!
moodeaudio.org | Mastodon Feed | GitHub
Website Find
Reply
jenzd Offline
Member
*
Posts: 82
Threads: 15
Joined: Mar 2021
Reputation: 11
#10
09-24-2024, 10:43 PM
Thanks for fixing in the upcoming version 9.1.2  Smile
Find
Reply


Forum Jump: