[pull] master from MusicPlayerDaemon:master#74
Merged
Conversation
This elides an unnecessary copy.
In XML-based playlist formats such as ASX and XSPF, the `location` tag can have arbitrary string data, including (encoded) newline characters. That allows injecting such URIs into MPD, which allows an attacker to desync the MPD protocol. Closes #2483
Obviously, we shouldn't ever transmit null bytes because bad things happen when you do.
The MPD text protocol is by definition UTF-8 only, and thus all strings that are used anywhere must be valid UTF-8.
…ateUTF8() .. so these plugins will benefit from future improvements to VerifyRelativePathUTF8().
This removes the check for '\r', but we don't have it everywhere else. Having a playlist name with '\r' for sure isn't a good idea, but at least it's not dangerous for the MPD protocol, I guess. If we believe it's dangerous, the check should be added to VerifyStringUTF8() to cover all places where that's important.
This fixes an ugly path traversal bug that allowed clients to do "listfiles ..". Closes #2484
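The two commits above (the `location` newline injection from playlist files, and the `listfiles ..` traversal) both come down to one input-validation layer: every string that reaches the line-oriented MPD protocol must be valid UTF-8 with no control characters, and every client-supplied path must be a clean relative path. The block below is an added example written for this page, not MPD's own `VerifyStringUTF8()` / `VerifyRelativePathUTF8()`; the function names are borrowed from the commit messages, and the decision to reject `\r` as well as `\n` and NUL is this example's own, stricter choice (the commit text notes MPD itself does not check `\r` everywhere).

```cpp
// Added example, not MPD project code. Hypothetical reimplementations of
// the VerifyStringUTF8() / VerifyRelativePathUTF8() checks named in the
// commit messages, to show what a hardened version has to reject.
#include <cstdint>
#include <cstdio>
#include <string_view>

// Length of the UTF-8 sequence starting at s[i], or 0 if it is malformed.
// Rejects truncated sequences, bad continuation bytes, overlong encodings,
// UTF-16 surrogates and code points above U+10FFFF.
static size_t Utf8SequenceLength(std::string_view s, size_t i) {
    const unsigned char c = static_cast<unsigned char>(s[i]);
    if (c < 0x80) return 1;
    size_t len; uint32_t cp, min;
    if ((c & 0xE0) == 0xC0)      { len = 2; cp = c & 0x1F; min = 0x80; }
    else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; min = 0x800; }
    else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; min = 0x10000; }
    else return 0;                                 // stray continuation / 0xF8+
    if (i + len > s.size()) return 0;              // truncated at end of string
    for (size_t k = 1; k < len; ++k) {
        const unsigned char cc = static_cast<unsigned char>(s[i + k]);
        if ((cc & 0xC0) != 0x80) return 0;
        cp = (cp << 6) | (cc & 0x3F);
    }
    if (cp < min) return 0;                        // overlong (e.g. C0 AF for '/')
    if (cp >= 0xD800 && cp <= 0xDFFF) return 0;    // surrogate half
    if (cp > 0x10FFFF) return 0;
    return len;
}

// A string is acceptable for the MPD text protocol only if it is valid
// UTF-8 and contains no ASCII control character: NUL, LF and CR would
// desync the line-based protocol, the rest have no business in names/URIs.
bool VerifyStringUTF8(std::string_view s) {
    for (size_t i = 0; i < s.size();) {
        const unsigned char c = static_cast<unsigned char>(s[i]);
        if (c < 0x20 || c == 0x7F) return false;
        const size_t len = Utf8SequenceLength(s, i);
        if (len == 0) return false;
        i += len;
    }
    return true;
}

// A client-supplied path may not leave the music directory: it must pass
// VerifyStringUTF8(), must not be absolute, and every '/'-separated segment
// must be non-empty and neither "." nor "..". This is what stops "listfiles ..".
bool VerifyRelativePathUTF8(std::string_view path) {
    if (!VerifyStringUTF8(path)) return false;
    if (path.empty() || path.front() == '/') return false;
    size_t start = 0;
    while (start <= path.size()) {
        size_t end = path.find('/', start);
        if (end == std::string_view::npos) end = path.size();
        const std::string_view seg = path.substr(start, end - start);
        if (seg.empty() || seg == "." || seg == "..") return false;
        start = end + 1;
    }
    return true;
}

int main() {
    // Constructed inputs: a playlist "location" with an injected newline,
    // and the traversal argument from the commit message.
    const char *samples[] = {"http://example/a\nclose", "..", "music/../etc",
                             "artist/album/track.flac"};
    for (const char *s : samples)
        std::printf("%-28s string=%d path=%d\n", s,
                    VerifyStringUTF8(s), VerifyRelativePathUTF8(s));
    return 0;
}
```

Because `VerifyRelativePathUTF8()` calls `VerifyStringUTF8()` first, an encoded newline smuggled through an XSPF `location` is rejected by the same path that blocks `..`; a single choke point is easier to audit than per-plugin checks, which is the point the `…ateUTF8()` commit above makes.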
The buffer size must be rounded up. Just like the other vulnerabilities I fixed today, this one was found and reported by Matteo Strada and Daniele Berardinelli. Closes #2485
Even Debian "oldstable" Bookworm has 7.88.0, so requiring at least 7.85.0 is reasonable. The actual reason to raise the minimum version is because that version limits the CURLOPT_FOLLOWLOCATION protocols to HTTP and FTP, disallowing redirects to Gopher and other strange protocols MPD doesn't want to use. This means redirects can no longer circumvent the protocol whitelist (function protocol_is_whitelisted()). Closes #2487
This was never necessary, but became buggy after commit 4e2a551 which added the curl_version_info() check to obtain the list of protocols supported by CURL. The plugin now claimed to support protocols that were not actually accepted by input_curl_open().
release v0.24.11
Created by
pull[bot] (v2.0.0-alpha.4)