Previously, lost passwords were generated via
org.apache.commons.lang.RandomStringUtils,
which is using java.util.Random internally.
This PRNG is has a 48-bit seed, that can easily be bruteforced
if an attacker is able to get the PRNG's output, for example
but resetting their own account multiple times,
leading to trivial privileges escalation attacks.
This commit makes use of java.security.SecureRandom
instead.
I threw airsonic at IntelliJ's IDEA analysis,
and asked it to flag what could be modernized
for Java > 5.
- foreach instead of for…
- I added some null-deref checks
- Integer.ValueOf, since Integer(…) is deprecated
- Contextual try
- Objects.equals instead of handcrafted comparisons
- StringBuilder instead of StringBuffer
- Removal of outdated/wrong javadoc comments
This will only affect the (embedded/legacy) HSQLDB driver. Even though
cff97ea9 should prevent the db log from getting uncontrollably large,
the 'Clean-up database' and 'Scan' actions will additionally force a
checkpoint to ensure this happens on big operations.
As per #548, #723, and tsquillario/Jamstash#131, the current method of
estimating `Content-Length` creates various problems.
However, if headers such as `Accept-Ranges` is omitted, clients will only
use the first connection, which is `Transfer-Encoding: chunked`, and no
`Content-Length` is necessary.
Doing this has the side effect that (at least on the web player) seeking
to a specific time is no longer possible, thus this was made an opt-in
option.
Signed-off-by: WillyPillow <wp@nerde.pw>
HTTPS will help prevent eavesdropping on the auth token, and using URI
will ensure unusual characters (like spaces, accidental or otherwise)
are escaped correctly.
Fixes#588
Signed-off-by: Peter Marheine <peter@taricorp.net>
Removes an incorrect override in AlbumUpnpProcessor which was preventing
RecentAlbumUpnpProcessor from behaving correctly.
Also adds a correct getAllItemsSize() implementation for
RecentAlbumUpnpProcessor.
Reasoning:
- It doesn't change state and is not a sensitive endpoint
- It really should be changed to GET but that is a bit more intrusive
change that can be done at another time
- The search csrf token is stored on the top.jsp page for a long time.
If the user keeps this tab open for a while it is possible the csrf
token will change on their session with other requests going on such
that the search csrf token becomes wrong/stale.
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
Issue 455
(570) Adds a settings option to ignore symlinks during the media scan.
(4550 Adds a regular expression pattern to exclude in addition to the option
of excluding symlinks.
This changes the behavior by searching for `ffprobe` in the trancode
directory and falling back to using `PATH` to locate `ffprobe` if it
doesn't exist in the transcode directory.
Signed-off-by: Peter Marheine <peter@taricorp.net>