Base image Alpine-JRE8 doesn't install fontconfig and some fonts as
dependencies. Added them to the build steps.
Signed-off-by: Yahor Berdnikau <egorr.berd@gmail.com>
Reasoning:
- It doesn't change state and is not a sensitive endpoint
- It really should be changed to GET but that is a bit more intrusive
change that can be done at another time
- The search csrf token is stored on the top.jsp page for a long time.
If the user keeps this tab open for a while it is possible the csrf
token will change on their session with other requests going on such
that the search csrf token becomes wrong/stale.
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
Detail
------
Add a dependency check plugin to find reported issues with dependencies
we use.
From adding this, there were quite a few false positives which are
documented in airsonic-main/cve-suppressed.xml. The applicable
vulnerabilities are as follows:
```
commons-fileupload-1.2.jar (commons-fileupload:commons-fileupload:1.2,
cpe:/a:apache:commons_fileupload:1.2) : CVE-2016-3092, CVE-2016-1000031,
CVE-2014-0050, CVE-2013-0248
castor-core-1.3.1.jar (cpe:/a:castor:castor:1.3.1,
cpe:/a:castor_project:castor:1.3.1,
org.codehaus.castor:castor-core:1.3.1) : CVE-2014-3004
tomcat-embed-core-8.5.16.jar (cpe:/a:apache_software_foundation:tomcat:8.5.16, cpe:/a:apache:tomcat:8.5.16, cpe:/a:apache_tomcat:apache_tomcat:8.5.16, org.apache.tomcat.embed:tomcat-embed-core:8.5.16) : CVE-2017-12617
```
CVE-2016-1000031 is rated as CRITICAL, but we do not deserialize content
from any multipart uploads, so it doesn't apply.
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
Issue 455
(570) Adds a settings option to ignore symlinks during the media scan.
(455) Adds a regular expression pattern to exclude in addition to the option
of excluding symlinks.
This changes the behavior by searching for `ffprobe` in the transcode
directory and falling back to using `PATH` to locate `ffprobe` if it
doesn't exist in the transcode directory.
Signed-off-by: Peter Marheine <peter@taricorp.net>
- Moved bookmark caching logic into service layer
- Removed returning "null" when writing to the response directly
- Finish renaming to subsonic rest controller
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
get autowired and component scanned and don't have to be completely
configured in applicationContext-service.xml
Signed-off-by: Derrek Bond <yoyo007@gmail.com>
- Added enforcer plugin
- Fix some version conflicts
- Moved custom initializer to spring.factories
- Bump spring boot version
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>