This adds the 'airsonic.rememberMeKey' system property (can be set from
command-line with `-Dairsonic.rememberMeKey=<value>`) as well as a
'RememberMeKey' setting in airsonic.properties, so that the key used for
generating 'remember me' tokens can be persisted across server restarts.
It also adds a default, insecure key in case we are running in
development mode with the 'airsonic.development' property set.
This page wasn't linked anywhere, and was
allowing an administrator to issue arbitrary sql
comments, and was vulnerable to reflected XSS.
We should get rid of it. If you really want to issue
SQL commands, just ssh to your instance and do it from here.
In case of exceptions, Airsonic logs the full URL that triggered it
since 417583cc, including possibly sensitive query parameters such as
the authentication password/tokens passed to the Subsonic API.
This replaces the value set for this parameter in the URL by the
"<hidden>" string.
Because Double Brace Initialization (DBI) creates an anonymous class with a
reference to the instance of the owning object, its use can lead to memory
leaks if the anonymous inner class is returned and held by other objects. Even
when there's no leak, DBI is so obscure that it's bound to confuse most
maintainers.
Since the `border: 0;` property is applied
to every checkbox, there is no need for a class.
This is also a good opportunity to use ternaries
for the `checked` attribute, instead of clumsy `if`.
I guess that this is a bit silly in 2019,
but since people tend to use weird browsers in weird
places, disabling autocompletion here might prevent
the password from ending up in some local cache.
When Tomcat is not available (for example, when using Jetty), the
ClientAbortException is not available either, causing an error when
starting the server.
This commit fixes that, and instead catches that exception (or its Jetty
equivalent) via reflection.
When streaming, log messages now show the URL and IP of the originating
request, so that it's easier to determine what client is listening to
something on the server.
The `ClientAbortException` exception indicates that the connection was
closed by the client, usually for something the server can do nothing
about (e.g. navigating outside of the page while it's loading).
Since this error happens often, this commit displays shorter error
messages when it does, without a large stack trace.
All other exceptions are handled just as before.
The only place where the string `webfx` is mentioned
was in playQueue.jsp, to include a small css file, twice,
that only applies to webfx components, that aren't used
anywhere in the codebase.
Since Spring's default remember-me technique is
terrible security-wise (`user:timstamp:md5(use:timestamp:password:key)`),
we should at least use a random key, instead of a fixed one,
otherwise, and attacker able to capture the cookies
might be able to trivially bruteforce offline
the password of the associated user.
The inline javascript used with the cancel buttons
was only used to change the location.
Instead of doing this, it's easier to wrap
the button in a tag.
This is related to #909.
I've tested this on mp3, ogg and flac, everything
is working.
Apart from fixing a decent amount of bugs
(https://github.com/mediaelement/mediaelement/releases),
this has the nice side effect of removing a copy
of jquery 1.9.1.
- Fix a stupid self-XSS. I doubt that there are ways to
use it against other users, but well, better safe than sorry
- Replace the javascript-on-focus hacks with the `autofocus` attribute
Previously, lost passwords were generated via
org.apache.commons.lang.RandomStringUtils,
which is using java.util.Random internally.
This PRNG is has a 48-bit seed, that can easily be bruteforced
if an attacker is able to get the PRNG's output, for example
but resetting their own account multiple times,
leading to trivial privileges escalation attacks.
This commit makes use of java.security.SecureRandom
instead.