As per #548, #723, and tsquillario/Jamstash#131, the current method of
estimating `Content-Length` creates various problems.
However, if headers such as `Accept-Ranges` is omitted, clients will only
use the first connection, which is `Transfer-Encoding: chunked`, and no
`Content-Length` is necessary.
Doing this has the side effect that (at least on the web player) seeking
to a specific time is no longer possible, thus this was made an opt-in
option.
Signed-off-by: WillyPillow <wp@nerde.pw>
HTTPS will help prevent eavesdropping on the auth token, and using URI
will ensure unusual characters (like spaces, accidental or otherwise)
are escaped correctly.
Fixes#588
Signed-off-by: Peter Marheine <peter@taricorp.net>
- Update Spring boot Version
- Update dependency check version
- Exclude irrelevant nodejs cve
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
Removes an incorrect override in AlbumUpnpProcessor which was preventing
RecentAlbumUpnpProcessor from behaving correctly.
Also adds a correct getAllItemsSize() implementation for
RecentAlbumUpnpProcessor.
Reasoning:
- It doesn't change state and is not a sensitive endpoint
- It really should be changed to GET but that is a bit more intrusive
change that can be done at another time
- The search csrf token is stored on the top.jsp page for a long time.
If the user keeps this tab open for a while it is possible the csrf
token will change on their session with other requests going on such
that the search csrf token becomes wrong/stale.
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
Detail
------
Add a dependency check plugin to find reported issues with dependencies
we use.
From adding this, there were quite a few false positives which are
documented in airsonic-main/cve-suppressed.xml. The applicable
vulnerabilities are as follows:
```
commons-fileupload-1.2.jar (commons-fileupload:commons-fileupload:1.2,
cpe:/a:apache:commons_fileupload:1.2) : CVE-2016-3092, CVE-2016-1000031,
CVE-2014-0050, CVE-2013-0248
castor-core-1.3.1.jar (cpe:/a:castor:castor:1.3.1,
cpe:/a:castor_project:castor:1.3.1,
org.codehaus.castor:castor-core:1.3.1) : CVE-2014-3004
tomcat-embed-core-8.5.16.jar (cpe:/a:apache_software_foundation:tomcat:8.5.16, cpe:/a:apache:tomcat:8.5.16, cpe:/a:apache_tomcat:apache_tomcat:8.5.16, org.apache.tomcat.embed:tomcat-embed-core:8.5.16) : CVE-2017-12617
```
CVE-2016-1000031 is rated as CRITICAL, but we do not deserialize content
from any multipart uploads so doesn't apply.
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
WillyPillow
Carlos Galindo
Peter Marheine
Andrew DeMaria
François-Xavier Thomas
snw35
jo
Bonome
Romain DEP.
Rémi Cocula
Starkad
Allen Petersen
Allan Nordhøy
Robert Sprunk
Shen-Ta Hsieh