Security Vulnerability #1522
Comments
|
Preferably not public so we could fix it first. Do you have access to a Tox client? |
|
I haven't used Tox but can certainly give it a go. How shall i find you on there? |
|
@chrismoberly Thank you very much for alerting us. @UniversalMediaServer/developers You can find further information on the forum. |
|
@chrismoberly thanks a lot for this disclosure, we will look at fixing this |
SubJunk
added
the
bug:confirmed
|
Thanks! Your team was super quick to respond to this, very friendly, and great to chat with. Keep up the great work!
|
|
Hi guys, How's the patch going? I'm doing public disclosure on this vuln for a couple other products (not UMS) tomorrow. Do you need some more time on this? Thanks! |
|
I think we have reasonable control of our own code, but we haven't been able to solve the vulnerabilities that stems from Cling yet. This library is used by quite a few UPnP Java implementations of various types, so the best thing would be if it could be solved there. I have been trying to solve the problems found in Cling form a couple of different angles, but they have produced nothing but dead ends this far. When it comes to disclosure @SubJunk should decide what to do, but I still think UMS has a limited exposure in that the attacker would need to get access to the local LAN so I'm not sure that a disclosure before it is completely solved would pose a big problem. |
|
Yep - I think that UMS is not a huge target for this attack, to be honest, as it is generally installed on home networks. I'll wait to see what SJ says. Thanks! |
|
Hi guys, |
|
Yeah, we're not used to work in secret, so it didn't take long until something was posted in public 😉 In any case, as far as I can understand we're relying on a response to 4thline/seamless#9 to be able to close it off completely. It seems like this isn't very much maintained anymore, and I don't know if the author cares to fix it. That said, with my latest modifications, Thanks for alerting us. If you would like to help us push for some changes in Cling/Seamless, I guess you could test some of the tools listed here. I'm pretty sure they'll all fail 😉 |
|
This all disclosures are bullshit. There is not realy emphasized that the attacer must be connected to the private LAN which is under control of the UMS user and this is the most importand information. In the https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13416 it is not mentioned that at all and they mention only remote attacker which is nonsens. |
|
Hi valib. I made sure to make that very clear in the first paragraph of the public disclosure (see http://seclists.org/fulldisclosure/2018/Jul/94). "The XML parsing engine for Universal Media Server's SSDP/UPNP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Unauthenticated attackers on the same LAN can use this vulnerability to..." Often, in the security world, there are only two types of attacks: local, meaning on the same machine and remote, meaning not on the same machine. There should be more room for subtleties there, but that is usually how things are classified. |
|
Let me email Mitre and see if they can change the open description to match my public disclosure... |
|
@chrismoberly agree that the UMS is vurnelable for this attack but users should know that if they prevent their private LAN against the not authorized users they will minimal the vurnelability. |
|
@valib Yep, that's reasonable. I've just contacted Mitre asking them to update the description to match what I publicly disclosed on Seclists. Thanks and keep up the good work! |
|
@chrismoberly thanks. |
|
@valib good point and thanks @chrismoberly |
|
@chrismoberly Did you tested BubbleUPnP and Serviio media server as well? |
|
Thanks for the tip. I hadn't, actually. I tested about 10 applications when I was researching UPNP. Plex, Vuze, and UMS were vulnerable so I shared those results and moved on to try some new things. I just quickly tested Bubble. It is vulnerable. Serviio doesn't seem to be, at least not without digging deeper. I took a look at some apps powered by MiniUPNPc, as that library is very widely used. It seems a very old version of it may be vulnerable, but nothing current that I could find. It looks to be maintained fairly well, so might be worth looking at if you guys are researching alternatives. It's used by Bitcore Core and all the crypto forks of it as well. |
|
@chrismoberly Thank you very much for having taken the time to test and answer :) |
|
Last time I looked at Serviio they seemed to have been rewritten in Node.JS so that might be why they don't have that Cling vulnerability |
|
BTW, Mitre has not replied to my email asking for the change in description... Sorry guys, I will bug them again. |
|
@SubJunk Serviio has always been a Java program and still is. |
|
Maybe they were using Node.JS for the startup file scan then, or maybe I'm just remembering another server since I often look at what our competitors are doing 🤷♂️ |
|
This should hopefully be fixed in #1609 |
|
Also I had another look at Serviio and it seems to be an Electron app and uses Node.JS for folder crawling, what makes you think they are using Java, @Sami32 ? Maybe I'm missing something |
|
@SubJunk Are you serious?
What is the file that make you think that this program is Node.JS? I'm very curious... |
|
@SubJunk I downloaded the latest Serviio not that long ago, and the server is a JAR. I don't know what all the other stuff is, and some of that might be Electron or some other web based crap. I didn't really look at that, I only checked the server JAR to see if Cling was packed in it (and it isn't). |
|
Hmm maybe I'm looking in the wrong place, since I'm on a Mac at the moment. I only see Electron stuff and saw a Node.JS process crawling through files. There is likely some other folder I didn't see that contains the |
|
Their Electron GUI is really nice and responsive, I'm jealous! |
|
Oh yeah I found the Java - on macOS Serviio stores their Java files in the |
It's funny how different people can be. I think all these "mobile" UI's on the desktop is a complete disaster, and Electron and Node.JS applications running on the desktop is something I really despise. If people are that lazy, they should do something else than making software IMO. It's big, slow, buggy, uses huge amounts of memory for doing very little, doesn't utilize the advantages of having a mouse where you can actually hit something that is smaller than a barn and usually wastes a lot of screen space. It's simply a terrible idea IMO. |
|
Personally I find Java hard to work with in terms of GUI so it is a relief to work with HTML/CSS when I can, but yes we each have our opinions and areas of expertise. Anyway it's cool that this security bug got fixed and released, I wonder if you could re-test with the fixed PR @chrismoberly ? I would be happy to compile it for you to test if that would help, just let me know your operating system if so |
|
@SubJunk Did I really miss something big now? When/where was is fixed and released? Are you referring to that done in Seamless? If so, I'm afraid you'll be disappointed, as that XML parser is only used for GENA AFAICR, and I suspect that the "fix" actually breaks GENA. |
|
I don't have a good understanding of this issue so maybe there is more to it, I thought it was a Cling problem and saw that the fix was merged thanks to the issue by @Sami32 on their tracker 4thline/cling#243 |
|
I'm not sure if there are other dependencies, this isn't very easy to neither check nor test in detail. There are certainly parts of our code that needs fixing in addition to the problems in Cling, but it's probably the Cling issue that makes us fail the As I tried to point out in the seamless (part of Cling) issue, I don't think the fix will work, and I know that it won't "fix" Cling since that's just one of the XML parsers used by Cling. It seems to me like it was a rush to "get it out of the way" rather than to actually fix it. Although I haven't tested the "new" version of Cling, I can pretty much guarantee you that it hasn't fixed anything, and it has probably broken GENA in addition. |
|
As I suspected, #1609 hasn't fixed anything. I just tested 4f2b115: Connection from [10.xx.xx.xx] port 445 [tcp/*] accepted (family 2, sport 55360)
SMBxxxxxxxxPC NETWORK PROGRAM 1.0LANMAN1.0Windows for Workgroups 3.1aLM1.2X002LANMAN2.1NT LM 0.12SMB 2.002SMB 2.???For those that hasn't done the test before, this means that UMS (and Cling) is still very much vulnerable. Why do you close such an important issue without testing it first? |
|
It was just an automatic close because the PR was merged, I had meant to reopen it until it was manually tested. Thanks for testing and reporting back. |
* Refactored Iso639: - Implemented correction of commonly misspelled language names - Created Iso639Entry for holding all information for a given ISO 639 entry - Created isValid() to check validity also for English language names - Created get() to get the complete Iso639Entry for a language - Unified the lookups/getters to use the same basic lookup, all handling "loc", different case, 2 or 3 letter ISO 639 codes, English language names, common misspellings and search/contains option for English language name. - Renamed getLanguage() to getName() - Refactored internal structure and initialization - Corrected "loc" logic to handle BCP 47 codes even when they include locale or variant. - JavaDocs - Formatting * Reversed bug introduced in 8abd818 * - Iso639: - Updated the list of ISO 639 English language names and codes to the latest definition - Implemented support for multiple English language names - Created equals(), hashCode() and toString() in Iso639Entry - StringUtil: - Expanded createReadableCombinedString() to be able to quote the elements - Fixed a bug in createReadableCombinedString() * Removed "wireshark" in DLNAResource.getDidlString() since the DIDL-Lite is already logged * Minor formatting and tweaks to Playlist, RootFolder, SubtitleType and UMSUtils * Created CollectionUtils class with methods for comparing the contents of two collections * Minor refactoring of FileUtil: - Formatting - Some JavaDocs fixes - Added isSeparator() and getIndexOfLastSeparator() that is OS aware but also accepts forward slash on Windows - Fixed a bug in getExtension() and replaceExtension() if a folder has a dot in its name - Added a try-with-resource * Refactored DLNAMediaSubtitle: - Formatting - JavaDocs - Removed some deprecated methods - Added getName() - Changed the logic for setting language in setExternalFile() - Made externalFile absolute to avoid having to convert it all over the place - Updated references accordingly * - Changed the check for external subtitles to use isExternal() instead of checking getExternalFile != null - Implemented handling for cases where getExternalFile == null for external subtitles - Fixed a couple of bugs in AviSynth encoders - Fixed a bug in Request/RequestV2 where streaming subtitles headers was sent for internal/embedded subtitles - Fixed a couple of bugs in SubtitleUtils * Refactored subtitles handling: - Removed externalSubsExist, externalSubsParsed and hasSubtitles() from DLNAMediaInfo - Moved external subtitles resolution from being scattered around the code to DLNAResource.syncResolve() - DLNAResource: - Implemented new thread-safe external subtitles resolution states hasExternalSubtitles, hasSubtitles and isExternalSubtitlesParsed - Refactored subtitles logic in ResolvePlayer() - Removed duplicated code in getDlnaOrgPnFlags() - Fixed a subtitles bug and improved logging in getDidlString() - Removed some deprecated subtitles related methods - Created new method registerExternalSubtitles() and automatic registration if subtitles states are read - Created new method resolveAudioStream() based on the former Player.setAudioOutputParameters() - Created new method resolveSubtitlesStream() based on the former Player.setSubtitleOutputParameters() - Player: - Refactored setAudioAndSubs() to use the new DLNAResource methods for resolving audio and subtitles - Removed methods setAudioOutputParameters() and setSubtitleOutputParameters() - Removed deprecated and no longer needed subtitles related methods from FileUtil: doesSubtitlesExists(), isSubtitlesExists() and browseFolderForSubtitles() - SubtitleUtils: - Fixed some bugs - Created new inner class CacheFolder - Created new concurrent subtitles folder cache logic that allows multiple folders to be scanned at once - Created new method registerExternalSubtitles() that does a similar task as the former FileUtil.browseFolderForSubtitles() - Created new "helper" methods: isSubtitlesFolder(), isSubtitlesFile(), registerExternalSubtitlesFile(), setExternalSubtitlesParsed() and findPrioritizedSubtitles() * Fixed database caching of subtitles * Add Hindi (Indian) and Brazilian Portuguese flags. * Update subs recognition Fixed bugs to cast integral division result to double or float * Created BufferedImageFilter and BufferedImageFilterChain: - Created abstract "helper" class NonGeometricBufferedImageOp - Implemented BufferedImageFilter in ImagesUtil.transcodeImage() - Created static thumbnail RenderingHints in DLNAResource - Created DLNAResource.addFlagFilters() and removed all "flag" logic from DLNAResource.getThumbnailInputStream() - Created weak caching for "flag" BufferedImages and a way to retrieve them in ImagesUtil.getLanguageFlag() - Implemented AudioFlagFilter and SubtitlesFlagFilter in ImagesUtil - Refactored FullyPlayed to generate a BufferedImageFilter instead of applying the overlay - Implemented filter chains in Request, RequestV2 and RemoteWeb - Improved JavaDocs - Formatting - Fixed an NPE in DLNAResource - Refactored MapFile.toString() * Replaced undetermined "flag" * Update the languages recognition with MediaInfo * Refactored DLNAResource.getDisplayName() to try to make it sane * - Set minimum subtitle "flag" resolution - Adjust subtitle "flag" scaling * Cleaned up TempFileMgr: - Added logging - Handled Exception - Improved iteration performance - Added character set handling * Refactored/extended StringUtil.prettifyXML() * - Fixed NPE in WinUtils.getShortPathNameW() - Fixed NPE and expanded ProcessUtil.getShortFileNameIfWideChars() - Refactored ProcessUtil.dbgWashCmds() * Refactored FullyPlayed text prefix handling * Improved TextAreaFIFO line removal performance * Created WinUtils.getOEMCharset() * Created some methods in FileUtil: - Created new overloads for getExtension() - Created new overloads for getFileNameWithoutExtension() and fixed NPE - Fixed NPE and improved robustness of convertLowerCaseStringToTitleCase() - Created new overloads for replaceExtension() * - Refactored/rewrote ImdbUtil: - Switched to using java.nio instead of java.io - Removed cleanName() - Replaced extractImdb() with extractImdbId() which can also scan relevant .nfo files for IMDB ID - Fixed NPE in ensureTT() - Created removeTT() - Replaced extract() with extractFromFileName() - Created extractImdbIdFromNfo() - Created new methods FileUtil.detectCharset() * Refactored FileTranscodeVirtualFolder: - Implemented working thumbnail support for FileTranscodeVirtualFolder - Fixed subtitles for TRANSCODE folders that's children of LIVE SUBTITLES folders * Reimplemented OpenSubtitles/Live subtitles support: - Configuration: - Removed "live_subtitles_timeout" setting - Made "live_subtitles_keep" and "live_subtitles_limit" configurable from the GUI under transcoding/subtitles - DLNAMediaSubtitle subclasses: - Created class DLNAMediaOnDemandSubtitle which implements support for other "on-demand" subtitles sources in the future - Created class DLNAMediaOpenSubtitle which handles everything related to subtitles from OpenSubtitles - Removed lived subtitles handling from DLNAMediaSubtitle - DLNAResource: - Removed unused class PlaySub - Removed no longer used "superthumb" functionality from RealFile - Refactored SubSelFile to use new logic for discovery, prority, sorting and filtering/limiting - Created new class DeadNodeList for more efficient XML parsing - Rewrote OpenSubtitle class almost completely, only getInfo() which isn't used for subtitles handling ise the old logic * - Created VideoClassification for classifying a video as movie, series, TV program etc - Created FileNamePrettifier that is similar to FileUtil.getFileNamePrettified() but keeps the parsed details for later use and doesn't use OpenSubtitles * Right-aligned numeric fields in TranscodingTab/Subtitle Settings for consistency * - Added new setting "show_subs_info" replacing old setting "hide_subs_info" - Added description for new setting to UMS.conf - Rearranged NavigationShareTab for the net setting: - Added new setting - Switched functionality and texts for "hide engine names" to "show engine names" - Moved settings around to be more logical * - Reduced contention in InfoDb - Fixed generics errors in FileDb and InfoDb * Removed streaming MicroDVD and VobSub support for Kodi * Changed the DLNAMediaSubtitle.id() logic so it's only used for internal/embedded subtitles. External subtitles are recognized using isExternal() instead of id > 100 * Update the Web https setting. Based on the http://www.universalmediaserver.com/forum/viewtopic.php?f=4&t=12156 Not related to this PR but could be merged with this. * Use more efficient StringBuilder instead of "String +" in the convertLowerCaseStringToTitleCase method. Fix NPE in reformating the media name. * SubtitlesInfoLevel to be rebased NPE fix Fixed potential NPE * Implemented minimum similarity threshold for IMDB guesses - Fixed several comparison bugs in SubSelFile - Fixed NPE in OpenSubtitle NPE fix * Extended FileNamePrettifier with more constructors * - Made string similarity case insensitive - Extended guessImdbIdByFileName() with overload for filename instead of DLNAResource * Faster OpenSubtitles hashing (from #1462 and #1469) * Implemented new XML-RPC parser Removed up old XML-RPC implementation * Removed redundant qualifiers * Cache prettified name * Removed the copy of the original resource from the TRANSCODE folder Fixed rebasing Formatting * Added more language flags - ALB is Albanian - ARM is Armenian - BOS is Bosnian - BUR is Burmese - CNR is Montenegrin - DZO is Dzongkha - FIJ is Fijian - FIL is Filipino - GEO is Georgian - GLE is Irish - HRV is Croatian - IND is Indonesian - KAL is Kalaallisut - KAZ is Kazakh - KHM is Khmer - LAO is Lao - LTZ is Letzeburgesch - MAC is Macedonian - MAY is Malay - MLG is Malagasy - MLT is Maltese - NAU is Nauru - NEP is Nepali - PAU is Palauan - SRP is Serbian - TIB is Tibetan - TKL is Tokelau - TLH is Klingon - TON is Tonga - TUK is Turkmen - TVL is Tuvalu - UZB is Usbekisch * Updated plugins commons-lang3 to 3.7, maven-javadoc-plugin to 3.0.0 git-commit-id-plugin to 2.2.4 * - Updated com.rometools:rome to 1.9.0 - Removed maven-nsis-plugin Fixed previous Cherry-Pick * Slightly improved web interface HTTPS configuration based on DMS Fixed typo * Update to match with DMS Fixed typo * Updated the org.apache.commons.text version to latest 1.3 * Update the database version. To the table SUBTRACKS were added columns EXTERNALFILE and CHARSET * Update rebasing to the master branch. * Formatting * Fix unsupported displayNameOverride to show propper item name. * Removed not used import * Fix implementation of the "displayNameOverride" to work only in the MediaLibraryFolder. Thanks @Nadahar for the recommendation. Simplify the commit 9ae1a2f * Better split of metadata extraction and OpenSubs lookup logic Formatting Removed unused function * Fixed GUI Fixed wrong GUI implementation * Fixed transcode folder population * Database updater * fix * Removed Oravle JDK 7 test from Travis CI build It seems that Travis CI is finally decommissioning their Ubuntu Precise containers, which were the last to support Oracle JDK 7. * Fix database append * Fixed database updating * Update database fix * Do not update database with version lower that 11 * Update database initialisation * Final database updating * db updates * Default to empty string in creation too (feels hacky) * Delete some old entries for subtracks * Rescan subtitles to be sure if they changed * Update description * Register external subs only when needed. * Remove unused import * Clean subtitles when disabled in general configuration * Delete record in the database when external subs file do not exist * Let DLNAResource to resolve subs in the syncResolve * Implement the XXE processing disabled for the UMS XML implementation * Remove unused import * Replaced deprecated import * Disable XXE in XMLInputFactory * Make enablig XML External Entity configurable * Avoid not necessary checking if the Logger trace mode is enabled. It is done automatically using Logger.trace() method. * Bump database version * Fix deprecated StringEscapeUtils from org.apache.commons.lang3 * Fix merging * Update twelvemonkeys imageio to the latest version * Add back the isAddGlobally stuff * Post-merge fixes * Keep version ahead of master * Fixed Live Subtitles * Fixed burning picture subtitles when other filters are also used in FFmpeg (#1650) Conflicts: src/main/java/net/pms/encoders/FFMpegVideo.java * Removed dependency on plexus StringUtils (#1625) * Updated junrar to 1.0.1 This fixes CVE-2018-12418 * Fixed merge * Rollback commons-text to support Java 7 * Rollback lang3 to match words * Bump junrar Conflicts: pom.xml src/main/java/net/pms/util/FileUtil.java src/main/java/net/pms/util/OpenSubtitle.java src/main/java/net/pms/util/TempFileMgr.java * Remote control navigation support in webgui (#1637) * After merge, update my files. * Merged changes to pom. Removed spirton.com site references * keycontroller.js: fixed error loading jquery functions, due to line supporting new jquery version. remoteui.css: fixed web frontpage button alignment. fixed different folder list padding when changed to lower resolutions added custom scrollbar to webgui * Change-Id: Ib40cbec3a42c8eeb751f7ac725c1ddf18bffe790 Added scroll with keys in folder list (for remote navigation) Using some material design to list. * Change-Id: I686d10e9cfae6d26e9789448b96202ee5627449d Changed style to rounded edges cards * Change-Id: Ibe93deb0bb85e0859c5bcbb8fe837d008ef43ed4 Important changes in web interface. Added virtual keyboard for remote use. Modified the way search is done. * Change-Id: Ib392207540a48bdb3d6105fbc0092a9cafed02cb fixed Frontpage background in css fixed folder menu didn't display well in small resolutions fixed remote navigation in play screen added extra buttons to player toolbar for remote use Added remote control toggle for fullscreen mode using button and exit using OK key, with variants. Fixed some style in bump affected by bootstrap css. * Update STYLEGUIDE.md * Update CONTRIBUTING.md * Mark FFmpeg as GPU acceleration ready * Update Cling and Seamless to resolve security issue (#1609) Fixes #1522 * Tests for metadata extraction from filename (#1632) * Tests for metadata extraction from filename Adds a new test function that checks the metadata extracted from the filename. Amends one of the testcases so that they correctly reflect the current working of the extraction code. * Remove id from testcase Remove manual increment from the JSON files that define the metadata extraction testcases. * Added TODO tests in metadata extraction While working on the metadata extraction patterns, new tests that specify what needs to be covered and is currently not, are expected to fail. This commit makes it possible to mark these new tests so that they do not cause an assertion error, but only log a warning. * Corrections in filename metadata extraction tests Correct use of assertThat. Correction in one of the test cases, where the expected value was wrong. Correction in an episode number comparison, as episode numbers are strings and not ints. * Codestyle improvement * Codestyle: strictly one statement per line * Codestyle: fewer line breaks * Updated build instructions for macOS * Fixed bug reported in #1655 (#1656) Fix thumbnails not persisting to db unless TRACE is enabled * Bumped version to 7.6.0 and updated changelog * Formatting * Handling the "Album Artist" field present in the audio files. (#1657) * Handling the "Album Artist" field present in the audio files. There is an excellent guide about the purpose of this field and I think UMS should support this feature: https://www.blisshq.com/music-library-management-blog/2010/10/12/how-to-use-album_artist/ * typo Co-Authored-By: maciekberry <44756987+maciekberry@users.noreply.github.com> * not needed Co-Authored-By: maciekberry <44756987+maciekberry@users.noreply.github.com> Conflicts: src/main/java/net/pms/dlna/DLNAMediaDatabase.java src/main/java/net/pms/dlna/LibMediaInfoParser.java * Pick up executables on the path in Linux (#1644) DMS 9de2f2cea6b70c69aaea4de86e25cf809c7f88c8 * - Replaced ProgramPaths interface with PlatformProgramPaths and child classes - Implemented support for executable types (Bundled, Installed, Custom) - Refactored Windows registry lookup to use JNA - Implemented PlayerID for Player identification - Created UniqueList List implementation - Detached the SystemUtils singleton instance from PMS - Implemented system PATH tools in FileUtil - Created ExecutableInfo (immutable, builder pattern) to hold information about executable files - Implemented support for using bundled executable from their development location - Implemented automatic system PATH search for transcoding engines - Created ExecutableErrorType - Moved transcoding engine tests from PlayerFactory to the individual Player classes - Created NTStatus to map typical Windows return codes to more meaningful errors * Rollback unnecessary change to test * Backwards compatibility for engine names * Removed outdated comment Conflicts: src/main/java/net/pms/dlna/DLNAMediaInfo.java src/main/java/net/pms/encoders/FFMpegVideo.java src/main/java/net/pms/encoders/Player.java src/main/java/net/pms/io/WinUtils.java src/main/java/net/pms/newgui/TranscodingTab.java src/main/java/net/pms/util/FileUtil.java src/main/java/net/pms/util/ProcessUtil.java src/main/resources/i18n/messages.properties * Fix merging * WIP Java 10 crash fix (#1497) * WIP Java 10 crash fix * Messy WIP * Update to use Java 10 features * Make it compatible with Java 1.7 * Attempt to maintain support for unicode fonts * Formatting * Formatting * Fix to some web interface navigation issues (#1660) * After merge, update my files. * Merged changes to pom. Removed spirton.com site references * keycontroller.js: fixed error loading jquery functions, due to line supporting new jquery version. remoteui.css: fixed web frontpage button alignment. fixed different folder list padding when changed to lower resolutions added custom scrollbar to webgui * Change-Id: Ib40cbec3a42c8eeb751f7ac725c1ddf18bffe790 Added scroll with keys in folder list (for remote navigation) Using some material design to list. * Change-Id: I686d10e9cfae6d26e9789448b96202ee5627449d Changed style to rounded edges cards * Change-Id: Ibe93deb0bb85e0859c5bcbb8fe837d008ef43ed4 Important changes in web interface. Added virtual keyboard for remote use. Modified the way search is done. * Change-Id: Ib392207540a48bdb3d6105fbc0092a9cafed02cb fixed Frontpage background in css fixed folder menu didn't display well in small resolutions fixed remote navigation in play screen added extra buttons to player toolbar for remote use Added remote control toggle for fullscreen mode using button and exit using OK key, with variants. Fixed some style in bump affected by bootstrap css. * Change-Id: I92ff018c9318b74457ebfc67a2c9f5271787ca54 fixed media cards top padding not displaying well when window width is lower than 1080px. fixed folder list background color not the same when window width is lower than 1080px. added keyboard navigation to virtual keyboard close button and corrected display css, display image removed, used webfont instead. other minor adjustments and updated to master branch changes. Change-Id: I92ff018c9318b74457ebfc67a2c9f5271787ca54 * Change-Id: Ibff3251c57fa5e8a6378287584a47f2e953b3b5e Formatting and removing things that weren't implemented. * Change-Id: I4a8eaac529b0e2a64081bc303d9eb8f7df8182b4 Fixed flickering effect while hover in add to playlist button due to overlap. * Rephrasing to fit text better * Enable Samsung built-in resume functionality (#1662) * feat: add support for samsung built-in resume Closes #665 * feat(bookmark): restrict 'set bookmark' to samsung devices Closes #665 * feat(bookmark): code cleanup #665 * feat(bookmark): code cleanup #665 Conflicts: src/main/java/net/pms/dlna/DLNAResource.java * - Moved Player executable getters from PmsConfiguration to the Player instances (#1669) - Implemented reuse of Player instances - Implemented support for multiple executables when registering/testing Player objects From DMS af05744a843866cf94903a22d032f08f66d80bbc Fixes #1668 Conflicts: src/main/java/net/pms/dlna/DLNAResource.java * TODO to fix merging * Revert "TODO to fix merging" This reverts commit 5e7bcc7. * refactor(requestv2): extract "createResponse" method (#1667) * refactor(requestv2): extract `creteResponse` method #1664 * refactor(requestv2): chain CRLF #1664 * refactor(requestv2): remove duplicated CRLF #1664 * Updated changelog * Minor formatting and scan speed improvement (#1672) * Sync translations with Crowdin * Updated changelog * 7.6.1 * Remove snapshot text * Enabled automatic updating to 7.6.1 on Windows * refactor(requestv2): extract request handler methods (#1689) * refactor(requestv2): extract `creteResponse` method #1664 * refactor(requestv2): chain CRLF #1664 * refactor(requestv2): remove duplicated CRLF #1664 * refactor(requestv2): extract `searchHandler` #1664 * refactor(requestv2): code cleanup #1664 * refactor(requestv2): restore code indentation #1664 * refactor(requestv2): restore code indentation #1664 * refactor(requestv2): extract request handlers #1664 * refactor(requestv2): extract request handlers #1664 * restore "compilerArgument" in pom.xml #1664 Conflicts: src/main/java/net/pms/network/RequestV2.java * Support for Samsung Q9 series (#1697) * refactor(requestv2): inputStream as local variable (#1691) * refactor(requestv2): extract `creteResponse` method #1664 * refactor(requestv2): chain CRLF #1664 * refactor(requestv2): remove duplicated CRLF #1664 * refactor(requestv2): extract `searchHandler` #1664 * refactor(requestv2): code cleanup #1664 * refactor(requestv2): restore code indentation #1664 * refactor(requestv2): restore code indentation #1664 * refactor(requestv2): extract request handlers #1664 * refactor(requestv2): extract request handlers #1664 * restore "compilerArgument" in pom.xml #1664 * refactor(requestv2): inputStream as local variable #1664 * refactor(requestv2): rename pms to ums #1664 * Clean status line when scan finished (#1698) * Added config for Samsung Q6 Series TVs (#1699) * Philips PUS8503 (#1692) * WIP * Fixed transcoding * Update * Detection tests * Fix XVID recognition * refactor(requestv2): extract dlna stream handler (#1700) * refactor(requestv2): extract `creteResponse` method #1664 * refactor(requestv2): chain CRLF #1664 * refactor(requestv2): remove duplicated CRLF #1664 * refactor(requestv2): extract `searchHandler` #1664 * refactor(requestv2): code cleanup #1664 * refactor(requestv2): restore code indentation #1664 * refactor(requestv2): restore code indentation #1664 * refactor(requestv2): extract request handlers #1664 * refactor(requestv2): extract request handlers #1664 * restore "compilerArgument" in pom.xml #1664 * refactor(requestv2): inputStream as local variable #1664 * refactor(requestv2): rename pms to ums #1664 * refactor(requestv2): extract dlnaFileHandler #1664 * refactor(requestv2): extract dlnaFileHandler removed unused methods, placed variable declarations in the scope where they belongs #1664 * refactor(requestv2): code cleanup #1664 * refactor(requestv2): fix image response added missing `content-length` header for images and thumbnails #1664 Conflicts: src/main/java/net/pms/network/RequestV2.java * Fix XVID recognition (#1705) * Fix XVID recognition * Do not stream subtitles for when they are transcoding * Rename getFormat to setFormat in LibMediaInfoParser and make some preliminary test * Formatting * Formatting * Fix subtitles streaming logic * Update Samsung subtitles logic * Simplify the logic * Removed depreated method Conflicts: src/main/java/net/pms/dlna/LibMediaInfoParser.java src/main/java/net/pms/network/RequestV2.java * Update the .conf (#1707) * #1664 image fix (#1709) * fix(image): fix image load #1664 * fix(image): improve log message #1664 * refactor(RequestV2): small code improvements (#1713) * refactor(requestv2): extract `creteResponse` method #1664 * refactor(requestv2): chain CRLF #1664 * refactor(requestv2): remove duplicated CRLF #1664 * refactor(requestv2): extract `searchHandler` #1664 * refactor(requestv2): code cleanup #1664 * refactor(requestv2): restore code indentation #1664 * refactor(requestv2): restore code indentation #1664 * refactor(requestv2): extract request handlers #1664 * refactor(requestv2): extract request handlers #1664 * restore "compilerArgument" in pom.xml #1664 * refactor(requestv2): inputStream as local variable #1664 * refactor(requestv2): rename pms to ums #1664 * refactor(requestv2): extract dlnaFileHandler #1664 * refactor(requestv2): extract dlnaFileHandler removed unused methods, placed variable declarations in the scope where they belongs #1664 * refactor(requestv2): code cleanup #1664 * refactor(requestv2): fix image response added missing `content-length` header for images and thumbnails #1664 * refactor(requestv2): rename `argument` to `uri` #1664 * refactor(requestv2): use HttpMethod instead of string #1664 * refactor(requestv2): use local nettyRequest #1664 Conflicts: src/main/java/net/pms/network/RequestHandlerV2.java * Solving issue #1674 (#1711) Solving issue #1674 (correct language passed to MediaInfoLib and avoiding incorrect genre labels) * Fixed issue #1706, Web interface broken hover effect on Firefox. (#1717) * After merge, update my files. * Merged changes to pom. Removed spirton.com site references * keycontroller.js: fixed error loading jquery functions, due to line supporting new jquery version. remoteui.css: fixed web frontpage button alignment. fixed different folder list padding when changed to lower resolutions added custom scrollbar to webgui * Change-Id: Ib40cbec3a42c8eeb751f7ac725c1ddf18bffe790 Added scroll with keys in folder list (for remote navigation) Using some material design to list. * Change-Id: I686d10e9cfae6d26e9789448b96202ee5627449d Changed style to rounded edges cards * Change-Id: Ibe93deb0bb85e0859c5bcbb8fe837d008ef43ed4 Important changes in web interface. Added virtual keyboard for remote use. Modified the way search is done. * Change-Id: Ib392207540a48bdb3d6105fbc0092a9cafed02cb fixed Frontpage background in css fixed folder menu didn't display well in small resolutions fixed remote navigation in play screen added extra buttons to player toolbar for remote use Added remote control toggle for fullscreen mode using button and exit using OK key, with variants. Fixed some style in bump affected by bootstrap css. * Change-Id: I92ff018c9318b74457ebfc67a2c9f5271787ca54 fixed media cards top padding not displaying well when window width is lower than 1080px. fixed folder list background color not the same when window width is lower than 1080px. added keyboard navigation to virtual keyboard close button and corrected display css, display image removed, used webfont instead. other minor adjustments and updated to master branch changes. Change-Id: I92ff018c9318b74457ebfc67a2c9f5271787ca54 * Change-Id: Ibff3251c57fa5e8a6378287584a47f2e953b3b5e Formatting and removing things that weren't implemented. * Change-Id: I4a8eaac529b0e2a64081bc303d9eb8f7df8182b4 Fixed flickering effect while hover in add to playlist button due to overlap. * -Fixed header area not displaying focus element, due to css class removal. (remoteui.css) -Fixed error while navigating in header if there were no media displayed in root directory. Gear menu not navigating properly. (keycontroller.js) -Fixed keyboard not having focus when changes from letter to numbers. (jQKeyboard.js) -Removed unused code in keyboard main file. (jQKeyboard.js) * Fixed issue #1706, Web interface broken hover effect on Firefox. Removed effect off transform translate in css, for media browsing, trying to find workaround, meanwhile, removed. * Use H.264 in Chrome web interface (#1702) * Use H.264 in Chrome web interface * Removed old option * Same on Firefox * Formatting and only scale resolution when using libvorbis * Removed unused config * Fix merging * Update merging * Formatting * Merge fixes * More merge fixes + formatting * !fixup
|
I rest my case 😆 |
|
This was closed automatically in error |
Hi team USM!
I've found a critical security vulnerability affecting the current release of USM. This may allow an attacker on the same local network to compromise a machine running the software.
How would you like me to disclose that information to you - in the open here on Github, via a PGP encrypted email, etc?
Thanks!
The text was updated successfully, but these errors were encountered: