Update version to 3.8.2

Update CHANGELOG.md
Fix potential security vulnerability on smartplaylist search rule and catalog management actions (thanks Roman Ammann!)

docs/CHANGELOG.md

@@ -1,12 +1,46 @@
 CHANGELOG
 =========
 
+3.8.2
+----------
+- Fixed potential security vulnerability on smartplaylist search rule and catalog management actions (thanks Roman Ammann)
+- Fixed song comparison issue on arrays (genre ...) when updating from tag
+- Fixed song insertion issue if track year is out of range
+- Fixed unexpected artist summary autoupdate
+- Improved generated playlist filename (thanks yam655)
+- Fixed user avatar upload (thanks vader083)
+- Fixed waveform temporary file deletion issue if GD library is unavailable
+- Fixed max number of items returned from Subsonic getStarred.view (thanks zerodogg)
+- Fixed video update from tags (thanks stebe)
+- Reverted PHP 5.5.9 dependency to PHP 5.4
+- Added video playlist support (thanks SurvivalHive)
+- Added preference subcategory
+- Added prompt for new playlist name
+- Fixed page refresh when canceling album art change (thanks EvilLivesHere)
+- Added /play htaccess rewrite rule to avoid default max limit redirection 
+- Fixed Subsonic artist/album/song name JSON parsing if the name is numeric only
+- Added ignored articles and cover art to Subsonic getArtists.view function
+- Fixed MySQL requests to support ONLY_FULL_GROUP_BY mode
+- Fixed Ajax art refresh after changing it (thanks gnujeremie)
+- Fixed playlist creation from smartplaylist (thanks stebe)
+- Added SQL unique constraint on tag map
+- Fixed Subsonic genres with JSON format
+- Added Bookmarks feature on Subsonic API
+- Fixed thumb art regeneration if entry found in database without data (thanks s4astliv)
+- Added Podcast feature
+- Added large view / grid view option on artist and albums collection
+- Moved from php-gettext to oscarotero/Gettext
+- Added `Access-Control-Allow-Origin: *` header on Subsonic images & streams
+- Fixed Subsonic item identifier parsing
+- Added logic for external plugin directories (ampache-*)
+- Added Discogs metadata plugin
+
 3.8.1
 ----------
 - Fixed PHP7 Error class conflict (thanks trampi)
 - Fixed user password with special characters at install time (thanks jagerman)
 - Moved Ampache project license from GPLv2 to AGPLv3
-- Add Ampache specific information on Subsonic API getAlbum using a new `ampache` parameter (thanks nicklan)
+- Added Ampache specific information on Subsonic API getAlbum using a new `ampache` parameter (thanks nicklan)
 - Added 'album tag' option in song search (thanks DanielMaly)
 - Added Message of the Day plugin to display MOTD at home page
 - Moved AmpacheApi class to a separate ampacheapi-php git repository

lib/class/search.class.php

@@ -52,7 +52,7 @@ public function __construct($id = null, $searchtype = 'song')
                 $this->$key = $value;
             }
 
-            $this->rules = unserialize($this->rules);
+            $this->rules = json_decode($this->rules, true);
         }
 
         // Define our basetypes
@@ -863,7 +863,7 @@ public function save()
         }
 
         $sql = "INSERT INTO `search` (`name`, `type`, `user`, `rules`, `logic_operator`, `random`, `limit`) VALUES (?, ?, ?, ?, ?, ?, ?)";
-        Dba::write($sql, array($this->name, $this->type, $GLOBALS['user']->id, serialize($this->rules), $this->logic_operator, $this->random ? 1 : 0, $this->limit));
+        Dba::write($sql, array($this->name, $this->type, $GLOBALS['user']->id, json_encode($this->rules), $this->logic_operator, $this->random ? 1 : 0, $this->limit));
         $insert_id = Dba::insert_id();
         $this->id  = $insert_id;
         return $insert_id;
@@ -915,7 +915,7 @@ public function update(array $data = null)
         }
 
         $sql = "UPDATE `search` SET `name` = ?, `type` = ?, `rules` = ?, `logic_operator` = ?, `random` = ?, `limit` = ? WHERE `id` = ?";
-        Dba::write($sql, array($this->name, $this->type, serialize($this->rules), $this->logic_operator, $this->random, $this->limit, $this->id));
+        Dba::write($sql, array($this->name, $this->type, json_encode($this->rules), $this->logic_operator, $this->random, $this->limit, $this->id));
 
         return $this->id;
     }

lib/class/song.class.php

@@ -859,11 +859,6 @@ public static function compare_media_information($media, $new_media, $string_arr
 
         // Foreach them
         foreach ($fields as $key=>$value) {
-            // Skip the item if it is no string nor something we can turn into a string
-            if (!is_string($media->$key) || (is_object($media->$key) && method_exists($media->key, '__toString'))) {
-                continue;
-            }
-
             $key = trim($key);
             if (empty($key) || in_array($key,$skip_array)) {
                 continue;
@@ -878,6 +873,14 @@ public static function compare_media_information($media, $new_media, $string_arr
             } else {
                 $mediaData = $media->$key;
             }
+
+            // Skip the item if it is no string nor something we can turn into a string
+            if (!is_string($mediaData) && !is_numeric($mediaData) && !is_bool($mediaData)) {
+                if (is_object($mediaData) && !method_exists($mediaData, '__toString')) {
+                    continue;
+                }
+            }
+
             if (is_array($new_media->$key)) {
                 $arr = $new_media->$key;
                 sort($arr);

lib/init.php

@@ -67,7 +67,7 @@
 
 $results['load_time_begin'] = $load_time_begin;
 /** This is the version.... fluf nothing more... **/
-$results['version']            = '3.8.2-develop';
+$results['version']            = '3.8.2';
 $results['int_config_version'] = '33';
 
 if (!empty($results['force_ssl'])) {

lib/ui.lib.php

@@ -52,9 +52,9 @@ function show_confirmation($title,$text,$next_url,$cancel=0,$form_name='confirma
 function catalog_worker($action, $catalogs = null, $options = null)
 {
     if (AmpConfig::get('ajax_load')) {
-        $sse_url = AmpConfig::get('web_path') . "/server/sse.server.php?worker=catalog&action=" . $action . "&catalogs=" . urlencode(serialize($catalogs));
+        $sse_url = AmpConfig::get('web_path') . "/server/sse.server.php?worker=catalog&action=" . $action . "&catalogs=" . urlencode(json_encode($catalogs));
         if ($options) {
-            $sse_url .= "&options=" . urlencode(serialize($_POST));
+            $sse_url .= "&options=" . urlencode(json_encode($_POST));
         }
         sse_worker($sse_url);
     } else {

modules/localplay/upnp/upnpdevice.php

@@ -23,7 +23,7 @@ public function __construct($descriptionUrl)
     private function restoreDescriptionUrl($descriptionUrl)
     {
         debug_event('upnpdevice', 'readDescriptionUrl: ' . $descriptionUrl, 5);
-        $this->_settings = unserialize(Session::read('upnp_dev_' . $descriptionUrl));
+        $this->_settings = json_decode(Session::read('upnp_dev_' . $descriptionUrl), true);
 
         if ($this->_settings['descriptionURL'] == $descriptionUrl) {
             debug_event('upnpdevice', 'service Urls restored from session.', 5);
@@ -61,7 +61,7 @@ private function parseDescriptionUrl($descriptionUrl)
         Session::create(array(
             'type' => 'api',
             'sid' => 'upnp_dev_' . $descriptionUrl,
-            'value' => serialize($this->_settings)
+            'value' => json_encode($this->_settings)
         ));
     }
 

modules/localplay/upnp/upnpplayer.class.php

@@ -367,7 +367,7 @@ private function SetIntState($state)
         $this->_intState = $state;
 
         $sid  = 'upnp_ply_' . $this->_description_url;
-        $data = serialize($this->_intState);
+        $data = json_encode($this->_intState);
         if (! Session::exists('api', $sid)) {
             Session::create(array('type' => 'api', 'sid' => $sid, 'value' => $data ));
         } else {
@@ -381,7 +381,7 @@ private function ReadIndState()
         $sid  = 'upnp_ply_' . $this->_description_url;
         $data = Session::read($sid);
 
-        $this->_intState = unserialize($data);
+        $this->_intState = json_decode($data, true);
         debug_event('upnpPlayer', 'ReadIndState:' . $this->_intState, 5);
     }
 } // End UPnPPlayer Class

modules/localplay/upnp/upnpplaylist.php

@@ -118,7 +118,7 @@ public function Skip($pos)
     private function PlayListRead()
     {
         $sid      = 'upnp_pls_' . $this->_deviceGUID;
-        $pls_data = unserialize(Session::read($sid));
+        $pls_data = json_decode(Session::read($sid), true);
 
         $this->_songs   = $pls_data['upnp_playlist'];
         $this->_current = $pls_data['upnp_current'];
@@ -127,7 +127,7 @@ private function PlayListRead()
     private function PlayListSave()
     {
         $sid      = 'upnp_pls_' . $this->_deviceGUID;
-        $pls_data = serialize(array(
+        $pls_data = json_encode(array(
             'upnp_playlist' => $this->_songs,
             'upnp_current' => $this->_current
         ));

server/sse.server.php

@@ -42,12 +42,12 @@
 
 $worker = isset($_REQUEST['worker']) ? $_REQUEST['worker'] : null;
 if (isset($_REQUEST['options'])) {
-    $options = unserialize(urldecode($_REQUEST['options']));
+    $options = json_decode(urldecode($_REQUEST['options']), true);
 } else {
     $options = null;
 }
 if (isset($_REQUEST['catalogs'])) {
-    $catalogs = scrub_in(unserialize(urldecode($_REQUEST['catalogs'])));
+    $catalogs = scrub_in(json_decode(urldecode($_REQUEST['catalogs']), true));
 } else {
     $catalogs = null;
 }