
Update version to 3.8.2

Update CHANGELOG.md
Fix potential security vulnerability on smartplaylist search rule and catalog management actions (thanks Roman Ammann!)
1 parent f976024 commit 5b975f3e222592b80325ddd837e6445e39bd6674 @Afterster Afterster committed Feb 3, 2016
@@ -1,12 +1,46 @@
CHANGELOG
=========
+3.8.2
+----------
+- Fixed potential security vulnerability on smartplaylist search rule and catalog management actions (thanks Roman Ammann)
+- Fixed song comparison issue on arrays (genre ...) when updating from tag
+- Fixed song insertion issue if track year is out of range
+- Fixed unexpected artist summary autoupdate
+- Improved generated playlist filename (thanks yam655)
+- Fixed user avatar upload (thanks vader083)
+- Fixed waveform temporary file deletion issue if GD library is unavailable
+- Fixed max number of items returned from Subsonic getStarred.view (thanks zerodogg)
+- Fixed video update from tags (thanks stebe)
+- Reverted PHP 5.5.9 dependency to PHP 5.4
+- Added video playlist support (thanks SurvivalHive)
+- Added preference subcategory
+- Added prompt for new playlist name
+- Fixed page refresh when canceling album art change (thanks EvilLivesHere)
+- Added /play htaccess rewrite rule to avoid default max limit redirection
+- Fixed Subsonic artist/album/song name JSON parsing if the name is numeric only
+- Added ignored articles and cover art to Subsonic getArtists.view function
+- Fixed MySQL requests to support ONLY_FULL_GROUP_BY mode
+- Fixed Ajax art refresh after changing it (thanks gnujeremie)
+- Fixed playlist creation from smartplaylist (thanks stebe)
+- Added SQL unique constraint on tag map
+- Fixed Subsonic genres with JSON format
+- Added Bookmarks feature on Subsonic API
+- Fixed thumb art regeneration if entry found in database without data (thanks s4astliv)
+- Added Podcast feature
+- Added large view / grid view option on artist and albums collection
+- Moved from php-gettext to oscarotero/Gettext
+- Added `Access-Control-Allow-Origin: *` header on Subsonic images & streams
+- Fixed Subsonic item identifier parsing
+- Added logic for external plugin directories (ampache-*)
+- Added Discogs metadata plugin
+
3.8.1
----------
- Fixed PHP7 Error class conflict (thanks trampi)
- Fixed user password with special characters at install time (thanks jagerman)
- Moved Ampache project license from GPLv2 to AGPLv3
-- Add Ampache specific information on Subsonic API getAlbum using a new `ampache` parameter (thanks nicklan)
+- Added Ampache specific information on Subsonic API getAlbum using a new `ampache` parameter (thanks nicklan)
- Added 'album tag' option in song search (thanks DanielMaly)
- Added Message of the Day plugin to display MOTD at home page
- Moved AmpacheApi class to a separate ampacheapi-php git repository
@@ -52,7 +52,7 @@ public function __construct($id = null, $searchtype = 'song')
$this->$key = $value;
}
- $this->rules = unserialize($this->rules);
+ $this->rules = json_decode($this->rules, true);
}
// Define our basetypes
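Review bot: Rows already stored in `search`.`rules` were written with `serialize()`, and `json_decode()` returns `null` for them, so `$this->rules` is no longer an array for any smart playlist saved before this commit. No conversion of existing rows is visible in this commit; if none exists elsewhere, those playlists silently lose their rules. At minimum guard the result, e.g. `$rules = json_decode($this->rules, true); $this->rules = is_array($rules) ? $rules : array();`, and convert legacy rows in a database update step rather than falling back to `unserialize()`. The constructor body continues outside the hunk.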
@@ -863,7 +863,7 @@ public function save()
}
$sql = "INSERT INTO `search` (`name`, `type`, `user`, `rules`, `logic_operator`, `random`, `limit`) VALUES (?, ?, ?, ?, ?, ?, ?)";
- Dba::write($sql, array($this->name, $this->type, $GLOBALS['user']->id, serialize($this->rules), $this->logic_operator, $this->random ? 1 : 0, $this->limit));
+ Dba::write($sql, array($this->name, $this->type, $GLOBALS['user']->id, json_encode($this->rules), $this->logic_operator, $this->random ? 1 : 0, $this->limit));
$insert_id = Dba::insert_id();
$this->id = $insert_id;
return $insert_id;
@@ -915,7 +915,7 @@ public function update(array $data = null)
}
$sql = "UPDATE `search` SET `name` = ?, `type` = ?, `rules` = ?, `logic_operator` = ?, `random` = ?, `limit` = ? WHERE `id` = ?";
- Dba::write($sql, array($this->name, $this->type, serialize($this->rules), $this->logic_operator, $this->random, $this->limit, $this->id));
+ Dba::write($sql, array($this->name, $this->type, json_encode($this->rules), $this->logic_operator, $this->random, $this->limit, $this->id));
return $this->id;
}
@@ -859,11 +859,6 @@ public static function compare_media_information($media, $new_media, $string_arr
// Foreach them
foreach ($fields as $key=>$value) {
- // Skip the item if it is no string nor something we can turn into a string
- if (!is_string($media->$key) || (is_object($media->$key) && method_exists($media->key, '__toString'))) {
- continue;
- }
-
$key = trim($key);
if (empty($key) || in_array($key,$skip_array)) {
continue;
@@ -878,6 +873,14 @@ public static function compare_media_information($media, $new_media, $string_arr
} else {
$mediaData = $media->$key;
}
+
+ // Skip the item if it is no string nor something we can turn into a string
+ if (!is_string($mediaData) && !is_numeric($mediaData) && !is_bool($mediaData)) {
+ if (is_object($mediaData) && !method_exists($mediaData, '__toString')) {
+ continue;
+ }
+ }
+
if (is_array($new_media->$key)) {
$arr = $new_media->$key;
sort($arr);
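Review bot: The added guard in `compare_media_information` is harder to read than it needs to be: the outer `!is_string && !is_numeric && !is_bool` test is already implied by `is_object()`, so the two nested `if`s reduce to `if (is_object($mediaData) && !method_exists($mediaData, '__toString')) { continue; }`. The comment above it also overstates what is skipped, since arrays and `null` still pass through; `// Skip objects that cannot be converted to a string` would match the code. The loop body continues outside the hunk.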
@@ -67,7 +67,7 @@
$results['load_time_begin'] = $load_time_begin;
/** This is the version.... fluf nothing more... **/
-$results['version'] = '3.8.2-develop';
+$results['version'] = '3.8.2';
$results['int_config_version'] = '33';
if (!empty($results['force_ssl'])) {
@@ -52,9 +52,9 @@ function show_confirmation($title,$text,$next_url,$cancel=0,$form_name='confirma
function catalog_worker($action, $catalogs = null, $options = null)
{
if (AmpConfig::get('ajax_load')) {
- $sse_url = AmpConfig::get('web_path') . "/server/sse.server.php?worker=catalog&action=" . $action . "&catalogs=" . urlencode(serialize($catalogs));
+ $sse_url = AmpConfig::get('web_path') . "/server/sse.server.php?worker=catalog&action=" . $action . "&catalogs=" . urlencode(json_encode($catalogs));
if ($options) {
- $sse_url .= "&options=" . urlencode(serialize($_POST));
+ $sse_url .= "&options=" . urlencode(json_encode($_POST));
}
sse_worker($sse_url);
} else {
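Review bot: `$action` is still concatenated into `$sse_url` without `urlencode()`, while the two JSON values next to it are encoded; use `"&action=" . urlencode($action)`. The `$options` branch also places the whole of `$_POST` in the query string rather than the `$options` argument, so every submitted form field ends up in a GET URL that web servers and proxies typically log. Passing only what the worker needs, e.g. `urlencode(json_encode($options))` if callers pass the option array, would avoid that; the callers are not visible here, so confirm what they pass. The function body continues outside the hunk.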
@@ -23,7 +23,7 @@ public function __construct($descriptionUrl)
private function restoreDescriptionUrl($descriptionUrl)
{
debug_event('upnpdevice', 'readDescriptionUrl: ' . $descriptionUrl, 5);
- $this->_settings = unserialize(Session::read('upnp_dev_' . $descriptionUrl));
+ $this->_settings = json_decode(Session::read('upnp_dev_' . $descriptionUrl), true);
if ($this->_settings['descriptionURL'] == $descriptionUrl) {
debug_event('upnpdevice', 'service Urls restored from session.', 5);
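Review bot: `json_decode()` returns `null` when the session entry is missing, expired or still in the old `serialize()` format, and the next line indexes `$this->_settings['descriptionURL']` without checking the result. Add a guard such as `if (is_array($this->_settings) && $this->_settings['descriptionURL'] == $descriptionUrl)`. The same unchecked read applies to `ReadIndState()` and `PlayListRead()` further down, where `$pls_data['upnp_playlist']` and `$pls_data['upnp_current']` become `null` after a failed decode. The method body continues outside the hunk.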
@@ -61,7 +61,7 @@ private function parseDescriptionUrl($descriptionUrl)
Session::create(array(
'type' => 'api',
'sid' => 'upnp_dev_' . $descriptionUrl,
- 'value' => serialize($this->_settings)
+ 'value' => json_encode($this->_settings)
));
}
@@ -367,7 +367,7 @@ private function SetIntState($state)
$this->_intState = $state;
$sid = 'upnp_ply_' . $this->_description_url;
- $data = serialize($this->_intState);
+ $data = json_encode($this->_intState);
if (! Session::exists('api', $sid)) {
Session::create(array('type' => 'api', 'sid' => $sid, 'value' => $data ));
} else {
@@ -381,7 +381,7 @@ private function ReadIndState()
$sid = 'upnp_ply_' . $this->_description_url;
$data = Session::read($sid);
- $this->_intState = unserialize($data);
+ $this->_intState = json_decode($data, true);
debug_event('upnpPlayer', 'ReadIndState:' . $this->_intState, 5);
}
} // End UPnPPlayer Class
@@ -118,7 +118,7 @@ public function Skip($pos)
private function PlayListRead()
{
$sid = 'upnp_pls_' . $this->_deviceGUID;
- $pls_data = unserialize(Session::read($sid));
+ $pls_data = json_decode(Session::read($sid), true);
$this->_songs = $pls_data['upnp_playlist'];
$this->_current = $pls_data['upnp_current'];
@@ -127,7 +127,7 @@ private function PlayListRead()
private function PlayListSave()
{
$sid = 'upnp_pls_' . $this->_deviceGUID;
- $pls_data = serialize(array(
+ $pls_data = json_encode(array(
'upnp_playlist' => $this->_songs,
'upnp_current' => $this->_current
));
@@ -42,12 +42,12 @@
$worker = isset($_REQUEST['worker']) ? $_REQUEST['worker'] : null;
if (isset($_REQUEST['options'])) {
- $options = unserialize(urldecode($_REQUEST['options']));
+ $options = json_decode(urldecode($_REQUEST['options']), true);
} else {
$options = null;
}
if (isset($_REQUEST['catalogs'])) {
- $catalogs = scrub_in(unserialize(urldecode($_REQUEST['catalogs'])));
+ $catalogs = scrub_in(json_decode(urldecode($_REQUEST['catalogs']), true));
} else {
$catalogs = null;
}
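Review bot: Both request parameters are URL-decoded twice: PHP has already decoded `$_REQUEST` values, so the extra `urldecode()` rewrites any literal `+` or `%xx` inside the JSON before `json_decode()` sees it; `json_decode($_REQUEST['options'], true)` is sufficient. The decoded values are also used without a type check, and `$options` bypasses `scrub_in()` while `$catalogs` does not. Since both come straight from the request, reject anything that is not an array, e.g. `if (!is_array($catalogs)) { $catalogs = null; }`, and do the same for `$options`. The dispatch code is outside the hunk, so confirm there that `$worker` is matched against a fixed list.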
