Impact
What kind of vulnerability is it? Who is impacted?
Any user running source commits 3fa8bbf, 1bda8d1, 12a9590, 428b361, 34fb194, b521636, ef3583e, f5efa6a, 1eb1e54, or cbcea0a is vulnerable.
Patches
Has the problem been patched? What versions should users upgrade to?
There are no published patches as of yet. As of commit cdcd48b the issue has been fixed. Users on patches between 3fa8bbf and cbcea0a are advised to update as soon as possible.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Users can manually modify the source code to ensure that the image_file variable is evaluated with ast.literal_eval to convert it to a string, then passed through werkzeug.utils.secure_filename to ensure the filename is correct. The manually modified source should look like this:
[module/connect_to_server.py]
[...]
from html import unescape
import werkzeug.utils
import requests
image_file = str(image_file).replace("DOT", ".") # <-- modified line
api = f"http://{domain}:7873/bGVhdmVfcmlnaHRfbm93"
[...]
This modification also requires itunesrpc.py to be modified to pass through file names, not file paths.
[itunesrpc.py]
[...]
# MODIFY TRACK TO HAVE PAUSED IF PAUSED ON APPLE MUSIC
if paused_track:
    track = "[PAUSED] " + track
file_path = os.getcwd() + "\\temporary.png" # <- pay attention to this line
o.CurrentTrack.Artwork.Item(1).SaveArtworkToFile(file_path)
artwork_url = networking.get("temporaryDOTpng", domain, track, artist, album) # <- pay attention to this line
artwork_url = ast.literal_eval(str(artwork_url))
[...]
Although this modification is "quick and dirty", it gets the job done. It is the definition of "spaghetti code" and will be rewritten properly before the release of debug.4.0.0.
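Added example, not the project's own code: one way to implement the check the workaround text describes, parsing image_file with ast.literal_eval and then accepting only a bare filename. It assumes image_file arrives as the text of a Python string literal, keeps the DOT encoding shown above, and uses a standard-library allowlist in place of werkzeug.utils.secure_filename so it runs without third-party packages; parse_image_file and ALLOWED_NAME are hypothetical names.

```python
import ast
import re

# Assumption: artwork is always a short PNG/JPEG name with no directory part.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.(?:png|jpg|jpeg)")


def parse_image_file(raw):
    """Return a bare artwork filename from the received text, or raise ValueError.

    raw is assumed to be the text of a Python string literal, for example
    "'temporaryDOTpng'" (the DOT encoding used by the page's snippet).
    """
    try:
        # literal_eval only builds literals (str, bytes, numbers, ...);
        # names, calls and attribute access are refused, nothing is executed.
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("image_file is not a Python literal") from exc
    if not isinstance(value, str):
        raise ValueError("image_file must be a string")
    # Decode first, validate second, so "DOTDOT/" cannot turn into "../"
    # after the check has already passed.
    name = value.replace("DOT", ".")
    if not ALLOWED_NAME.fullmatch(name):
        raise ValueError("image_file is not a plain artwork filename")
    return name


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the project.
    for sample in ("'temporaryDOTpng'", "'DOTDOT/DOTDOT/secretDOTpng'",
                   "__import__('os')", "'cover.png;x'", "42"):
        try:
            print(repr(sample), "->", parse_image_file(sample))
        except ValueError as err:
            print(repr(sample), "-> rejected:", err)
```

Rejecting a name that fails the allowlist, rather than rewriting it, keeps the server from ever acting on a filename the client did not literally send.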
References
CWE-78
For more information
If you have any questions or comments about this advisory: