Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix remote access to images accidentally blocked by Cve 2017 5982 patch #14783

Merged
merged 1 commit into from Nov 3, 2018

Conversation

@DaveTBlake
Copy link
Member

commented Nov 3, 2018

Unfortunately the protection implemented for the CVE 2017 5982 exploit #14501 is still blocking valid remote access to some images, which means missing artwork on Chorus and Kore etc.

Adust it to allow web server and JSON API access to images:

  • embedded in media files (where they are on sources that allow sharing).
    These are requested with path like "image://music@C:\MyMusic\Sheryl Crow\Feels Like Home\01 Shotgun.flac/" and the real path needed more stripping before searching sources.

  • artist art held in the nominated Artist Information folder (that may not be a source)
    This folder is added to the whitelist of valid Kodi folders

@wsnipex a few more adjustments.
@MartijnKaijser I would really like to get this into Beta5 release either by merging quickly or delaying release

Allow remote access to images embedded in music or video files (on so…
…urces that allow share), and to artist art in the nominated Artist Information folder
@DaveTBlake

This comment has been minimized.

Copy link
Member Author

commented Nov 3, 2018

OSX-64 build failure unrelated to this PR.
Tested on Windows 10, and no reason for any platform sensitivity. Art from artist info folder and embedded in music files seen correctly using Chorus whereas previously it was blank.

@wsnipex
wsnipex approved these changes Nov 3, 2018
Copy link
Member

left a comment

Thanks again.
I have to admit, I've never heard of the music artists folder :o

@MartijnKaijser MartijnKaijser merged commit aadfe2e into xbmc:master Nov 3, 2018

1 check failed

default Sorry, building this PR failed. Please check the logs for the errors.
Details
@DaveTBlake

This comment has been minimized.

Copy link
Member Author

commented Nov 3, 2018

You are welcome @wsnipex. FWIW the Artist Info folder was added eariler in v18 to handle local artist art where it isn't possible to organise all music files involving an artist under one unique folder.

Of course this doesn't solve the issue web server access to all images. The problem is art used by Kodi can be anywhere the user chooses, it has never been limited to just Kodi folders and media sources (although that is the most common place). There will be users that notice missing images in apps that talk to Kodi, be they PVR icons or the odd album cover, because they are located somewhere that isn't also a media source or nominated folder. For v18 all we can suggest is that they move them somewhere that is.

@DaveTBlake DaveTBlake referenced this pull request Nov 4, 2018
0 of 6 tasks complete

@DaveTBlake DaveTBlake deleted the DaveTBlake:embeddedartaccess branch Feb 11, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.