Before getting to the bug report, I want to congratulate the authors on the excellent work. Volumio is great!
The problem: the directory and file names that contain the colon symbol (i.e. “:”) are handled incorrectly. If a directory name contains a colon, then only the part of the name preceding the colon is shown, and the content of the directory is listed as empty. If a filename contains a colon, then the file is not shown.
System details: I am not sure if the following matters, but it might help the troubleshooting. The files are located on a NAS mounted via NFS. The system is Raspberry Pi B+ running volumio 1.41 downloaded from sourceforge.net/projects/volumio … p/download
Disclaimer: I do not claim that the colon is the only symbol that causes the problem; I have not tested. It is possible that the same piece of code chokes on other symbols too.
Thanks, jotak! I have made the changes. Thanks for locating the bug so quickly!
Looking at the code you linked to, there is a red flag that caught my attention:
The function sysCmd runs a shell, and is typically invoked like so: sysCmd("command parameter1 parameter2"). The parameters often come from the outside (these typically include file names). While I do not immediately see a security concern (webradio maybe?), it looks like a disaster waiting to happen. I have not tried, but my guess is that the filenames or NAS names that include apostrophes, quotes, pipes, and other shell-unfriendly symbols will break this code in lots of places. I am not familiar with PHP programming, but in other languages the standard solution is to pass parameters separately from the path to the program being executed.
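An added illustration of the point made in the post above (not code from the thread or from Volumio): the same argument passed through a single shell string, through a shell string with escapeshellarg() quoting, and through an argv array with no shell at all. The helper names sysCmdUnsafe, sysCmdQuoted and sysCmdArgv and the sample names are hypothetical; the argv form of proc_open() needs PHP 7.4 or later.

```php
<?php
// Added illustration. sysCmdUnsafe, sysCmdQuoted and sysCmdArgv are
// hypothetical helpers, not Volumio's functions.

// The pattern from the post: one string, parsed by /bin/sh.
function sysCmdUnsafe(string $cmd): array {
    exec($cmd . ' 2>/dev/null', $out, $rc);
    return [$rc, $out];
}

// Still uses the shell, but every parameter is quoted first.
function sysCmdQuoted(string $program, array $args): array {
    $cmd = escapeshellarg($program);
    foreach ($args as $arg) {
        $cmd .= ' ' . escapeshellarg($arg);
    }
    exec($cmd . ' 2>/dev/null', $out, $rc);
    return [$rc, $out];
}

// No shell at all: argv array form of proc_open (PHP 7.4 or later).
function sysCmdArgv(array $argv): array {
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('cannot start ' . $argv[0]);
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $rc = proc_close($proc);
    return [$rc, $out === '' ? [] : explode("\n", rtrim($out, "\n"))];
}

// Constructed sample names; printf echoes back each argument it receives.
$names = ['Live: Disc 1', "It's a Test.mp3", 'a; echo INJECTED'];
foreach ($names as $name) {
    [$rc, $out] = sysCmdUnsafe("printf '%s\\n' " . $name);
    echo 'unsafe rc=', $rc, ' ', json_encode($out), "\n";
    [$rc, $out] = sysCmdQuoted('printf', ['%s\n', $name]);
    echo 'quoted rc=', $rc, ' ', json_encode($out), "\n";
    [$rc, $out] = sysCmdArgv(['printf', '%s\n', $name]);
    echo 'argv   rc=', $rc, ' ', json_encode($out), "\n";
}
```

In the unsafe form the first name is split into three arguments, the second fails with a shell syntax error, and the third runs a second command; the quoted and argv forms return each name as one unchanged argument. escapeshellarg() can drop non-ASCII bytes when the process locale is not UTF-8, which matters for music file names, so the argv form is the more robust of the two.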
I must say there’s a big part of the PHP code in volumio that I don’t fully understand why it’s there, and that sometimes looks weird. Concerning sysCmd, there are a lot of calls indeed, but I don’t see any user-supplied arguments that would be given to it. When it’s parametrized, it’s most of the time with data that comes from DB and/or config files.
That said, I wouldn’t argue that it’s 100% secure, of course. There have already been some feature requests to improve security, and there are a lot of files with 777 rights; I’m not sure if it’s a good idea. And of course, I’m sure that anybody who wants to help improve security will be welcomed!