Colons in directory and file names cause trouble

Before getting to the bug report, I want to congratulate the authors on the excellent work. Volumio is great!

The problem: the directory and file names that contain the colon symbol (i.e. “:”) are handled incorrectly. If a directory contains a colon, then only the part of the name preceding the colon is shown, and the content of the directory is listed as empty. If a filename contains a colon, then the file is not shown.

System details: I am not sure if the following matters, but it might help the troubleshooting. The files are located on a NAS mounted via NFS. The system is Raspberry Pi B+ running volumio 1.41 downloaded from sourceforge.net/projects/volumio … p/download

Disclaimer: I do not claim that the colon is the only symbol that causes the problem; I have not tested. It is possible that the same piece of code chokes on other symbols too.

Thanks,
Boris

You’re absolutely right. There’s a bug here: github.com/jotak/Volumio-WebUI/ … b.php#L301 (line 301). I’ll propose a patch, if michelangelo doesn’t fix it before…

Thanks for the issue report

Issue opened: github.com/volumio/Volumio-WebUI/issues/39

brbukh, a fix has been made, waiting to be released. If you can’t wait, here’s how to proceed:

Connect to your pi, go to /var/www/inc and edit player_lib.php
Search for text:
explode(": ",$plistLine
and add ,2 =>
explode(": ",$plistLine,2)

You should find 2 occurrences of that

Reboot your pi, enjoy :wink:

Thanks, jotak! I have made the changes. Thanks for locating the bug so quickly!

Looking at the code you linked to, there is a red flag that caught my attention:

The function sysCmd runs a shell and is typically invoked like so: sysCmd("command parameter1 parameter2"). The parameters often come from the outside (these typically include file names). While I do not immediately see a security concern (webradio maybe?), it looks like a disaster waiting to happen. I have not tried, but my guess is that filenames or NAS names that include apostrophes, quotes, pipes, and other shell-unfriendly symbols will break this code in lots of places. I am not familiar with PHP programming, but in other languages the standard solution is to pass parameters separately from the path to the program being executed.

Again, thanks!
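As an added example (not part of the original posts, and not Volumio's code): one way to pass parameters separately from the program in PHP, as the post above suggests. The helper name runArgv and the sample file name are hypothetical; passing an array to proc_open requires PHP 7.4 or later.

```php
<?php
// Hypothetical helper, not Volumio's sysCmd(): runs a program with its
// arguments given as an array, so no shell ever parses them.
function runArgv(array $argv): array
{
    // Capture stdout only; stderr is inherited from the PHP process.
    $spec = [1 => ['pipe', 'w']];
    // PHP >= 7.4: an array command is executed directly, without /bin/sh.
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('cannot start ' . $argv[0]);
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return ['status' => proc_close($proc), 'stdout' => $out];
}

// Constructed sample: a file name with an apostrophe, a pipe and a colon.
$name = "Live at Joe's | part: 1.flac";

// Pattern described in the post: the name is pasted into one command string.
// The string is only displayed here, never executed; a shell would see an
// unbalanced quote and a pipe instead of a single argument.
$concatenated = "printf %s $name";
echo "concatenated : $concatenated\n";

// Form 1: argument array. The name reaches the program as exactly one argument.
$res = runArgv(['printf', '%s', $name]);
echo "argv form    : {$res['stdout']} (exit {$res['status']})\n";

// Form 2: when a shell string cannot be avoided, quote every parameter.
$quoted = 'printf %s ' . escapeshellarg($name);
echo "quoted string: $quoted\n";
echo "shell output : " . shell_exec($quoted) . "\n";

// Both safe forms hand the name to the program byte for byte.
var_dump($res['stdout'] === $name, shell_exec($quoted) === $name);
```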

I must say there’s a big part of the PHP code in volumio that I don’t fully understand why it’s there, and that sometimes looks weird. Concerning sysCmd, there’s a lot of calls indeed, but I don’t see any user-supplied arguments that would be given to it. When it’s parametrized, it’s most of the time with data that comes from the DB and/or config files.

That said, I wouldn’t argue that it’s 100% secure, of course. There have already been some feature requests to improve security, and there are a lot of files with 777 rights; I’m not sure if that’s a good idea. And of course, I’m sure that anybody who wants to help improve security will be welcomed!