Merge pull request #20 from gordielachance/2.0.8

2 0 8
2017-12-04 11:35:04 +01:00 · 2017-12-04 11:35:04 +01:00 · 577181bb73
parent f0649bf2b5 f7ccef89ef
commit 577181bb73
4 changed files with 14 additions and 5 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,12 @@
 # Changelog

+## v2.0.8
+Released 29th November 2017 (by Heruwar)
+* Fixes a security issue where the password is sent as plaintext in the URL query parameters when methods from libsonic_extas are used. 
+Also adds Subsonic hex encoding when using legacy auth.
+* Adds support for URL paths like https://hostname.com/subsonic as requested in Github issue #17 and also encountered in some of the reports (#14 and #5)
+* Fixes an error when the password only contains digits, which simpleplugin converts to a Long, which later fails when libsonic tries to salt the password expecting a string.
+
 ## v2.0.7
 Released 18 April 2017
 * Added Search (by silascutler)
--- a/addon.xml
+++ b/addon.xml
@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<addon id="plugin.audio.subsonic" name="Subsonic" version="2.0.7" provider-name="BasilFX,grosbouff,silascutler">
+<addon id="plugin.audio.subsonic" name="Subsonic" version="2.0.8" provider-name="BasilFX,grosbouff,silascutler,Heruwar">
 <requires>
    <import addon="xbmc.python" version="2.14.0"/>
    <import addon="script.module.dateutil" version="2.4.2"/>
--- a/lib/libsonic_extra/init.py
+++ b/lib/libsonic_extra/init.py
@ -60,10 +60,11 @@ class SubsonicClient(libsonic.Connection):
        # Pick a default port
        host = "%s://%s" % (scheme, parts.hostname)
        port = parts.port or {"http": 80, "https": 443}[scheme]
+        path = parts.path.rstrip('/') + '/rest'

        # Invoke original constructor
        super(SubsonicClient, self).__init__(
-            host, username, password, port=port, appName='Kodi', apiVersion=apiversion, insecure=insecure, legacyAuth=legacyauth)
+            host, username, password, port=port, serverPath=path, appName='Kodi', apiVersion=apiversion, insecure=insecure, legacyAuth=legacyauth)

    def getIndexes(self, *args, **kwargs):
        """
@ -292,7 +293,8 @@ class SubsonicClient(libsonic.Connection):
            parts = list(urlparse.urlparse(
                args[0].get_full_url() + "?" + args[0].data))
            parts[4] = dict(urlparse.parse_qsl(parts[4]))
-            parts[4].update({"u": self.username, "p": self.password})
+            if self._legacyAuth:
+                parts[4].update({"u": self.username, "p": 'enc:%s' % self._hexEnc(self._rawPass)})
            parts[4] = urllib.urlencode(parts[4])

            return urlparse.urlunparse(parts)
--- a/main.py
+++ b/main.py
@ -51,8 +51,8 @@ def get_connection():
        try:
            connection = libsonic_extra.SubsonicClient(
                Addon().get_setting('subsonic_url'),
-                Addon().get_setting('username'),
-                Addon().get_setting('password'),
+                Addon().get_setting('username', convert=False),
+                Addon().get_setting('password', convert=False),
                Addon().get_setting('apiversion'),
                Addon().get_setting('insecure') == 'true',
                Addon().get_setting('legacyauth') == 'true',