Of course, mode=0700 is more secure, but allowing other users access
to new directories is a choice the user should make via umask(). If
the user-chosen umask allows everybody access, MPD should probably
respect that.
The function spl_valid_name() should verify playlist names and prevent
path traversal, but it failed to do so on Windows, because it forgot
to check for backslashes.
This buggy piece of code was already present when stored playlists
were initially implemented in 2006 by commit 08003904d7, and
even during the many rounds of code refactoring, nobody ever bothered
to verify it. D'oh!
(Thanks, Paul Arzelier)
snprintf() does not return the (truncated) length actually written,
but the length that would be needed if the buffer were large enough.
This API usage mistake in FormatLastError() can lead to overflow of
the stack buffer, crashing the process (Windows only).
Closes https://github.com/MusicPlayerDaemon/MPD/issues/1676
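The snprintf() return-value pitfall described in the commit message above, as an added example that is not MPD's code: it contrasts the mistaken "remaining space" calculation with a clamped one. All function names, the message format and the sample strings are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* What snprintf() reports: the length the complete output needs, which
 * is larger than the buffer when the output was truncated. */
static int reported_length(char *buf, size_t size, const char *msg, unsigned code)
{
    return snprintf(buf, size, "%s: error %u: ", msg, code);
}

/* The mistake: treating that value as "bytes written". If n > size the
 * unsigned subtraction wraps, so a later write at buf + n that trusts
 * this "remaining space" lands outside the buffer. */
static size_t naive_remaining(size_t size, int n)
{
    return size - (size_t)n;
}

/* Corrected: the number of characters actually stored, excluding the NUL. */
static size_t stored_length(size_t size, int n)
{
    if (n < 0 || size == 0)
        return 0; /* output error, or no room at all */
    return (size_t)n >= size ? size - 1 : (size_t)n;
}

/* Write the prefix, then append detail text at the clamped offset.
 * Returns the length of the resulting string; never writes past buf. */
static size_t format_with_detail(char *buf, size_t size, const char *msg,
                                 unsigned code, const char *detail)
{
    if (size == 0)
        return 0;
    size_t used = stored_length(size, reported_length(buf, size, msg, code));
    int m = snprintf(buf + used, size - used, "%s", detail);
    return used + stored_length(size - used, m);
}

int main(void)
{
    char small[16]; /* constructed sample: deliberately too small */
    int n = reported_length(small, sizeof small, "a very long message prefix", 5);
    printf("reported=%d naive_remaining=%zu stored=%zu\n", n,
           naive_remaining(sizeof small, n), stored_length(sizeof small, n));
    printf("final=%zu \"%s\"\n", format_with_detail(small, sizeof small,
           "a very long message prefix", 5, "access denied"), small);
    return 0;
}
```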
If no archive library was found, return from the "plugins" directory
without creating "libarchive_plugins.a". Empty static libraries are
unsupported on some operating systems such as macOS.
Closes https://github.com/MusicPlayerDaemon/MPD/issues/1650
According to the latest WebDAV specification (RFC4918),
the timestamp string in the getlastmodified property is formatted
as rfc1123-date, such as "Sun, 06 Nov 1994 08:49:37 GMT".
However, to process responses from servers in the older style
format specified in RFC2518, timestamps in the HTTP-date format
had better be accepted.
As described in the libcurl API documentation, curl_getdate() can handle
timestamp strings in HTTP-date formats, including rfc1123-date.
https://www.rfc-editor.org/rfc/rfc4918#section-15.7
https://www.rfc-editor.org/rfc/rfc2518.html#section-13.7
https://curl.se/libcurl/c/curl_getdate.html
This fixes a bug introduced in 87fa6bca where the FLAC encoder fails to
initialize unless libFLAC is built with Ogg support. When libFLAC is
built without Ogg support, FLAC__stream_encoder_set_ogg_serial_number
unconditionally returns false.