Merge tag 'v0.21.10'

release v0.21.10

Merge tag 'v0.21.10'
adffbba2 · Max Kellermann · 120e570d · e2390092 · adffbba2 · adffbba2
Commit adffbba2 authored Jun 05, 2019 by Max Kellermann
5 changed files
--- a/NEWS
+++ b/NEWS
@@ -12,7 +12,11 @@ ver 0.22 (not yet released)
  - ffmpeg: new plugin based on FFmpeg's libavfilter library
  - hdcd: new plugin based on FFmpeg's "af_hdcd" for HDCD playback

-ver 0.21.10 (not yet released)
+ver 0.21.10 (2019/06/05)
+* decoder
+  - opus: fix duplicate tags
+* output
+  - httpd: reject some well-known URIs
 * fix crash bug (0.21.9 regression)

 ver 0.21.9 (2019/05/20)

--- a/src/decoder/plugins/OpusReader.hxx
+++ b/src/decoder/plugins/OpusReader.hxx
 /*
- * Copyright 2003-2018 The Music Player Daemon Project
+ * Copyright 2003-2019 The Music Player Daemon Project
 * http://www.musicpd.org
 *
 * This program is free software; you can redistribute it and/or modify
@@ -20,6 +20,8 @@
 #ifndef MPD_OPUS_READER_HXX
 #define MPD_OPUS_READER_HXX

+#include "util/StringView.hxx"
+
 #include <algorithm>

 #include <stdint.h>
@@ -81,18 +83,16 @@ public:
 		return ReadWord(length) && Skip(length);
 	}

-	char *ReadString() {
+	StringView ReadString() {
 		uint32_t length;
-		if (!ReadWord(length) || length >= 65536)
+		if (!ReadWord(length))
 			return nullptr;

 		const char *src = (const char *)Read(length);
 		if (src == nullptr)
 			return nullptr;

-		char *dest = new char[length + 1];
-		*std::copy_n(src, length, dest) = 0;
-		return dest;
+		return {src, length};
 	}
 };


--- a/src/decoder/plugins/OpusTags.cxx
+++ b/src/decoder/plugins/OpusTags.cxx
@@ -24,6 +24,8 @@
 #include "tag/ParseName.hxx"
 #include "ReplayGainInfo.hxx"

+#include <string>
+
 #include <stdint.h>
 #include <string.h>
 #include <stdlib.h>
@@ -91,18 +93,25 @@ ScanOpusTags(const void *data, size_t size,
 		return false;

 	while (n-- > 0) {
-		char *p = r.ReadString();
-		if (p == nullptr)
+		const auto s = r.ReadString();
+		if (s == nullptr)
 			return false;

-		char *eq = strchr(p, '=');
-		if (eq != nullptr && eq > p) {
-			*eq = 0;
+		if (s.size >= 4096)
+			continue;

-			ScanOneOpusTag(p, eq + 1, rgi, handler);
-		}
+		const auto eq = s.Find('=');
+		if (eq == nullptr || eq == s.data)
+			continue;
+
+		auto name = s, value = s;
+		name.SetEnd(eq);
+		value.MoveFront(eq + 1);
+
+		const std::string name2(name.data, name.size);
+		const std::string value2(value.data, value.size);

-		delete[] p;
+		ScanOneOpusTag(name2.c_str(), value2.c_str(), rgi, handler);
 	}

 	return true;

--- a/src/output/plugins/httpd/HttpdClient.cxx
+++ b/src/output/plugins/httpd/HttpdClient.cxx
@@ -71,10 +71,10 @@ HttpdClient::HandleLine(const char *line) noexcept
 	assert(state != State::RESPONSE);

 	if (state == State::REQUEST) {
-		if (memcmp(line, "HEAD /", 6) == 0) {
+		if (strncmp(line, "HEAD /", 6) == 0) {
 			line += 6;
 			head_method = true;
-		} else if (memcmp(line, "GET /", 5) == 0) {
+		} else if (strncmp(line, "GET /", 5) == 0) {
 			line += 5;
 		} else {
 			/* only GET is supported */
@@ -83,8 +83,19 @@ HttpdClient::HandleLine(const char *line) noexcept
 			return false;
 		}

+		/* blacklist some well-known request paths */
+		if ((strncmp(line, "favicon.ico", 11) == 0 &&
+		     (line[11] == '\0' || line[11] == ' ')) ||
+		    (strncmp(line, "robots.txt", 10) == 0 &&
+		     (line[10] == '\0' || line[10] == ' ')) ||
+		    (strncmp(line, "sitemap.xml", 11) == 0 &&
+		     (line[11] == '\0' || line[11] == ' ')) ||
+		    (strncmp(line, ".well-known/", 12) == 0)) {
+			should_reject = true;
+		}
+
 		line = strchr(line, ' ');
-		if (line == nullptr || memcmp(line + 1, "HTTP/", 5) != 0) {
+		if (line == nullptr || strncmp(line + 1, "HTTP/", 5) != 0) {
 			/* HTTP/0.9 without request headers */

 			if (head_method)
@@ -129,7 +140,14 @@ HttpdClient::SendResponse() noexcept

 	assert(state == State::RESPONSE);

-	if (metadata_requested) {
+	if (should_reject) {
+		response =
+			"HTTP/1.1 404 not found\r\n"
+			"Content-Type: text/plain\r\n"
+			"Connection: close\r\n"
+			"\r\n"
+			"404 not found";
+	} else if (metadata_requested) {
 		allocated =
 			icy_server_metadata_header(httpd.name, httpd.genre,
 						   httpd.website,
@@ -415,7 +433,7 @@ HttpdClient::OnSocketInput(void *data, size_t length) noexcept
 		if (!SendResponse())
 			return InputResult::CLOSED;

-		if (head_method) {
+		if (head_method || should_reject) {
 			LockClose();
 			return InputResult::CLOSED;
 		}

--- a/src/output/plugins/httpd/HttpdClient.hxx
+++ b/src/output/plugins/httpd/HttpdClient.hxx
@@ -83,6 +83,11 @@ class HttpdClient final
 	 */
 	bool head_method = false;

+	/**
+	 * Should we reject this request?
+	 */
+	bool should_reject = false;
+
 	/* ICY */

 	/**