Bug 1669 - setting username to 'squeezebox' in Server Settings -> Security breaks audio
Status: RESOLVED FIXED
Product: Logitech Media Server
Classification: Unclassified
Component: Audio
Version: 6.1.0
Hardware: All All
Importance: P2 normal
Assigned To: Dan Sully
Reported: 2005-06-13 11:32 UTC by Kevin Pearsall
Modified: 2009-09-08 09:26 UTC

Description Kevin Pearsall 2005-06-13 11:32:35 UTC
Customer reported--wow, I would not have caught this myself...
--------------------------------------------------------------
Bad news: Nightly build doesn't work either.
Good news: I found the bug by browsing through the source.

For stream.mp3 the communication between Squeezebox and web server is done
by using the username 'squeezebox' (and maybe other names) and a random
password. That's exactly the username I picked for the web interface. This
breaks the communication for the Squeezebox.

When I change my username to something different, everything works fine.

Thanks for helping. I hope the details below help too :)

- Richard

Details:
Slim/Web/HTTP.pm checks first for the username/password, then for the client
passwords. This breaks when the chosen username is a client name. This could
be solved by removing the else in line 1937 so the client password check
block in lines 1939-1946 would always get a chance to run, even if the
username is set to squeezebox.


1923 : daniel  675   if ($username eq Slim::Utils::Prefs::get('username')) {
1924 : dean  2
1925 : daniel  675    my $pwd  = Slim::Utils::Prefs::get('password');
1926 :
1927 :         if ($pwd eq $password && $pwd eq '') {
1928 :
1929 :          $ok = 1;
1930 :
1931 :         } else {
1932 :
1933 :          my $salt = substr($pwd, 0, 2);
1934 : kdf  1677     $ok = 1 if crypt($password, $salt) eq $pwd;
1935 : daniel  675    }
1936 :
1937 : dean  2   } else {
1938 :
1939 : daniel  675    foreach my $client (Slim::Player::Client::clients()) {
1940 :
1941 :          if (defined($client->password()) && $client->password() eq $password) {
1942 :           $ok = 1;
1943 :           last;
1944 :          }
1945 :         }
1946 : dean  2   }
Comment 1 Dan Sully 2005-08-23 22:33:52 UTC
I don't understand this bug at all.. SB1/SB2 don't send a username/password, do they?
Comment 2 Blackketter Dean 2005-08-23 23:03:24 UTC
Actually, SB/SB2 does send a name/password when connecting for their stream, the password is in 
$client->password() and is used when the user has authentication turned on.

A better fix would be not to use "squeezebox" as the default name, as it's not even checked.  Probably 
replace line 618 in Squeezebox.pm: 

				my $password = encode_base64('squeezebox:' . $client->password);

with:

				my $password = encode_base64('squeezeboxXXX:' . $client->password);

would be sufficient.
Comment 3 Dan Sully 2005-08-24 08:45:44 UTC
Fixed in subversion change 4042
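
The check order analysed in the description, as an added example that is not the project's own code: a standalone Perl model of the branch at lines 1923-1946 beside the reporter's proposed removal of the else. `%prefs`, `@clients`, the helper names and the sample credentials are constructed for illustration, and nothing here represents what change 4042 actually did.

```perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);

# Constructed sample state: the web username collides with the player's name.
# Assumes the platform crypt() still accepts a traditional 2-character salt.
my %prefs   = (username => 'squeezebox', password => crypt('webpass', 'ab'));
my @clients = ({ password => 'r4nd0mclientpw' });   # per-player random password

# Mirrors the client loop (lines 1939-1945): only the password is compared.
sub client_password_ok {
    my ($password) = @_;
    for my $client (@clients) {
        return 1 if defined $client->{password} && $client->{password} eq $password;
    }
    return 0;
}

# Mirrors lines 1925-1935: empty-password case, otherwise crypt() comparison.
sub web_password_ok {
    my ($password) = @_;
    my $pwd = $prefs{password};
    return 1 if $pwd eq $password && $pwd eq '';
    return crypt($password, substr($pwd, 0, 2)) eq $pwd ? 1 : 0;
}

# Original order: a username match selects the web check and skips the clients.
sub check_original {
    my ($username, $password) = @_;
    return web_password_ok($password) if $username eq $prefs{username};
    return client_password_ok($password);
}

# Reporter's proposal: no else, so the client check always gets a chance to run.
sub check_without_else {
    my ($username, $password) = @_;
    return 1 if $username eq $prefs{username} && web_password_ok($password);
    return client_password_ok($password);
}

# What the player sends for its stream, per Comment 2: base64 of 'squeezebox:<pw>'.
my $header = encode_base64('squeezebox:' . $clients[0]{password}, '');
my ($user, $pass) = split /:/, decode_base64($header), 2;

for my $case (['player stream', $user, $pass], ['web user', 'squeezebox', 'webpass'],
              ['wrong password', 'squeezebox', 'nope']) {
    my ($label, $u, $p) = @$case;
    printf "%-15s original=%d without_else=%d\n",
        $label, check_original($u, $p), check_without_else($u, $p);
}
```

In both variants the client loop compares only the password, which is the behaviour Comment 2 refers to when it says the name is not even checked.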