jcorporation / myMPD

myMPD is a standalone and mobile friendly web mpd client with a tiny footprint and advanced features.
https://jcorporation.github.io/myMPD/
GNU General Public License v3.0

Cannot use Umlauts in playlist name #111

Closed onkobu closed 5 years ago

onkobu commented 5 years ago

When saving a playlist with a name that contains Umlauts, first a JavaScript alert appears with the Umlaut. After clicking OK it disappears and the file name is annotated with »Invalid Filename«.

Nevertheless I can create the playlist by replacing for example ö with oe (Hörspiel -> Hoerspiel), then change to mpd's playlist-directory, rename the m3u-file to contain ö again and use/edit/browse it happily in myMPD.

To Reproduce

  1. Add something to the queue
  2. Save as playlist
  3. Enter name with Umlaut, e.g. Hörspiel
  4. See error

Expected behavior: Playlist is saved no matter what (regular UTF-8) characters are put in.

Desktop (please complete the following information):

jcorporation commented 5 years ago

myMPD supports only alphanumeric characters in playlist names for security reasons. I will look at how I can support all UTF-8 characters without compromising security.

onkobu commented 5 years ago

Is this something caused by sanitizing input a bit too restrictively, a regular expression with a-zA-Z0-9? Then simply add äöüÄÖÜß to the character class. And I didn't check if the backend also rejects magic characters, so maybe this affects front- and backend?

jcorporation commented 5 years ago

The filenames are also checked in the backend. The frontend checks are only for better usability, not for safety. Adding only special German characters to the allowed character list doesn't solve the problem at all. I think a blacklist approach could be better in this case. I will look in the mpd source at how the filenames are restricted there and migrate this approach to myMPD.

jcorporation commented 5 years ago

Checked: mpd disallows only \r, \n and / characters in playlist names.
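The two backend rules discussed in this thread, side by side, as an added example that is not myMPD's or mpd's own code: an alphanumeric-only allowlist and a denylist of `\r`, `\n` and `/`. The function names, the empty-name rejection and the sample names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Allowlist as described in the thread: ASCII letters and digits only.
 * Every byte of a multibyte UTF-8 character is >= 0x80, so "ö" fails. */
static bool plname_ok_allowlist(const char *name) {
    if (name == NULL || *name == '\0') return false;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        bool alnum = (*p >= '0' && *p <= '9') || (*p >= 'A' && *p <= 'Z') ||
                     (*p >= 'a' && *p <= 'z');
        if (!alnum) return false;
    }
    return true;
}

/* Denylist as reported for mpd: reject only \r, \n and /.
 * A byte-wise scan is safe on UTF-8 input because these three ASCII bytes
 * never occur inside a multibyte sequence. Rejecting "/" is what keeps the
 * name from addressing a path outside the playlist directory.
 * Assumption: empty names are rejected too. This does not check that the
 * input is well-formed UTF-8. */
static bool plname_ok_denylist(const char *name) {
    if (name == NULL || *name == '\0') return false;
    return name[strcspn(name, "\r\n/")] == '\0';
}

int main(void) {
    /* Constructed sample names, not taken from the project. */
    const char *samples[] = {
        "Hoerspiel",
        "H\xc3\xb6rspiel",   /* "Hörspiel" encoded as UTF-8 */
        "../outside",
        "two\nlines",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("sample %zu: allowlist=%d denylist=%d\n", i,
               plname_ok_allowlist(samples[i]),
               plname_ok_denylist(samples[i]));
    }
    return 0;
}
```
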

jcorporation commented 5 years ago

Fix is now in devel. I close this issue.

onkobu commented 5 years ago

There is an issue with that in function saveQueue: variable from no longer exists but is used to call validate_plname. This ought to be var a instead (result of document.getElementById…"saveQueueName").value). Fixing this makes it work like a charm. Keeping it as is makes saving any playlist impossible: undefined variable from.

In addition the new subdir-feature to create the URLs/ basename is a great feature, esp. when proxying.

jcorporation commented 5 years ago

Bug confirmed, will be fixed in next release.