warwickh / plugin.audio.subsonic

Kodi plugin to stream music from Subsonic.
MIT License

Path support and security improvements #18

Closed ghost closed 6 years ago

ghost commented 6 years ago

1) Fixes a security issue where the password is sent as plaintext in the URL query parameters when methods from libsonic_extas are used. Also adds Subsonic hex encoding when using legacy auth.

2) Adds support for URL paths like https://hostname.com/subsonic as requested in #17 and also encountered in some of the reports in #14 and #5

3) Fixes an error when the password only contains digits, which simpleplugin converts to a Long, which later fails when libsonic tries to salt the password expecting a string.

ghost commented 6 years ago

Hey, when I tested this without legacy auth it seemed like the salted password and username were always set in the URL already, so I'm not really sure in what situation one would need to update the username and password that way. If you feel like it's too risky and might break something unexpected, feel free to remove that part; just keep in mind that it means passwords will be sent in plaintext again until a better solution is found.
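The two Subsonic authentication modes discussed in the comments above, as an added example that is not code from this pull request or from the plugin. The function names `auth_params`, `build_url` and `sends_cleartext` and the sample credentials are assumptions made for illustration; the parameter names `u`, `p`, `t`, `s` and the `enc:` prefix are the Subsonic REST API's own.

```python
import binascii
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def auth_params(username, password, legacy=False, salt=None):
    """Return Subsonic auth query parameters that never carry the raw password."""
    # A settings layer may hand back an all-digit password as a number;
    # coerce to text before hashing or encoding (point 3 of the description).
    password = str(password)
    if legacy:
        # Legacy auth: p=enc:<hex of the UTF-8 password>. Hex is reversible
        # obfuscation, so confidentiality still depends on HTTPS.
        hexed = binascii.hexlify(password.encode("utf-8")).decode("ascii")
        return {"u": username, "p": "enc:" + hexed}
    # Token auth: t = md5(password + salt), s = salt, fresh salt per request.
    salt = salt or secrets.token_hex(8)
    token = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return {"u": username, "t": token, "s": salt}


def build_url(base_url, view, params):
    """Join a base URL that may include a path (e.g. /subsonic) with a REST view."""
    return "%s/rest/%s?%s" % (base_url.rstrip("/"), view, urlencode(params))


def sends_cleartext(url, password):
    """True if the URL's p parameter is the unencoded password."""
    query = parse_qs(urlsplit(url).query)
    return str(password) in query.get("p", [])


if __name__ == "__main__":
    # Constructed sample values, not taken from any real server.
    base = "https://hostname.com/subsonic/"
    print(build_url(base, "ping.view", auth_params("demo", "sesame", salt="c19b2d")))
    print(build_url(base, "ping.view", auth_params("demo", 1234, legacy=True)))
```

Running `sends_cleartext` over every URL the client builds is a cheap regression check that neither code path falls back to `p=<password>`.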

gordielachance commented 6 years ago

Mhh... Not sure what I have to do here, even if I would like to merge your changes. Can anyone help on this?