#1 |
|
Junior Member
|
upgrading winamp broke notifications
I used to have album art notifications. Now they don't work. I noticed it happened right after I upgraded to 5.05. It happens for any skin that uses the open source notifier (Classix Player, LayerOne). Now it just shows a broken website where the album art image should be. Is this happening to anyone else? I tried redownloading the skins, but nope. Any ideas?
EDIT: After reinstalling 5.04, everything works. Perhaps it was a new 5.05 security feature?
Last edited by blackgizmo; 29th August 2004 at 03:49.
#2 |
|
Techorator
Winamp Team Join Date: Jun 2000
Posts: 35,129
|
[changed topic title accordingly]
Yup. It is the new security patch in 5.05 causing this. Good to know that the patch is working!
html files are no longer extracted... so "opensource_notifier/html/cdcover.html" won't be extracted and therefore cover art can't be displayed :/
I'm not sure if cdcover.html can be added to the safelist, because it then leaves the possibility of it being exploited by some malicious 3rd-party.
Two workarounds...
1. The open source notifier people make it so it links to cdcover.html on a remote server, instead of on the local machine.
2. You rename the .wal to .zip and then extract all files within to a subfolder in the Skins dir. This makes it so the skin is instantly usable without the need to decompress the files into a temp dir (which is the way the default Winamp Modern skin works). You can then remove the wal/zip file afterwards.
#3 |
|
Nothing to say...
Join Date: Sep 2000
Location: UK
Posts: 23,020
|
Does seem a little extreme considering you can still force winamp to open an HTML page from the web within a skin, check out some of my skins that feature a "homepage" window in them, or "click here to visit website" buttons in them, what's to stop me loading up a malicious page that way?
If you are gonna break it so winamp won't load html, then there also needs to be a recompile of wasabi to stop people using the system.navigateUrl command in Maki.
/edit, if anyone is using Lounge, Boxor, Kjofol or Assmosis then I'll be doing a rebuild of them later to remove the album cover stuff.
#5 |
|
Nothing to say...
Join Date: Sep 2000
Location: UK
Posts: 23,020
|
Could do, only one snag with that, this site doesn't accept skins in the exe format, so it's kind of back to square one.
Holding the HTML on another site is an option, so that the script can be run remotely, but how long until someone takes advantage of that and runs a malicious script remotely, to be honest I'm amazed it hasn't been done before now, that was the first thought I had when I discovered I could open remote HTML in a skin 4 years ago. In this instance it's probably easier to remove the option totally, kind of buggers up the idea of having a totally flexible skin engine however :/
#6 |
|
Techorator
Winamp Team Join Date: Jun 2000
Posts: 35,129
|
Yeah
Alas, security must come first these days :/
I was thinking more along the lines of hosting the nsis installer exe's on a different site to winamp.com, eg. fusionamp.com
Re: running remote html
Any skins running malicious scripts etc won't make it on to the winamp site, so it's entirely up to the user if they install skins from a non-trusted source. The main thing is that the skins won't be able to install and run automatically like they did before.
#7 |
|
Nothing to say...
Join Date: Sep 2000
Location: UK
Posts: 23,020
|
I wouldn't count on that, I'll be buggered if I'm clicking on any suspicious links that might be in skins submitted, never know what they might do.
Anyhow, for my part the skins I've done for Nullsoft Skinz will be updated at the latest tomorrow, done the recompile of them and removed the album cover stuff, just need to test them for a bit to make sure they don't bork in any other way.
#8 |
|
Junior Member
|
thanks
thanks for the help guys, was driving me nuts trying to find out what was wrong
#9 | |
|
Techorator
Winamp Team Join Date: Jun 2000
Posts: 35,129
|
Quote:
#10 |
|
Senior Member
Join Date: Feb 2003
Location: canada, eh?
Posts: 296
|
it would be nice if nullsoft could host a common album cover server for use in winamp5, but we all know that's not likely to happen without some kind of partnership with amazon...
#11 |
|
The Albertan
Join Date: Mar 2001
Location: Sunny Southern Alberta
Posts: 6,050
|
I reckon that will be the end of accepting skins that link to outside HTML. Even though most of those links are in the sponsored skins, those will not be affected as Nullsoft staff reviews those.
However, the other ones will be affected, sorry.
"We are all faced with a series of great opportunities brilliantly disguised as impossible situations." ~ Charles R. Swindoll
#12 |
|
Banned
Join Date: Jan 2001
Location: Norway
Posts: 927
|
There should be a major recompile of the entire Modern Skins engine in Winamp 5 series.
Today Winamp uses the WebBrowser control (Internet Explorer server) to display HTML content which imposes a security risk. Winamp should have its own HTML rendering library which would only render the HTML content without executing VBScript/JScript embedded in the HTML. I know there are some open source HTML renderers out there which could easily be used in Winamp (but then Winamp had to be open source too, right??). It's something to think about...
Microsoft is releasing Service Pack 2 to Windows XP which will have a lot of security fixes for Internet Explorer. Doubt that it will help much... A popup-blocker has been available as 3rd party software for years, and we like Mozilla Firefox and Opera much more anyway.
#13 |
|
Techorator
Winamp Team Join Date: Jun 2000
Posts: 35,129
|
Well, the only html used in the default winamp client is in the media library, ie. for the Minibrowser (Now Playing) and Info Viewer.
The Info Viewer uses info.winamp.com only and is pretty safe, and the minibrowser already has the option to "not allow web content to execute javascript and ActiveX" (which is enabled by default)... so I don't really see the problem there.
Hmm... ponderous, heh.
#14 |
|
Banned
Join Date: Jan 2001
Location: Norway
Posts: 927
|
I know this, but the Media Library's Minibrowser (a.k.a Now playing page) isn't part of the Modern Skins support (gen_ff.dll plug-in).
Modern Skins have access to a lot of the stuff originally created for Winamp 3 (wasabi) which means MAKI script language and various <browser> XML tags. All of this can be malicious. And it really doesn't help that Internet Explorer is pulled in to display HTML content. And we all know how bad Internet Explorer is when it comes to security... I rest my case!
#15 |
|
When loading remote html, IE uses the "Internet Zone" restrictions, and *shouldn't* (if this were the best of all possible worlds) be allowed to do anything malicious. The security exploit was possible because Winamp was loading the html from the local machine, and that placed it in the "Local" Zone which is pretty much unrestricted in regards to how it can interact with the system. Now, this is prevented by only allowing "safe" file extensions to be extracted from the wal or wsz, thus never extracting and running a local html file.
Using another HTML renderer would add a lot of overhead to the Winamp package, and wouldn't necessarily make Winamp more secure. See the (very) recent Mozilla security updates, for instance. Had Winamp been using an unpatched version of the Mozilla rendering control, it pretty much would have allowed the same basic exploit, with only minor differences in how it was achieved.
-=Gonzotek=- But I'm feeling much better now.
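Added example, not part of the thread and not Winamp's own code: a minimal Python sketch of the fix described in the post above, extracting only allowlisted file extensions from a skin archive (a .wal/.wsz is a zip) so that a bundled local html file never lands on disk. The allowlist contents, function names and sample archive are assumptions made for illustration; the thread does not list the real safelist.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed allowlist for illustration; the thread does not give Winamp's actual safelist.
SAFE_EXTENSIONS = {".xml", ".png", ".jpg", ".bmp", ".maki", ".m", ".txt", ".ttf"}

def is_safe_member(name):
    """Accept only relative, non-traversing paths with an allowlisted extension."""
    normalized = name.replace("\\", "/")
    path = PurePosixPath(normalized)
    if path.is_absolute() or ".." in path.parts or ":" in normalized:
        return False
    # Compare case-insensitively so COVER.HTM is treated like cover.htm.
    return path.suffix.lower() in SAFE_EXTENSIONS

def extract_skin(archive_bytes):
    """Return (extracted files, skipped names) for a zip-format skin archive."""
    extracted, skipped = {}, []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if is_safe_member(info.filename):
                extracted[info.filename] = zf.read(info)
            else:
                skipped.append(info.filename)  # never written out, only reported
    return extracted, skipped

def build_sample_skin():
    """Constructed sample archive for the demo, not a real skin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("skin.xml", "<WinampAbstractionLayer/>")
        zf.writestr("opensource_notifier/html/cdcover.html", "<html></html>")
        zf.writestr("opensource_notifier/html/COVER.HTM", "<html></html>")
        zf.writestr("../outside.xml", "<x/>")
        zf.writestr("player/main.png", b"\x89PNG")
    return buf.getvalue()

if __name__ == "__main__":
    files, skipped = extract_skin(build_sample_skin())
    print("extracted:", sorted(files))
    print("skipped:  ", sorted(skipped))
```

The sketch keeps extracted data in memory; an extractor that writes to a temp dir would apply the same check before creating each file.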
#17 | |
|
Banned
Join Date: Jan 2001
Location: Norway
Posts: 927
|
Hmm...
Quote:
HTML should only be used for displaying graphics and formatted text when in the context of Winamp Skins. If people require scripting then they have access to the MAKI language. Generate HTML using MAKI and direct the HTML graphics and formatting only renderer to display the HTML to the user. Is it so hard to get??
#18 |
|
Passionately Apathetic
Administrator Join Date: May 2000
Location: Hell
Posts: 5,437
|
IE can remove the scripting ability. big deal.
besides, if you remove the scripting, things like the album art is moot since you couldn't instantiate anything to parse the xml.
seriously saivert, rather than shout out rants, perhaps you should be asking questions. course, i suppose asking if we get it is a question. so i'll answer. yes, we do.
#20 |
|
Junior Member
Join Date: Dec 2003
Posts: 16
|
I didn't really understand the lengthy conversation above, and I'm still a bit confused.. is it at all possible to get cover-art notifiers in WA5.05?
#21 |
|
Nothing to say...
Join Date: Sep 2000
Location: UK
Posts: 23,020
|
Nope, not skins using the open source notifier project.
Although there are plugins out there that will give you notifiers with album covers, Toaster for example.
http://www.winamp.com/plugins/details.php?id=138586
#22 |
|
Member
Join Date: Mar 2004
Posts: 68
|
Happened to me too. Something (but definitely not winamp5.05) broke the opensource notifier. It displayed something about XML updates etc.
The solution is pretty simple really. I just deleted studio.xnf and now everything is fine. Of course I lost all winamp modern skins settings but that is just a few so no problem at all.
EDIT: Just read the whole post. Open source notifier worked for me with winamp 5.05 because I was using the default winamp modern skin with the open source notifier I have added manually (can't get detached from the default skin). So the skin was not packed as a wal and so no file extracting was taking place. So wouldn't it be better to just extract the open-source-notifier skins manually instead of modifying the existing skins? TIP! TIP!
#24 |
|
Member
Join Date: Mar 2004
Posts: 68
|
Oops, sorry...