Old 29th August 2004, 02:55   #1
blackgizmo
Junior Member
 
Join Date: Aug 2004
Location: USA
Posts: 6
upgrading winamp broke notifications

I used to have album art notifications. Now they don't work. I noticed it happened right after I upgraded to 5.05. It happens for any skin that uses the open source notifier. (Classix Player, LayerOne) Now it just shows a broken website where the album art image should be. Is this happening to anyone else? I tried redownloading the skins, but nope. Any ideas?

EDIT: After reinstalling 5.04, everything works. Perhaps it was a new 5.05 security feature?

Last edited by blackgizmo; 29th August 2004 at 03:49.
Old 29th August 2004, 08:11   #2
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
[changed topic title accordingly]

Yup. It is the new security patch in 5.05 causing this.
Good to know that the patch is working!

html files are no longer extracted...
so "opensource_notifier/html/cdcover.html" won't be extracted
and therefore cover art can't be displayed :/

I'm not sure if cdcover.html can be added to the safelist, because it then leaves the possibility of it being exploited by some malicious 3rd-party.

Two workarounds...

1. The open source notifier people make it so it links to cdcover.html on a remote server, instead of on the local machine.

2. You rename the .wal to .zip
and then extract all files within to a subfolder in the Skins dir. This makes it so the skin is instantly usable without the need to decompress the files into a temp dir (which is the way the default Winamp Modern skin works).
You can then remove the wal/zip file afterwards.
Old 29th August 2004, 18:30   #3
Mr Jones
Nothing to say...
 
Join Date: Sep 2000
Location: UK
Posts: 23,064
Does seem a little extreme considering you can still force winamp to open an HTML page from the web within a skin, check out some of my skins that feature a "homepage" window in them, or "click here to visit website" buttons in them, what's to stop me loading up a malicious page that way?

If you are gonna break it so winamp won't load html, then there also needs to be a recompile of wasabi to stop people using the system.navigateUrl command in Maki.


/edit, if anyone is using Lounge, Boxor, Kjofol or Assmosis then I'll be doing a rebuild of them later to remove the album cover stuff.
Old 29th August 2004, 18:54   #4
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
You could make an alternative nsis installer for the cover art version, which extracts the wal to a folder on install...?
Old 29th August 2004, 18:59   #5
Mr Jones
Nothing to say...
 
Join Date: Sep 2000
Location: UK
Posts: 23,064
Could do, only one snag with that, this site doesn't accept skins in the exe format, so it's kind of back to square one.

Holding the HTML on another site is an option, so that the script can be run remotely, but how long until someone takes advantage of that and runs a malicious script remotely, to be honest I'm amazed it hasn't been done before now, that was the first thought I had when I discovered I could open remote HTML in a skin 4 years ago.

In this instance it's probably easier to remove the option totally, kind of buggers up the idea of having a totally flexible skin engine however :/
Old 29th August 2004, 19:03   #6
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
Yeah

Alas, security must come first these days :/

I was thinking more along the lines of hosting the nsis installer exe's on a different site to winamp.com, eg. fusionamp.com


Re: running remote html
Any skins running malicious scripts etc won't make it on to the winamp site, so it's entirely up to the user if they install skins from a non-trusted source. The main thing is that the skins won't be able to install and run automatically like they did before.
Old 29th August 2004, 19:22   #7
Mr Jones
Nothing to say...
 
Join Date: Sep 2000
Location: UK
Posts: 23,064
I wouldn't count on that, I'll be buggered if I'm clicking on any suspicious links that might be in skins submitted, never know what they might do

Anyhow, for my part the skins I've done for Nullsoft Skinz will be updated at the latest tomorrow, done the recompile of them and removed the album cover stuff, just need to test them for a bit to make sure they don't borke in any other way.
Old 29th August 2004, 21:14   #8
blackgizmo
Junior Member
 
Join Date: Aug 2004
Location: USA
Posts: 6
thanks

thanks for the help guys, was driving me nuts trying to find out what was wrong
Old 29th August 2004, 22:41   #9
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
Quote:
Originally posted by Mr Jones
I wouldn't count on that, I'll be buggered if I'm clicking on any suspicious links that might be in skins submitted, never know what they might do
Then I guess that things will probably need to change in that department
Old 30th August 2004, 04:40   #10
eh?one
Senior Member
 
Join Date: Feb 2003
Location: canada, eh?
Posts: 296
it would be nice if nullsoft could host a common album cover server for use in winamp5, but we all know that's not likely to happen without some kind of partnership with amazon...
Old 30th August 2004, 06:16   #11
Wildrose-Wally
The Albertan
 
Join Date: Mar 2001
Posts: 6,122
I reckon that will be the end of accepting skins that link to outside HTML. Even though most of those links are in the sponsored skins, those will not be affected as Nullsoft staff reviews those.

However, the other ones will be affected, sorry.
Old 30th August 2004, 07:05   #12
saivert
Banned
 
Join Date: Jan 2001
Location: Norway
Posts: 927
There should be a major recompile of the entire Modern Skins engine in Winamp 5 series.
Today Winamp uses the WebBrowser control (Internet Explorer server) to display HTML content which imposes a security risk. Winamp should have its own HTML rendering library which would only render the HTML content without executing VBScript/JScript embedded in the HTML. I know there are some open source HTML renderers out there which could easily be used in Winamp (but then Winamp had to be open source too, right??).

It's something to think about...

Microsoft is releasing Service Pack 2 to Windows XP which will have a lot of security fixes for Internet Explorer. Doubt that it will help much... A popup-blocker has been available as 3rd party software for years, and we like Mozilla Firefox and Opera much more anyway.
Old 30th August 2004, 07:35   #13
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
Well, the only html used in the default winamp client is in the media library, ie. for the Minibrowser (Now Playing) and Info Viewer.

The Info Viewer uses info.winamp.com only and is pretty safe,
and the minibrowser already has the option to "not allow web content to execute javascript and ActiveX" (which is enabled by default)... so I don't really see the problem there.

Hmm... ponderous, heh.
Old 30th August 2004, 12:50   #14
saivert
Banned
 
Join Date: Jan 2001
Location: Norway
Posts: 927
I know this, but the Media Library's Minibrowser (a.k.a Now playing page) isn't part of the Modern Skins support (gen_ff.dll plug-in).

Modern Skins have access to a lot of the stuff originally created for Winamp 3 (wasabi) which means MAKI script language and various <browser> XML tags. All of this can be malicious. And it really doesn't help that Internet Explorer is pulled in to display HTML content. And we all know how bad Internet Explorer is when it comes to security... I rest my case!
Old 30th August 2004, 13:16   #15
Gonzotek
Gunslinger
 
Join Date: May 2000
Location: Terminus
Posts: 4,693
When loading remote html, IE uses the "Internet Zone" restrictions, and *shouldn't* (if this were the best of all possible worlds) be allowed to do anything malicious. The security exploit was possible because Winamp was loading the html from the local machine, and that placed it in the "Local" Zone which is pretty much unrestricted in regards to how it can interact with the system. Now, this is prevented by only allowing "safe" file extensions to be extracted from the wal or wsz, thus never extracting and running a local html file.

Using another HTML renderer would add a lot of overhead to the Winamp package, and wouldn't necessarily make Winamp more secure. See the (very) recent Mozilla security updates, for instance. Had Winamp been using an unpatched version of the Mozilla rendering control, it pretty much would have allowed the same basic exploit, with only minor differences in how it was achieved.

-=Gonzotek=-

I was away for a while.
But I'm feeling much better now.
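The "safe" extension filtering described in the post above, as an added example that is not part of the original thread and is not Winamp's code. The allowlist contents, the function names and the sample archive are assumptions made for illustration; the thread does not list the real safelist.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Assumed allowlist for illustration; the thread does not give Winamp's actual list.
SAFE_EXTENSIONS = {".xml", ".png", ".jpg", ".bmp", ".maki", ".m", ".ttf", ".txt"}

def is_safe_member(name: str) -> bool:
    """Accept only relative paths without '..' whose final extension is allowlisted."""
    path = PurePosixPath(name.replace("\\", "/"))
    if path.is_absolute() or ".." in path.parts or ":" in name:
        return False
    # Only the last suffix counts, so "notes.txt.HTM" is judged as ".htm".
    return path.suffix.lower() in SAFE_EXTENSIONS

def extract_safe(archive_bytes: bytes, dest: Path):
    """Extract allowlisted members into dest; return (extracted, skipped) name lists."""
    extracted, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not is_safe_member(info.filename):
                skipped.append(info.filename)  # never written to disk
                continue
            parts = PurePosixPath(info.filename.replace("\\", "/")).parts
            target = dest.joinpath(*parts)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            extracted.append(info.filename)
    return extracted, skipped

def build_sample_wal() -> bytes:
    """Constructed sample skin archive (a .wal is a zip); not a real skin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("skin.xml", "<WinampAbstractionLayer/>")
        zf.writestr("player/main.png", b"\x89PNG")
        zf.writestr("opensource_notifier/html/cdcover.html", "<html></html>")
        zf.writestr("notes.txt.HTM", "<script></script>")
        zf.writestr("../outside.xml", "<x/>")
    return buf.getvalue()

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return extract_safe(build_sample_wal(), Path(tmp))

if __name__ == "__main__":
    print(demo())
```

The skipped list is worth logging in a real extractor: it is the reason the skin's cdcover.html never reaches the temp directory, which is exactly the symptom reported in the first post.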
Old 30th August 2004, 19:36   #16
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
what ^he^ said
Old 31st August 2004, 10:14   #17
saivert
Banned
 
Join Date: Jan 2001
Location: Norway
Posts: 927
Hmm...

Quote:
Originally posted by DJ Egg
what ^he^ said
Maybe you agree with Gonzotek, but even if Mozilla is just as unsecure it is just because Mozilla also supports scripts. HTML documents can't do anything malicious (or not malicious) if scripting support was removed from the HTML parser.
HTML should only be used for displaying graphics and formatted text when in the context of Winamp Skins. If people require scripting then they have access to the MAKI language. Generate HTML using MAKI and direct the HTML graphics and formatting only renderer to display the HTML to the user.

Is it so hard to get??
Old 31st August 2004, 12:15   #18
CraigF
Passionately Apathetic
Administrator
 
Join Date: May 2000
Location: Hell
Posts: 5,435
IE can remove the scripting ability. big deal.

besides, if you remove the scripting, things like the album art is moot since you couldn't instantiate anything to parse the xml.

seriously saivert, rather than shout out rants, perhaps you should be asking questions.

course, i suppose asking if we get it is a question. so i'll answer. yes, we do.

Old 31st August 2004, 19:32   #19
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
Quote:
Originally posted by DJ Egg
what ^he^ said
Old 5th September 2004, 07:33   #20
Im1985
Junior Member
 
Join Date: Dec 2003
Posts: 16
I didn't really understand the lengthy conversation above, and I'm still a bit confused.. is it at all possible to get cover-art notifiers in WA5.05?
Old 5th September 2004, 08:54   #21
Mr Jones
Nothing to say...
 
Join Date: Sep 2000
Location: UK
Posts: 23,064
Nope, not skins using the open source notifier project.

Although there are plugins out there that will give you notifiers with album covers, Toaster for example.

http://www.winamp.com/plugins/details.php?id=138586
Old 5th September 2004, 14:33   #22
ampewin
Member
 
Join Date: Mar 2004
Posts: 68
Happened to me too. Something (but definitely not winamp5.05) broke the opensource notifier. It displayed something about XML updates etc.

The solution is pretty simple really. I just deleted studio.xnf and now everything is fine.

Of course I lost all winamp modern skins settings but that is just a few so no problem at all

EDIT:
Just read the whole post. Open source notifier worked for me with winamp 5.05 because I was using the default winamp modern skin with the open source notifier I have added manually (can't get detached from the default skin). So the skin was not packed as a wal and so no file extracting was taking place.

So wouldn't it be better to just extract the open-source-notifier skins manually instead of modifying the existing skins? TIP! TIP!
Old 5th September 2004, 15:23   #23
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
Already mentioned further up :/

(ie. in my first reply)
Old 5th September 2004, 17:14   #24
ampewin
Member
 
Join Date: Mar 2004
Posts: 68
Oops, sorry...
Old 5th September 2004, 18:44   #25
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
hehe, no problem