No announcement yet.

winamp 5.05 breaks open source notifier

  • Filter
  • Time
  • Show
Clear All
new posts

  • winamp 5.05 breaks open source notifier

    I use to have album art notifications. Now they don't work. I noticed it happened right after I upgraded to 5.05. It happens for any skin that uses the open source notifier. (Classix Player, LayerOne) Now it just shows a broken website where the album art image should be. Is this happening to anyone else? I tried redownloading the skins, but nope. Any ideas?

    EDIT: After reinstalling 5.04, everything works. Perhaps it was a new 5.05 security feature?
    Last edited by blackgizmo; 29 August 2004, 03:49.

  • #2
    [changed topic title accordingly]

    Yup. It is the new security patch in 5.05 causing this.
    Good to know that the patch is working!

    html files are no longer extracted...
    so "opensource_notifier/html/cdcover.html" won't be extracted
    and therefore cover art can't be displayed :/

    I'm not sure if cdcover.html can be added to the safelist, because it then leaves the possibility of it being exploited by some malicious 3rd-party.

    Two workarounds...

    1. The open source notifier people make it so it links to cdcover.html on a remote server, instead of on the local machine.

    2. You rename the .wal to .zip
    and then extract all files within to a subfolder in the Skins dir. This makes it so the skin is instantly usable without the need to decompress the files into a temp dir (which is the way the default Winamp Modern skin works).
    You can then remove the wal/zip file afterwards.

    Playlist | Twitter | Albums


    • #3
      Does seem a little extreme considering you can still force winamp to open an HTML page from the web withing in a skin, check out some of my skins that feature a "homepage" window in them, or "click here to visit website" buttons in them, what's to stop me loading up a malicious page that way?

      If you are gonna break it so winamp won't load html, then there also needs to be a recompile of wasabi to stop people using the system.navigateUrl command in Maki.

      /edit, if anyone is using Lounge, Boxor, Kjofol or Assmosis then I'll be doing a rebuild of them later to remove the album cover stuff.


      • #4
        You could make an alternative nsis installer for the cover art version, which extracts the wal to a folder on install...?

        Playlist | Twitter | Albums


        • #5
          Could do, only one snag with that, this site dosn't accept skins in the exe format, so it's kind of back to square one.

          Holding the HTML on another site is an option, so that the script can be run remotely, but how long until someone takes advantage of that and runs a malicious script remotely, to be honest I'm amazed it hasn't been done before now, that was the first thought I had when I discovered I could open remote HTML in a skin 4 years ago.

          In this instance it's probably easier to remove the option totaly, kind of buggers up the idea of having a totaly flexible skin engine however :/


          • #6

            Alas, security must come first these days :/

            I was thinking more along the lines of hosting the nsis installer exe's on a different site to, eg.

            Re: running remote html
            Any skins running malicious scripts etc won't make it on to the winamp site, so it's entirely up to the user if they install skins from a non-trusted source. The main thing is that the skins won't be able to install and run automatically like they did before.

            Playlist | Twitter | Albums


            • #7
              I wouldn't count on that, I'll be buggered if I'm clicking on any suspicious links that might be in skins submitted, never know what they might do

              Anyhow, for my part the skins I've done for Nullsoft Skinz will be updated at the latest tomorrow, done the recompile of them and removed the album cover stuff, just need to test them for a bit to make sure they don't borke in any other way.


              • #8

                thanks for the help guys, was driving me nuts trying to find out what was wrong


                • #9
                  Originally posted by Mr Jones
                  I wouldn't count on that, I'll be buggered if I'm clicking on any suspicious links that might be in skins submitted, never know what they might do
                  Then I guess that things will probably need to change in that department

                  Playlist | Twitter | Albums


                  • #10
                    it would be nice if nullsoft could host a common album cover server for use in winamp5, but we all know that's not likely to happen without some kind of partnership with amazon...


                    • #11
                      I reckon that will be the end of accepting skins that link to outside HTML. Even though most of those links are in the sponsored skins, those will not be effected as Nullsoft staff reviews those.

                      However, the other ones will be effected, sorry.


                      • #12
                        There should be a major recompile of the entire Modern Skins engine in Winamp 5 series.
                        Today Winamp uses the WebBrowser control (Internet Explorer server) to display HTML content which imposes a security risk. Winamp should have it's own HTML rendering library which would only render the HTML content without executing VBScript/JScript embedded in the HTML. I know there are some open source HTML renderers out there which could easily be used in Winamp (but then Winamp had to be open source too, right??).

                        It's something to think about...

                        Microsoft is releasing Service Pack 2 to Windows XP which will have a lot of security fixes for Internet Explorer. Doubt that it will help much... A popup-blocker has been available as 3rd party software for years, and we like Mozilla Firefox and Opera much more anyway.


                        • #13
                          Well, the only html used in the default winamp client is in the media library, ie. for the Minibrowser (Now Playing) and Info Viewer.

                          The Info Viewer uses only and is pretty safe,
                          and the minibrowser already has the option to "not allow web content to execute javascript and ActiveX" (which is enabled by default)... so I don't really see the problem there.

                          Hmm... ponderous, heh.

                          Playlist | Twitter | Albums


                          • #14
                            I know this, but the Media Library's Minibrowser (a.k.a Now playing page) isn't part of the Modern Skins support (gen_ff.dll plug-in).

                            Modern Skins have access to a lot of the stuff originally created for Winamp 3 (wasabi) which means MAKI script language and varius <browser> XML tags. All of this can be malicious. And it really doesn't help that Internet Explorer are pulled in to display HTML content. And we all know how bad Internet Explorer is when it comes to security... I rest my case!


                            • #15
                              When loading remote html, IE uses the "Internet Zone" restrictions, and *shouldn't*(if this were the best of all possible worlds) be allowed to do anything malicious. The security exploit was possible because Winamp was loading the html from the local machine, and that placed it in the "Local" Zone which is pretty much unrestricted in regards to how it can interact with the system. Now, this is prevented by only allowing "safe" file extensions to be extracted from the wal or wsz, thus never extracting and running a local html file.

                              Using another HTML renderer would add a lot of overhead to the Winamp package, and wouldn't necessarily make Winamp more secure. See the (very) recent Mozilla security updates, for instance. Had Winamp been using an unpatched version of the Mozilla rendering control, it pretty much would have allowed the same basic exploit, with only minor differences in how it was achieved.

                              I was away for a while.
                              But I'm feeling much better now.