Custom Query (257 matches)

muroar_connect() allows to connect to ~/.roar even when $HOME is not set correctly.

The following errors are in the code:

• A heading slash is enforced
• When $HOME is not set it tries to connect to "/(null)/.roar"
• When $HOME is too long to fit into the buffer it is truncated. This results in a security problem because an attacker may alter $HOME in a way letting µRoar connect to an existing server. This is mostly important for restricted environments like sudo, su, ssh when parts of the env is passed while other is rejected.
• May connect to "/invalid" if snprintf() fails (very unlikely).

Some notes:

• It supported to set the server via $ROAR_SERVER. This does not conflict with the statement above as it may be one of those rejected env variables.
• No buffer overflow was found allowing remote code or data injection. This is why I set it only to "major" not "critical".

Support for roard's own protocol stack for plugins should be removed. It should be replaced by the common protocol interface (See #257).

Steps to be done:

• Announce the removal.
• Convert all plugins within the RoarAudio project's domain to the new interface.
• Remove support.

Other important stuff:

• The actual removal should not happen before two releases after the release in which #257 was closed.
• The current stack allows accessing roard's listen socket object. There should be an interface for this if needed.
• A warning should be generated when this feature is used.

roard's sched support should be removed. roard supports the successor AppSched? (which does support the same as roard's sched but more).

The plugin API of roard needs a ABI version change. This should also be announced before the removal so plugin writers can migrate.