Spotify Connect plugin - passwords not escaped properly

Hi,

I’ve been using the github version of the Spotify Connect Plugin for a while and today noticed it wasn’t working anymore and according to logs was crashing. I noticed that there was a new version of the plugin 18-02-2018 available so updated to that, but it was still not working.

After looking at the logs more closely I see the problem. The plugin is just blindly taking the entered password and incorporating it into the script startconnect.sh without any quoting or, more importantly, shell escaping… See the following log entries:

Mar 02 15:35:13 volumio systemd[1]: Started Volspotconnect2 Daemon.
Mar 02 15:35:13 volumio volumio[2917]: /data/plugins/music_service/volspotconnect2/startconnect.sh: line 3: t7Rz: command not found
Mar 02 15:35:13 volumio systemd[1]: volspotconnect2.service: main process exited, code=exited, status=127/n/a
Mar 02 15:35:13 volumio systemd[1]: Unit volspotconnect2.service entered failed state.

Notice the "command not found" at the end - it is trying to execute part of my password as a shell command! :astonished: The plugin not working corresponded with me changing my Spotify password.

Here is an obfuscated version of my password - I’ve changed the characters before the & but left the ones at the end the same:

5EZOvEE&t7Rz

And you can see the command line in startconnect.sh that results from this (username and password also modified):

#this file is generated by the plugin. You should not edit it unless you know what you do. It will be overwrite by the plugin each time a change in config is detected
cd /data/plugins/music_service/volspotconnect2
./librespot -b 320 -c /tmp --disable-discovery -u username -p 5EZOvEE&t7Rz --name 'Volumio' --backend alsa --device plughw:2 --disable-audio-cache --initial-volume 90 --onstart ./onstart1.sh

The ampersand is interpreted as a shell backgrounding command meaning that the following characters are interpreted as a new command, but it could just as easily have been a semicolon.

Apart from causing the service to fail it allows arbitrary code execution as the volumio user by entering a crafted password into the web interface.
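To show the fix the post is asking for, here is an added example (not the plugin's own code) of generating the librespot line with the user-supplied values single-quoted for /bin/sh, beside the raw interpolation the log shows, plus a small scanner that reports any shell control character left outside quotes. The function names and the scanner are mine; only the password and flags come from the thread.

```javascript
// Quote a value for POSIX sh. Inside single quotes nothing is special except
// the single quote itself, which is written as '\'' (close, escaped quote, reopen).
function shQuote(value) {
  return "'" + String(value).replace(/'/g, "'\\''") + "'";
}

// The unsafe form the thread describes: the password is pasted into the script
// verbatim, so "&" or ";" in it ends the librespot command and starts another.
function buildUnsafeCommand(user, password) {
  return `./librespot -b 320 -c /tmp --disable-discovery -u ${user} -p ${password} --name 'Volumio'`;
}

// The hardened form: every value that came from the web UI is quoted before it
// is written into startconnect.sh.
function buildSafeCommand(user, password) {
  return ["./librespot", "-b", "320", "-c", "/tmp", "--disable-discovery",
          "-u", shQuote(user), "-p", shQuote(password),
          "--name", shQuote("Volumio")].join(" ");
}

// Walk the generated line and collect sh control characters that are not
// protected by single quotes or a backslash. An empty result is what the
// generated script should always produce, whatever the password contains.
function unquotedMetachars(cmd) {
  const found = [];
  let inSingle = false;
  for (let i = 0; i < cmd.length; i++) {
    const ch = cmd[i];
    if (inSingle) { if (ch === "'") inSingle = false; continue; }
    if (ch === "'") { inSingle = true; continue; }
    if (ch === "\\") { i++; continue; } // backslash escapes the next character
    if ("&;|`$<>()".includes(ch)) found.push(ch);
  }
  return found;
}

// Constructed demo using the obfuscated password from the post.
const pw = "5EZOvEE&t7Rz";
console.log("unsafe:", unquotedMetachars(buildUnsafeCommand("username", pw))); // ["&"]
console.log("safe:  ", unquotedMetachars(buildSafeCommand("username", pw)));   // []
```

Quoting stops the script breaking, but the password still appears in the process arguments and is readable by any local user through ps or /proc; passing it via a file or environment variable that only the service can read avoids that as well.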

I would recommend that you also raise this as an issue at github.com/balbuze/volumio-plugins/issues to help keep track of things.

It looks like there is an additional problem: even in Multi-User device mode, where a username and password are not required, the service is still crashing when a client device (an iPhone running Spotify) tries to connect:

Mar 02 16:06:15 volumio volumio[973]: INFO:librespot_core::session: Connecting to AP "gew1-accesspoint-b-5lm8.ap.spotify.com:4070"
Mar 02 16:06:16 volumio volumio[973]: INFO:librespot_core::session: Authenticated as "username" !
Mar 02 16:06:16 volumio volumio[973]: INFO:librespot::audio_backend::alsa: Using alsa sink
Mar 02 16:06:16 volumio volumio[973]: INFO:librespot_core::session: Country: "GB"
Mar 02 16:06:16 volumio volumio[973]: thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: WireError(InvalidEnumValue(13))', /checkout/src/libcore/result.rs:906:4
Mar 02 16:06:16 volumio volumio[973]: note: Run with `RUST_BACKTRACE=1` for a backtrace.
Mar 02 16:06:16 volumio systemd[1]: volspotconnect2.service: main process exited, code=exited, status=101/n/a
Mar 02 16:06:16 volumio systemd[1]: Unit volspotconnect2.service entered failed state.
Mar 02 16:06:18 volumio systemd[1]: volspotconnect2.service holdoff time over, scheduling restart.

(I’ve changed the username in the log)

Any ideas why this is not working either? I’ve been using the older version of the plugin for months now and it only seems to have broken when I changed my Spotify password to one that includes an ampersand.

Looks like this issue has already been reported there and is related to changes made at Spotify, so it is a coincidence in relation to my password change.

However I’ll report the password escaping problem if it hasn’t already been reported. Thanks for the pointer.

There has been a change at the Spotify end, have a read at ios-spotify-connect-issue-t9193.html (I didn’t mention previously because I thought you had the latest version, but you might want to double check).

Edit: oops sorry, looks like you beat me to it :wink:

Hi!
I will have a look at the password. Thanks.
For the other problem, due to a change at Spotify, the plugin needs an update. A version is available in my github repo. Once stable enough, it will be pushed as an official plugin.

edit @chrism1 :smiley:

Thanks, I’ve found the fix for the other issue and have the plugin working again in Multi-user device mode. :slight_smile:

Hi all,

Could this strange behaviour be related: https://volumio.org/forum/volspotconnect2-not-working-with-new-spotify-clients-t9258.html ?

Cheers

Arnd