Subsonic Forum

[Kirk]

I sure hope somebody's caught this... after upgrading to Subsonic 4.8, I have a "Subsonic Premium" link with a little heart icon right below the "Log out" link.

Any user (even non-administrative) can see this link, and click it.
This is problematic because non-administrative users are given the option to change license information, and\or steal the license key from this page easily.

[regentswift]

I was just about to post about this. What can be done about this?

[regentswift]

My short term security fix (which isn't the best, but keeps people from messing with it) is this:

In the \subsonic\jetty\3423\webapp\WEB-INF\jsp\premium.jsp file:
Delete lines 28 through 81, from "<c:if test="${command.licenseInfo.licenseValid}">" to the last "</c:if>"

In \subsonic\jetty\3423\webapp\WEB-INF\jsp\top.jsp file:
Delete lines 79 through 92, from "<br>" to "</c:choose>"

[sindre_mehus]

Hi,

I fixed this bug a day or two after releasing 4.8 and put out an updated version. I didn't bother to make it 4.8.1, but if you just download and install 4.8 again you should be fine.

Sorry for the inconvenience,
Sindre

[pderwael]

Sindre,

Thank you for this

I will update in a few days, it was just a small detail anyhow!

Keep up the excellent work

[tomm1ed]

Hi,

I fixed this bug a day or two after releasing 4.8 and put out an updated version. I didn't bother to make it 4.8.1, but if you just download and install 4.8 again you should be fine.

Sorry for the inconvenience,
Sindre

Hi Sindre,

Could it be that you didn't update the WAR version as well? Just redeployed the latest on my Tomcat server and the 'Subsonic Premium' link is still there. When I click it tells me 'You have a valid Subsonic Premium license'
The WAR file is dated 17-4-2013 22:25

[pderwael]

Hi Sindre,

Could it be that you didn't update the WAR version as well? Just redeployed the latest on my Tomcat server and the 'Subsonic Premium' link is still there. When I click it tells me 'You have a valid Subsonic Premium license'
The WAR file is dated 17-4-2013 22:25

Hi there

Same here, I have just downloaded and installed 4.8 again (WAR D/T: 17/04/2013 22:25)

[kyomi7502]

Same issue, but I just downloaded (4/29) and installed the Windows version and everywhere it tells me I've got the Subsonic Premium license.
That link is still up there even after a log off/on, service restart and server restart.

[atltrickster]

I have subsonic deployed on a Tomcat server and will be upgrading shortly. For those of you that upgraded prior to a fix being in place, perhaps cleaning the files located in your work directory would resolve the issue you're experiencing.

Sent from my Nexus 4 using Tapatalk 2

[Kirk]

Hi,

I fixed this bug a day or two after releasing 4.8 and put out an updated version. I didn't bother to make it 4.8.1, but if you just download and install 4.8 again you should be fine.

Sorry for the inconvenience,
Sindre

Thanks for the update, Sindre. I'll go ahead and do this.

Keep up the excellent work

I'll second that!

Kirk

[ladfrombrad]

Hi,

I fixed this bug a day or two after releasing 4.8 and put out an updated version. I didn't bother to make it 4.8.1, but if you just download and install 4.8 again you should be fine.

Sorry for the inconvenience,
Sindre

Hi Sindre!

I just installed Subsonic 4.8 on a new Ubuntu install and I'm still seeing the Subsonic Premium link with non-admin accounts after activating my license. Now they can't change it like you can do with a admin account, but they can see my email that I registered with.

Am I missing something here as IIRC that wasn't visible in previous versions, right?

[argh1980]

HI,

I just added a user for the first time and noticed the account can see the registration email, why?

I just updated to 4.9 beta thinking it may be fixed but it's the same in that version too. This must be a bug when will it be fixed is there a hack to the source code that can remove it?

Can I put a fictional email address in there?

[ladfrombrad]

This must be a bug when will it be fixed is there a hack to the source code that can remove it?

Yeah, I still get it going from 4.8 to the 4.9 beta and have had to use regentswift's 'fix' from above still.

My short term security fix (which isn't the best, but keeps people from messing with it) is this:

In the \subsonic\jetty\3423\webapp\WEB-INF\jsp\premium.jsp file:
Delete lines 28 through 81, from "<c:if test="${command.licenseInfo.licenseValid}">" to the last "</c:if>"

In \subsonic\jetty\3423\webapp\WEB-INF\jsp\top.jsp file:
Delete lines 79 through 92, from "<br>" to "</c:choose>"

edit: Note the \3423\ in the above file structure will be different for each version of Subsonic you have installed.

[argh1980]

I am on Windows 7 so don't seem to have that directory structure.

Looking through this thread it's been going on since April 17th so I can't see the developers fixing it anytime soon.