Merge branch 'develop' for release v3.26.1

epoupon · Jun 7, 2021 · ae995f3 · ae995f3
2 parents 2c35e1f + 3c51beb
commit ae995f3
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 3 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -8,6 +8,7 @@ set(CMAKE_CXX_STANDARD 17)
 set(CMAKE_CXX_STANDARD_REQUIRED True)
 
 include(CTest)
+find_package(PkgConfig REQUIRED)
 find_package(Threads REQUIRED)
 find_package(Filesystem REQUIRED)
 find_package(FFMPEGAV REQUIRED)

diff --git a/INSTALL.md b/INSTALL.md
@@ -173,9 +173,9 @@ server {
 
     location / {
 
+      proxy_set_header        Client-IP $remote_addr;
       proxy_set_header        Host $host;
-      proxy_set_header        X-Real-IP $remote_addr;
-      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header        X-Forwarded-For $remote_addr;
       proxy_set_header        X-Forwarded-Proto $scheme;
 
       proxy_pass          http://localhost:5082/;

diff --git a/README.md b/README.md
@@ -77,6 +77,14 @@ $setmulti(albumartistssort,%_albumartists_sort%)
 * Previous track: <kbd>Ctrl</kbd> + <kbd>Left</kbd>
 * Next track: <kbd>Ctrl</kbd> + <kbd>Right</kbd>
 
+## Security considerations
+_Wt_ (the web framework used) has some [built-in security measures](https://www.webtoolkit.eu/wt/features#security), but _LMS_ also has some too:
+* to mitigate brute force login attempts, _LMS_ uses an internal login throttler based on the client IP address. The `Client-IP` or `X-Forwarded-For` headers are used to determined the real IP adress, so make sure to properly configure your reverse proxy to filter or even erase the values (see example in [INSTALL.md](INSTALL.md)).
+* all passwords are stored hashed and salted using [bcrypt](https://fr.wikipedia.org/wiki/Bcrypt)
+* all the resources relative to the music collection (tracks, covers, etc.) are private to a session
+
+## Keyboard shortcuts
+
 ## Installation
 
 See [INSTALL.md](INSTALL.md) file.

diff --git a/src/lms/ui/explore/ReleaseCollector.cpp b/src/lms/ui/explore/ReleaseCollector.cpp
@@ -22,6 +22,7 @@
 #include <algorithm>
 
 #include "database/Release.hpp"
+#include "database/Session.hpp"
 #include "database/User.hpp"
 #include "database/TrackList.hpp"
 #include "scrobbling/IScrobbling.hpp"
@@ -79,6 +80,8 @@ namespace UserInterface
 	std::vector<Database::IdType>
 	ReleaseCollector::getAll()
 	{
+		auto transaction {LmsApp->getDbSession().createSharedTransaction()};
+
 		bool moreResults;
 		const auto releases {get(std::nullopt, moreResults)};
 

diff --git a/src/lms/ui/explore/TrackCollector.cpp b/src/lms/ui/explore/TrackCollector.cpp
@@ -21,9 +21,10 @@
 
 #include <algorithm>
 
+#include "database/Session.hpp"
 #include "database/Track.hpp"
-#include "database/User.hpp"
 #include "database/TrackList.hpp"
+#include "database/User.hpp"
 #include "scrobbling/IScrobbling.hpp"
 #include "utils/Service.hpp"
 #include "Filters.hpp"
@@ -79,6 +80,8 @@ namespace UserInterface
 	std::vector<Database::IdType>
 	TrackCollector::getAll()
 	{
+		auto transaction {LmsApp->getDbSession().createSharedTransaction()};
+
 		bool moreResults;
 		const auto releases {get(std::nullopt, moreResults)};