[GH-ISSUE #387] username and password are eval'd by shell

kerem commented

2026-02-27 19:29:39 +03:00

Owner

Originally created by @skyegecko on GitHub (Oct 19, 2019).
Original GitHub issue: https://github.com/librespot-org/librespot/issues/387

Hi,

This was a bit of a hunt to get pinned down, so let me explain:

Environment: Libreelec 9.1.501 (RPi2.arm)
Librespot version: 9.1.901.117

librespot was failing to start, with journalctl giving the error:

/storage/.kodi/addons/service.librespot/bin/librespot.start: eval: line 1: syntax error: unexpected ")"

Inspecting the named script showed no obvious problems, but upon running the file manually I received the same message.

By commenting out all the lines, then adding them back in one by one, the problem appears to be on the second real line of code:

oe_setup_addon service.librespot

I looked for oe_setup_addon and found that it was a function, defined in /etc/profile.d/00-addons.conf:

oe_setup_addon() {
  if [ ! -z $1 ] ; then
    DEF="/storage/.kodi/addons/$1/settings-default.xml"
    CUR="/storage/.kodi/userdata/addon_data/$1/settings.xml"

    # export some useful variables
    ADDON_DIR="$HOME/.kodi/addons/$1"
    ADDON_HOME="$HOME/.kodi/userdata/addon_data/$1"
    ADDON_LOG_FILE="$ADDON_HOME/service.log"

    [ ! -d $ADDON_HOME ] && mkdir -p $ADDON_HOME

    # copy defaults
    if [ -f "$DEF" -a ! -f "$CUR" ] ; then
      cp "$DEF" "$CUR"
    fi

    # parse config
    for xml_file in "$DEF" "$CUR"; do
      if [ -f "$xml_file" ]; then
        XML_SETTINGS_VER="$(xmlstarlet sel -t -m settings -v @version $xml_file)"
        if [ "$XML_SETTINGS_VER" = "2" ]; then
          eval $(xmlstarlet sel -t -m settings/setting -v @id -o "=\"" -v . -o "\"" -n "$xml_file")
        else
          eval $(xmlstarlet sel -t -m settings -m setting -v @id -o "=\"" -v @value -o "\"" -n "$xml_file")
        fi
      fi
    done
  fi
}

By adding set -x to the librespot.start script, I managed to read that the following was being executed in this function (XML_SETTINGS_VER is 2 so this is the first eval in the function):

+ eval 'ls_a="false"' 'ls_b="320"' 'ls_D="true"' 'ls_m="ALSA"' 'ls_o="sysdefault:CARD=ALSA"' 'ls_p="[...]&gt;[...]")[...]"' 'ls_u="dutch_gecko"' 'pcm_3="1"'

The ls_p variable has been redacted as it contains my spotify password. As you can see however, things have gotten weird: an angle bracket has become > and a " quote mark has gone in unescaped. This caused the following character in the password, a parenthesis, to be eval'd, which caused the error.

Since I don't require the login support any more (I had it enabled some time ago) I can erase the password from my settings. However, it seems sensible to have both username and password sanitized before being stored in settings.xml since they are being eval'd (as root!) on the command line.

Thanks!

Originally created by @skyegecko on GitHub (Oct 19, 2019). Original GitHub issue: https://github.com/librespot-org/librespot/issues/387 Hi, This was a bit of a hunt to get pinned down, so let me explain: * Environment: Libreelec 9.1.501 (RPi2.arm) * Librespot version: 9.1.901.117 librespot was failing to start, with journalctl giving the error: /storage/.kodi/addons/service.librespot/bin/librespot.start: eval: line 1: syntax error: unexpected ")" Inspecting the named script showed no obvious problems, but upon running the file manually I received the same message. By commenting out all the lines, then adding them back in one by one, the problem appears to be on the second real line of code: oe_setup_addon service.librespot I looked for `oe_setup_addon` and found that it was a function, defined in `/etc/profile.d/00-addons.conf`: ```sh oe_setup_addon() { if [ ! -z $1 ] ; then DEF="/storage/.kodi/addons/$1/settings-default.xml" CUR="/storage/.kodi/userdata/addon_data/$1/settings.xml" # export some useful variables ADDON_DIR="$HOME/.kodi/addons/$1" ADDON_HOME="$HOME/.kodi/userdata/addon_data/$1" ADDON_LOG_FILE="$ADDON_HOME/service.log" [ ! -d $ADDON_HOME ] && mkdir -p $ADDON_HOME # copy defaults if [ -f "$DEF" -a ! -f "$CUR" ] ; then cp "$DEF" "$CUR" fi # parse config for xml_file in "$DEF" "$CUR"; do if [ -f "$xml_file" ]; then XML_SETTINGS_VER="$(xmlstarlet sel -t -m settings -v @version $xml_file)" if [ "$XML_SETTINGS_VER" = "2" ]; then eval $(xmlstarlet sel -t -m settings/setting -v @id -o "=\"" -v . -o "\"" -n "$xml_file") else eval $(xmlstarlet sel -t -m settings -m setting -v @id -o "=\"" -v @value -o "\"" -n "$xml_file") fi fi done fi } ``` By adding `set -x` to the `librespot.start` script, I managed to read that the following was being executed in this function (`XML_SETTINGS_VER` is 2 so this is the first `eval` in the function): ```sh + eval 'ls_a="false"' 'ls_b="320"' 'ls_D="true"' 'ls_m="ALSA"' 'ls_o="sysdefault:CARD=ALSA"' 'ls_p="[...]>[...]")[...]"' 'ls_u="dutch_gecko"' 'pcm_3="1"' ``` The `ls_p` variable has been redacted as it contains my spotify password. As you can see however, things have gotten weird: an angle bracket has become `>` and a `"` quote mark has gone in unescaped. This caused the following character in the password, a parenthesis, to be eval'd, which caused the error. Since I don't require the login support any more (I had it enabled some time ago) I can erase the password from my settings. However, it seems sensible to have both username and password sanitized before being stored in `settings.xml` since they are being eval'd (as root!) on the command line. Thanks!

kerem closed this issue

2026-02-27 19:29:39 +03:00

kerem commented

2026-02-27 19:29:39 +03:00

Author

Owner

@skyegecko commented on GitHub (Oct 19, 2019):

This bug has also been posted on the Libreelec bug reports forum as it could be considered a general issue with Libreelec. Thread is here but may not be available until it has been authorized by a moderator.

@skyegecko commented on GitHub (Oct 19, 2019): This bug has also been posted on the Libreelec bug reports forum as it could be considered a general issue with Libreelec. [Thread is here](https://forum.libreelec.tv/thread/20620-oe-setup-addon-will-potentially-eval-user-input/) but may not be available until it has been authorized by a moderator.

kerem commented

2026-02-27 19:29:39 +03:00

Author

Owner

@kingosticks commented on GitHub (Oct 19, 2019):

Sorry, I don't understand, how is this an issue with librespot?

@kingosticks commented on GitHub (Oct 19, 2019): Sorry, I don't understand, how is this an issue with librespot?

kerem commented

2026-02-27 19:29:39 +03:00

Author

Owner

@skyegecko commented on GitHub (Oct 19, 2019):

It was my understanding that this is the repo for the librespot plugin for libreelec, is this not correct?

@skyegecko commented on GitHub (Oct 19, 2019): It was my understanding that this is the repo for the librespot plugin for libreelec, is this not correct?

kerem commented

2026-02-27 19:29:39 +03:00

Author

Owner

@kingosticks commented on GitHub (Oct 20, 2019):

This is the repo for librespot, nothing to do with libreelec I'm afraid. The startup script and this settings.xml file are nothing to do with us here.

@kingosticks commented on GitHub (Oct 20, 2019): This is the repo for librespot, nothing to do with libreelec I'm afraid. The startup script and this settings.xml file are nothing to do with us here.

kerem commented

2026-02-27 19:29:39 +03:00

Author

Owner

@shanemeagher commented on GitHub (Oct 20, 2019):

This is the thread for the Librespot Addon for LibreELEC (https://forum.libreelec.tv/thread/8438-librespot-addon/) although I see awiouy who maintains the addon approved your new thread so I'm sure he'll look into it when he has a chance.

@shanemeagher commented on GitHub (Oct 20, 2019): This is the thread for the Librespot Addon for LibreELEC (https://forum.libreelec.tv/thread/8438-librespot-addon/) although I see _awiouy_ who maintains the addon approved your new thread so I'm sure he'll look into it when he has a chance.

kerem commented

2026-02-27 19:29:39 +03:00

Author

Owner

@kingosticks commented on GitHub (Oct 20, 2019):

Yes, the question seems to be:

One question, though: How is it with the audio priority? While Librespot plays music, nothing else outputs audio on LibreELEC. So lets say I start a LiveTV channel, it is kind of muted unless I stop spotify and stop the LiveTV broadcast as well and restart it afterwards. Is there something how this could be handled? Like: Play music and play the Audio from LiveTV at once, until I decide to stop spotify playback?

But actualy thats not really to do with librespot either. Handling multiple sound sources is a management job for the system, not the source. This would be fixed in alsa or pulseaudio (whatever is applicable for libreelec).

Edit : that thread is 31 pages! I take it back, I've no idea what the question is.

@kingosticks commented on GitHub (Oct 20, 2019): Yes, the question seems to be: > One question, though: How is it with the audio priority? While Librespot plays music, nothing else outputs audio on LibreELEC. So lets say I start a LiveTV channel, it is kind of muted unless I stop spotify and stop the LiveTV broadcast as well and restart it afterwards. Is there something how this could be handled? Like: Play music and play the Audio from LiveTV at once, until I decide to stop spotify playback? But actualy thats not really to do with librespot either. Handling multiple sound sources is a management job for the system, not the source. This would be fixed in alsa or pulseaudio (whatever is applicable for libreelec). Edit : that thread is 31 pages! I take it back, I've no idea what the question is.

kerem referenced this issue

2026-02-27 20:00:12 +03:00

[PR #251] [MERGED] Update protobuf #851

kerem referenced this issue

2026-02-27 20:00:13 +03:00

[PR #270] [CLOSED] Switch to protobuf-codegen-pure to remove protoc dependency #856

Rows
Columns

[GH-ISSUE #387] username and password are eval'd by shell #251