Drupal, getid3 and Debian

GetID3 is a php library that reads MP3 files and extract information about the artist, song, etc. It’s used by the Audio file when uploading an image to automatically fill in the artist name and song information.

Last month, due to a Drupal Security Advisory we removed the getid3 library directory from all the audio modules installed on our systems. The maintainer of the audio module included the getid3 library in the audio module itself. In addition the maintainer included the entire tar ball of the getid3 library, including sample scripts. Drupal released an advisory because someone figure out how to manipulate drupal into doing things with the included sample scripts. So - my sledge hammer approach was to remove all the getid3 library folders from all the audio modules on our system.

Now fortunately, the audio module maintainer included a drupal variable where you can say the path to your own getid3 library. It’s in:

Admin -> Settings -> Audio -> GetID3

So, for Chavez, we installed the Debian package for php-getid3. If you’re primary host is chavez.mayfirst.org, then you should set this directory as:

/usr/share/php-getid3

Viewsic, however, does not have php-getid3 (since viewsic is running the sarge version of Debian and Chavez is running the etch version). So if you’re primary host is viewsic.mayfirst.org, you should use:

/usr/local/share/php-getid3