Issues on Linux and Security
button Other -->

mp3riot (formerly known as


I decided to rename into mp3riot. the reason is, that the name does not clearly indicate, for what the program is best suited for. Because the program has grown so much (and because the the name should be more attractive to get more users), a renaming seems to be a must to me.

There are some important news about mp3riot / f2htmlpl. Please see the NEWS for further details.


Mp3riot (formerly known as is a command line utility that searches recursively through directories, builds a file list (with additional file information), and generates html files, plylists, etc. The output can be controlled, links can be corrected, and more. The script is mainly desigend to create Web pages, playlists, and databases for mp3-files, but can also used for other purposes.

Read the manual for further details.

Main Features:

  • supports playlists in m3u, pls, and xml format
  • supports sql output
  • creates html pages, templates can be used
  • supports advanced grouping methods
  • supports slection by date ranges, file extensions, and by random
  • supports renaming of mp3 files using id3tag information, templates or guessing can be used
  • advanced string manipulation methods
  • and much more ...


Latest version:

Older versions of mp3riot /

For Windows-Users:

You can also download a windows executable compiled with perl2exe. Then you need not to install perl. But I have not testet the functionality of the executable in detail. So it is best to use perl and the source of mp3riot!

Windows binaries of mp3riot:


perl mp3riot [options]

  • -h, --help: Show this screen and exit
  • -k, --mkconf:Use an assistant to write a config file
  • -o, --os win/unix: Default "unix", otherwise windows
  • -Q, --sortby value: Default is NAME (the filename). You can sort the filelist by the following criteria: URLNAME, SHOWNAME, DIR, NAME, TITLE, ARTIST, ALBUM, YEAR, COMMENT, GENRE, TRACKNUM, SIZE, MODTIME, VBR, BITRATE, FREQUENCY, MINUTES, SECONDS, FIRSTCHAR
  • -n, --doublicates: Check for doublicates of files by their filename
  • -D, --md5doublicates: Check for doublicates of files by their MD5 sum
  • -V, --seekvalues <n,+-n,n>: Three values that have to be seperated by ",". This is an useful option for --md5doublicates. The first one is the offset in bytes, the second is the number of bytes to seek (and the direction), and the last value tells the program where to start from (1 means to start from the begining of a file, 2 means to start from the end of a file. So, a combination of 1000,-1128,2 tells the programm to start 1128 bytes before the file ends (id3v1 tag is 128 bytes long!) and use 1000 bytes for calculation of md5 sums.
  • -b, --dbfile file: Write database to a file for searching it
  • -m --m3u file: Write a m3u playlist file. Directory and filename or GROUPPATH for writing m3u files for groups.
  • -X --xml file: Write a xml playlist file. Directory and filename or GROUPPATH for writing xml files for groups.
  • -L --pls file: Write a pls playlist file. Directory and filename or GROUPPATH for writing pls files for groups.
  • -W, --b4s file: Write a b4s playlist file. Directory and filename or GROUPPATH for writing b4s files for groups.
  • -t, --html file: Write a html file. Directory and filename or GROUPPATH for writing html files for groups.
  • -a, --http name: Define the http address for url
  • -r, --remove: Remove id3tags (do you know what you are doing?)
  • -i, --mp3info: Use mp3/ogg info for html output
  • -e, --ext: Remove file extensions in html output
  • -f, --filesize: Use filesize for html output
  • -c, --check ext: Select files by their extension(s) (e.g. mp3). For every extension use a seperate flag!
  • -z, --skip number: Skip n elements of mount/directories/names
  • -p, --conf file: Use a config file
  • -w, --utf8 file: File with UTF-8 code for replacements in links
  • -q, --nocs: Do sorting not case sensitive
  • -j, --statfile file: Write statistics to file
  • -d, --dir directory: Define the (multiple) directory(ies) the mp3s are stored in. For every directory use a seperate flag!
  • -g, --sql file: Filename to store sql table in (only for mp3 and ogg!)
  • -y, --replace file: Name of replacement file; in the file use <string_1>=<string_2> to transform <string_1> into <string_2>; special characters like a backslash have to be preceeded by a backslash "\\" (used for directories)
  • -s, --seperate path: Write seperate html files for every character
  • -R, --rename: Renames mp3 and ogg file using their id3tag. The use of rename_template in the configfile is optional. If rename_template is not used, the program tries to create a filename like: ARTIST - ALBUM - TRACKNUMBER - TITLE by using the id3tag. It assumes, that the filenames have a similar format and tries to guess, whether the id3tag has enough information to create a better filename. Old and new filenames are stored in RENAME.bak
  • -B, --renameback: Renames files back using the file RENAME.bak
  • -T, --templatesHtml templates are used. They have to be defined in the conmfig file using the commands html_head, html_change, html_body, html_footer, html_sep_head. See the README for avalable templates!
  • -G, --groupfile file: Filename for grouping information: <groupname1>=<TYPE>=<string1>,<string2>,...
  • -P, --grouppath path: The path, where to write the html files for group
  • -O, --older number: Only files are selected, having a modification time higher than the specified days
  • -Y, --younger number: Only files are selected, having a modification time less than the specified days
  • -I, --id3tag: Use the id3 tag to get infos
  • -S, --random number: Percentage of file to select randomly (e.g. 50 to select 50% of files/every second file)
You can use nearly all commands in a config file (and it is the best to do it this way!). The syntax then changes sligthly, so that, for example, --dir changes to dir=
Additionally, in the config file it is possible to use the commands:
  • exec= param: Execute system command. This command can be used multiple times
  • rename_template=string:string with templates for renaming files by their id3tag (to be used together with --rename)
    The following rename templates are available: **TITLE**, **ARTIST**, **ALBUM**, **YEAR**, **COMMENT**, **GENRE**. **TRACKNUM**
  • html_head= string: Html code for the head
  • html_change= string: Html code if the first character between two file names change
  • html_body= string: Html code for each filename
  • html_footer= string: Html code for the foot
  • html_sep_head= string: Html code for the head seperate html files by first character
    The following html templates are available: **SUMOFFILES**, **SUMOFMEGS**, **DATE**, **URLNAME**, **SHOWNAME**, **DIR**, **NAME**, **TITLE**, **ARTIST**, **ALBUM**, **YEAR**, **COMMENT**, **GENRE**, **TRACKNUM**, **SIZE**, **MODTIME**, **VBR**, **BITRATE**, **FREQUENCY**, **MINUTES**, **SECONDS**, **HTMLINDEX**, **FIRSTCHAR**


mp3riot 1.3-20041220

  • extended grouping fuction for all playlistfiles
  • renaming of special characters for filenames og groups
  • support of b4s playlistformat
  • sorting of filelist by various criterias of id3tag, mp3 and
  • file information (e.g. ARTIST, BITRATE etc.)
  • extended output of doublicate function by diretory names
  • added FIRSTCHAR as a value for grouping

mp3riot 1.2-20041007

  • Fixed bug in sql output
  • Flexible search for doublicate files using md5 sums
  • search for doublicates by filenames seperated from search function
  • fixed bug in xml output
  • filesize in html output is now rouded
  • replaced progress bar by counter in percentage
  • added counter for collected files
  • fixed bug in index in html output
  • fixed bug in html output for grouping
  • extended grouping function by new type EQUAL
  • bugfix in pls output

mp3riot 1.1-20030728

  • Renamed into mp3riot
  • Fixed output of playlist in M3U format, so that the M3U file is now containing full information
  • Fixed bug for retreaving the TITLE of an id3tag
  • Added output of playlist in XML format
  • Added output of playlist in PLS format
  • Added random fileselection for random playlists
  • Added the tracknumber for sql output
  • Added **TRACKNUM** (tracknumber) and as a template variable for html output
  • Added TRACKNUM (tracknumber) as a variable for groupings
  • Added tracknumber and comment for db output
  • Fixed bug in renaming function when special characters are present in the id3tag
  • Added rename_template to do renaming of files using their id3tag in a flexible way
  • Fixed a bug in renameback 1.0-20030319

  • Fixed some smaller bugs
  • Rebuild the internal data structure completely
  • Removed option for fast sorting (not necessary any more)
  • Implemented selection of files by their modification time (younger and/or older than days from now)
  • Implemented grouping of files by string matching between group defninitions by various types
  • Implemented variable html-code dsefinitions and templates
  • Changed definition for string replacement
  • now comes with a new version of from MP3-Info-1.02 by Chris Nandor
  • The use of the id3tag for sql and html output is now optional
  • Manpage is not supported any more. 0.9-20030313

  • Fixed a commandline parameter bug where the parameters were handled non case sensitive. Now there are handled case sensitive. As a result the functions RENAME and RENAMEBACK did not work when called with the short command line argument.
  • Fixed a commandline parameter bug that occured with Perl 5.8.0 and Getopt::Long 2.32. The -s flag in line 1 of the perl script causes the program to count the command line parameters in an usual way, so that command line parameters got disturbed and did not work any more. 0.8-20021105

  • Some changes in the documentation.
  • New option to rename files using their id3tag.
  • New option to rename files back.
  • Some code fixes.
  • Usage of the replace option has changed. 0.7-20021016

  • Bug for the option "check" in config file and configuration wizard fixed
  • Bug for the check of the mp3 extension when mp3info was enabled fixed.
  • Bug of sum of megs in html output fixed.
  • Bug in mp3table.sql fixed.
  • Basic ogg vorbis support implemented (thanks to Jens Burkal). 0.6-20020718

  • New method (experimental) for faster sorting. Useful for indexing huge number of files or mp3 files with additional information.
  • New option for checking for dublicates of filenames.
  • Now comes wioth a new version of from MP3-Info-1.01 by Chris Nandor. 0.5-20020626

  • Fixed problem with sql data output when files contain the charakter " ' ".
  • Name of option "hex" changed to "utf8".
  • Implemeted progress bar for prepating html files.
  • More information about what the program is doing. 0.4-20011127

  • Now f2html comes with a new version of from MP3-Info-0.91 by Chris Nandor.
  • Minor Bugfixes.
  • New option to create sql database.
  • New option to create a config file. 0.3-20010628

  • Some checks and corrections for pathnames.
  • Only existing characters are written out at the top of a html file.
  • Rewrite of sum of files and sizes. Important for writing seperate html files for every character.
  • The option -q has been implemented and allows for doing the procedures in a non case sensitive way.
  • The option -j has been implemented. A html file with statistics can be written out. 0.2-20010117

  • The manual has been updated.
  • The option -c has been updated. Now this option can be used more than only one time. So one is able to select file by different extensions. 0.1-20001127

  • Initial release.

back to top

button Whats New
[2005-02-18] mp3riot version 1.3 released
[2004-10-08] mp3riot version 1.2 is out.
[2004-04-30] Added section Bridging
[2004-01-09] working progress on mp3riot version 1.2
A whole bunch of security updates for the US Thanksgiving holiday. Debianhas updated openjdk-6(?:). Fedorahas updated clamav(F19: two vulnerabilities, one from 2013) and tcpdump(F20: three vulnerabilities). Gentoohas updated squid(three vulnerabilities). Mageiahas updated asterisk(two vulnerabilities), avidemux(multiple vulnerabilities), drupal(two vulnerabilities), flash-player-plugin(code execution), glibc(code execution), icecast(information leak), libksba(denial of service), perl-Mojolicious(code execution), phpmyadmin(multiple vulnerabilities), ruby-httpclient(SSL downgrade protection), and wordpress(multiple vulnerabilities). Mandrivahas updated glibc(BS1.0: code execution), icecast(BS1.0: information leak), and kernel(BS1.0: multiple vulnerabilities). openSUSEhas updated file(13.2, 13.1, 12.3: code execution), flashplayer(11.4: code execution), rubygem-actionpack-3_2(13.2, 13.1, 12.3: two information leaks), and rubygem-sprockets(13.2; 13.1, 12.3: directory traversal). Oraclehas updated ruby(OL7; OL6: three vulnerabilities). Red Hathas updated flash-plugin(RHEL5&6: code execution), ruby(RHEL7; RHEL6: three vulnerabilities), ruby193-ruby(RHSC1: three vulnerabilities), and ruby200-ruby(RHSC1: three vulnerabilities). Ubuntuhas updated clamav(two vulnerabilities).
Thanksgiving security updates talks with Paul Ramsey, senior strategist at the open source company Boundless. "Boundless is the ?Red Hat of geospatial?, which says a bit about our business model, but doesn?t really explain our technology. GIS professionals and IT professionals (and, really, anyone with a custom mapping problem) use our tools to store their data, in a spatial SQL database (PostGIS), publish maps and data over the web (GeoServer), and view or edit data in web browsers (OpenLayers) or on the desktop (QGIS). Basically, our tools let developers build web applications that understand and can attractively visualize location. We help people take spatial data out of the GIS department and use it to improve workflows and make decisions anywhere in the organization. This is part of what we see as a move towards what we call Spatial IT, where spatial data is used to empower decision-making across an enterprise."
Mapping the world with open source (

Debianhas updated wireshark(multiple vulnerabilities). Mageiahas updated clamav(two vulnerabilities) and perl-Plack(information disclosure). Mandrivahas updated libvncserver(multiple vulnerabilities) and phpmyadmin(multiple vulnerabilities). openSUSEhas updated rubygem-sprockets-2_1(directory traversal), rubygem-sprockets-2_2(directory traversal), and wireshark(multiple vulnerabilities). Red Hathas updated RHOSE(two vulnerabilities). Ubuntuhas updated squid3(14.10, 14.04: denial of service).
Security advisories for Wednesday

CentOShas updated libXfont(C5: multiple vulnerabilities). Fedorahas updated kde-runtime(F20: code execution) and moodle(F20: multiple vulnerabilities). Mageiahas updated chromium-browser-stable(multiple vulnerabilities) and graphicsmagick(denial of service). Mandrivahas updated ffmpeg(multiple vulnerabilities), imagemagick(multiple vulnerabilities), and ruby(multiple vulnerabilities). openSUSEhas updated ImageMagick(13.2, 13.1, 12.3: denial of service) and zeromq(13.2: man-in-the-middle attack). Oraclehas updated libXfont(OL5: multiple vulnerabilities). Red Hathas updated chromium-browser(RHEL6: multiple vulnerabilities) and libXfont(RHEL5: multiple vulnerabilities). Scientific Linuxhas updated libXfont(SL5: multiple vulnerabilities). SUSEhas updated firefox(SLES10 SP4: multiple vulnerabilities). Ubuntuhas updated EC2 kernel(10.04: two vulnerabilities), kde-runtime(12.04: code execution), kernel(10.04; 12.04; 14.04; 14.10: multiple vulnerabilities), linux-lts-trusty(12.04: multiple vulnerabilities), and linux-ti-omap4(12.04: multiple vulnerabilities).
Tuesday's security updates

As of the 3.18-rc6release, 11,186 non-merge changesets have been pulled into the mainline repository for the 3.18 development cycle. That makes this release about 1,000 changesets smaller than its immediate predecessors, but still not a slow development cycle by any means. Since this cycle is getting close to its end, it's a good time to look at where the code that came into the mainline during this cycle came from.
[$] Some 3.18 development statistics

Ars Technica reportson a recently discovered bug in WordPress 3 sites that could be used to launch malicious script-based attacks on site visitors? browsers. "The vulnerability, discovered by Jouko Pynnonen of Klikki Oy, allows an attacker to craft a comment on a blog post that includes malicious JavaScript code. On sites that allow comments without authentication?the default setting for WordPress?this could allow anyone to post malicious scripts within comments that could target site visitors or administrators. A proof of concept attack developed by Klikki Oy was able to hijack a WordPress site administrator?s session and create a new WordPress administrative account with a known password, change the current administrative password, and launch malicious PHP code on the server. That means an attacker could essentially lock the existing site administrator out and hijack the WordPress installation for malicious purposes."WordPress 4.0 is not vulnerable to the attack.
Four-year-old comment security bug affects 86 percent of WordPress sites (Ars Technica)

Fedorahas updated clamav(F20: denial of service), facter(F20: privilege escalation), libreoffice(F20: code execution), libvirt(F20: multiple vulnerabilities), libxml2(F19: denial of service), owncloud(F19: security restriction bypass), php-sabredav-Sabre_CalDAV(F19: security restriction bypass), php-sabredav-Sabre_CardDAV(F19: security restriction bypass), php-sabredav-Sabre_DAV(F19: security restriction bypass), php-sabredav-Sabre_DAVACL(F19: security restriction bypass), php-sabredav-Sabre_HTTP(F19: security restriction bypass), php-sabredav-Sabre_VObject(F19: security restriction bypass), polarssl(F20; F19: two vulnerabilities), python(F19: script execution), python-pillow(F20; F19: multiple vulnerabilities), and wget(F20: symlink attack). Gentoohas updated aircrack-ng(multiple vulnerabilities), ansible(code execution), asterisk(multiple vulnerabilities), and openswan(denial of service). Mageiahas updated imagemagick(multiple vulnerabilities), moodle(multiple vulnerabilities), and polarssl(two vulnerabilities). Mandrivahas updated krb5(ticket forgery), libvirt(information disclosure), php-smarty(two vulnerabilities), qemu(multiple vulnerabilities), srtp(denial of service), and wireshark(multiple vulnerabilities). openSUSEhas updated openssl(TLS handshake problem). SUSEhas updated firefox(SLES11 SP2: multiple vulnerabilities).
Security advisories for Monday

The 3.18-rc6prepatch is out, right on schedule. Linus says: "Steady progress towards final release, although we still have a big unknown worry in a regression that Dave Jones reported and that we haven't solved yet. In the process of chasing that one down, there's been a fair amount of looking at various low-level details, and that found some dubious issues, but no smoking gun yet."
Kernel prepatch 3.18-rc6

MusicBrainz, the not-for-profit project that maintains an assortment of "open content"music metadata databases, has announceda new effort named AcousticBrainz. AcousticBrainz is designed to be an open, crowd-sourced database cataloging various "audio features"of music, including "low-level spectral information such as tempo, and additional high level descriptors for genres, moods, keys, scales and much more."The data collected is more comprehensive than MusicBrainz's existing AcoustIDdatabase, which deals only with acoustic fingerprinting for song recognition. The new project is a partnership with the Music Technology Group at Universitat Pompeu Fabra, and uses that group's free-software toolkit Essentiato perform its acoustic analyses. A follow-up postdigs into the AcousticBrainz analysis of the project's initial 650,000-track data set, including examinations of genre, mood, key, and other factors.
Introducing AcousticBrainz

Greg Kroah-Hartman has released three new stable kernels: 3.10.61, 3.14.25, and 3.17.4, each containing important updates and fixes.
A Friday kernel collection

The second version of the kdbus patches have been postedto the Linux kernel mailing list by Greg Kroah-Hartman. The biggest change since the original patch set (which we looked atin early November) is that kdbus now provides a filesystem-based interface (kdbusfs) rather than the /dev/kdbusdevice-based interface. There are lots of other changes in response to v1 review comments as well. "kdbus is a kernel-level IPC implementation that aims for resemblance to [the] protocol layer with the existing userspace D-Bus daemon while enabling some features that couldn't be implemented before in userspace."
Version 2 of the kdbus patches posted

CentOShas updated libxml2(C5: denial of service). Debianhas updated drupal7(multiple vulnerabilities). Fedorahas updated kernel(F20: multiple vulnerabilities). Gentoohas updated adobe-flash(multiple vulnerabilities). Mageiahas updated boinc-client(denial of service), ffmpeg(M3; M4: multiple vulnerabilities), hawtjni(M3: code execution), kdebase4-runtime, kwebkitpart(code execution), kdebase4-workspace(M4: privilege escalation), kdenetwork4(M3: multiple vulnerabilities), kernel(M3; M4: multiple vulnerabilities), kernel-vserver(M3: multiple vulnerabilities), krb5(ticket forgery), libvirt(information disclosure), php-smarty(M3; M4: code execution), privoxy(denial of service), python-djblets(M4: multiple vulnerabilities), python-imaging, python-pillow(multiple vulnerabilities), qemu(M4: multiple vulnerabilities), ruby(multiple vulnerabilities), srtp(M3: denial of service), and wireshark(multiple vulnerabilities). Mandrivahas updated asterisk(BS1: multiple vulnerabilities). openSUSEhas updated gnutls(multiple vulnerabilities) and libvirt(password leak). Oraclehas updated bash(O5; O6; O7: multiple vulnerabilities), libvirt(O6: multiple vulnerabilities), libXfont(O6; O7: multiple vulnerabilities), libxml2(O5: denial of service), mariadb(O7: multiple vulnerabilities), and mysql55-mysql(O5: multiple vulnerabilities). Red Hathas updated java-1.5.0-ibm(RHEL5,6: multiple vulnerabilities), java-1.7.0-ibm(RHEL6: multiple vulnerabilities), java-1.7.1-ibm(RHEL6,7: multiple vulnerabilities), and libxml2(RHEL5: denial of service). Scientific Linuxhas updated libxml2(SL5: denial of service). Ubuntuhas updated apparmor(14.04: privilege escalation) and ruby1.8, ruby1.9.1, ruby2.0, ruby2.1(12.04, 14.04, 14.10: denial of service).
Friday's security updates

On his blog, Paul McKenney investigates a bugin read-copy update (RCU) in preparation for the 3.19 merge window. "Of course, we all have specific patches that we are suspicious of. So my next step was to revert suspect patches and to otherwise attempt to outguess the bug. Unfortunately, I quickly learned that the bug is difficult to reproduce, requiring something like 100 hours of focused rcutorture testing. Bisection based on 100-hour tests would have consumed the remainder of 2014 and a significant fraction of 2015, so something better was required. In fact, something waybetter was required because there was only a very small number of failures, which meant that the expected test time to reproduce the bug might well have been 200 hours or even 300 hours instead of my best guess of 100 hours."
McKenney: Stupid RCU Tricks: rcutorture Catches an RCU Bug

Mandrivahas updated clamav(BS1.0: denial of service from 2013) and php-ZendFramework(BS1.0: authentication bypass). openSUSEhas updated emacs(13.1: multiple vulnerabilities). Red Hathas updated java-1.6.0-ibm(RHEL5&6: multiple vulnerabilities) and java-1.7.0-ibm(RHEL5: multiple vulnerabilities). SUSEhas updated firefox(SLE11SP3: multiple vulnerabilities). Ubuntuhas updated oxide-qt(14.10, 14.04: multiple vulnerabilities).
Security advisories for Thursday

The Weekly Edition for November 20, 2014 is available.
[$] Weekly Edition for November 20, 2014

Mozilla Network Security Services CVE-2014-1568 Security Bypass Vulnerability
Vuln: Mozilla Network Security Services CVE-2014-1568 Security Bypass Vulnerability

Arris VAP2500 CVE-2014-8423 Remote Code Execution Vulnerability
Vuln: Arris VAP2500 CVE-2014-8423 Remote Code Execution Vulnerability

Plack::App::File Information Disclosure Vulnerability
Vuln: Plack::App::File Information Disclosure Vulnerability

Aircrack-ng 'network.c' Denial of Service Vulnerability
Vuln: Aircrack-ng 'network.c' Denial of Service Vulnerability

Defense in depth -- the Microsoft way (part 22): no DEP in Windows' filesystem (and ASLR barely used)
Bugtraq: Defense in depth -- the Microsoft way (part 22): no DEP in Windows' filesystem (and ASLR barely used)

[security bulletin] HPSBGN03209 rev.1 - HP Application Lifecycle Management running SSLv3, Remote Disclosure of Information
Bugtraq: [security bulletin] HPSBGN03209 rev.1 - HP Application Lifecycle Management running SSLv3, Remote Disclosure of Information

[ MDVSA-2014:233 ] wordpress
Bugtraq: [ MDVSA-2014:233 ] wordpress

[SECURITY] [DSA 3078-1] libksba security update
Bugtraq: [SECURITY] [DSA 3078-1] libksba security update

News, Infocus, Columns, Vulnerabilities, Bugtraq ...
More rss feeds from SecurityFocus