all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
blob dc3e272d376e3da73477d0fc93d29c466018eb42 2990 bytes (raw)
name: gnu/packages/patches/mpv-CVE-2018-6360-4.patch 	 # note: path name is non-authoritative(*)
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84

 
Fix CVE-2018-6360:

https://github.com/mpv-player/mpv/issues/5456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
https://security-tracker.debian.org/tracker/CVE-2018-6360

Patch copied from upstream source repository:

https://github.com/mpv-player/mpv/commit/ce42a965330dfeb7d2f6c69ea42d35454105c828

From ce42a965330dfeb7d2f6c69ea42d35454105c828 Mon Sep 17 00:00:00 2001
From: Ricardo Constantino <wiiaboo@gmail.com>
Date: Fri, 26 Jan 2018 18:54:17 +0000
Subject: [PATCH] ytdl_hook: fix safe url checking with EDL urls

---
 player/lua/ytdl_hook.lua | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
index 458c94af38..6c8e78657d 100644
--- a/player/lua/ytdl_hook.lua
+++ b/player/lua/ytdl_hook.lua
@@ -264,18 +264,17 @@ local function add_single_video(json)
             edl_track = edl_track_joined(track.fragments,
                 track.protocol, json.is_live,
                 track.fragment_base_url)
-            local url = edl_track or track.url
-            if not url_is_safe(url) then
+            if not edl_track and not url_is_safe(track.url) then
                 return
             end
             if track.acodec and track.acodec ~= "none" then
                 -- audio track
                 mp.commandv("audio-add",
-                    url, "auto",
+                    edl_track or track.url, "auto",
                     track.format_note or "")
             elseif track.vcodec and track.vcodec ~= "none" then
                 -- video track
-                streamurl = url
+                streamurl = edl_track or track.url
             end
         end
 
@@ -284,6 +283,9 @@ local function add_single_video(json)
         edl_track = edl_track_joined(json.fragments, json.protocol,
             json.is_live, json.fragment_base_url)
 
+        if not edl_track and not url_is_safe(json.url) then
+            return
+        end
         -- normal video or single track
         streamurl = edl_track or json.url
         set_http_headers(json.http_headers)
@@ -294,13 +296,7 @@ local function add_single_video(json)
 
     msg.debug("streamurl: " .. streamurl)
 
-    streamurl = streamurl:gsub("^data:", "data://", 1)
-
-    if not url_is_safe(streamurl) then
-        return
-    end
-
-    mp.set_property("stream-open-filename", streamurl)
+    mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1))
 
     mp.set_property("file-local-options/force-media-title", json.title)
 
@@ -499,6 +495,10 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function ()
 
                 msg.debug("EDL: " .. playlist)
 
+                if not playlist then
+                    return
+                end
+
                 -- can't change the http headers for each entry, so use the 1st
                 if json.entries[1] then
                     set_http_headers(json.entries[1].http_headers)
-- 
2.16.1


debug log:

solving dc3e272d3 ...
found dc3e272d3 in https://git.savannah.gnu.org/cgit/guix.git

(*) Git path names are given by the tree(s) the blob belongs to.
    Blobs themselves have no identifier aside from the hash of its contents.^
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.