From debbugs-submit-bounces@debbugs.gnu.org Thu Feb 08 01:57:50 2018 Received: (at 30378) by debbugs.gnu.org; 8 Feb 2018 06:57:50 +0000 Received: from localhost ([127.0.0.1]:33688 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ejg9M-0006QA-PG for submit@debbugs.gnu.org; Thu, 08 Feb 2018 01:57:50 -0500 Received: from mail-pf0-f179.google.com ([209.85.192.179]:44647) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ejg9H-0006Pv-4Q for 30378@debbugs.gnu.org; Thu, 08 Feb 2018 01:57:39 -0500 Received: by mail-pf0-f179.google.com with SMTP id 17so1404009pfw.11 for <30378@debbugs.gnu.org>; Wed, 07 Feb 2018 22:57:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version; bh=KYQGSLIoGqr98536tq0bVS2H0hbCB7wd9JIr81tX4H4=; b=KBYaLeXu4QdQ1+9FHv6CPo2ocMrtRw/9SAi5swKgiwvrwIBv/fNWreNYnFcRZUP2Bh NlOkj7CLUIvLmicb/UelAzXpl9kJS01tanoOGjb9coky4yff0AV65+UnhQ2nMx0XTYpH 3x7usFCWvCCSum5wvZfYSOYOpSWM75kfaBhUkLRv0WltFvqxhf+BziSPNjBkkreLHI7T JH7TKGh9gtudMY0TV1Je9mrtB0Kc8lLJMYC5d2YZqZwXx9jL+Pc1+d9k+59ztZQiLdZL EoPTicB2TAkkqOMpCxwbER+lMR6sr4PIDGu/9fY1VvKyKCGNUgvlewKA2pziSzL1MiNz mCpg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to :message-id:user-agent:mime-version; bh=KYQGSLIoGqr98536tq0bVS2H0hbCB7wd9JIr81tX4H4=; b=K+/SYBfRAmpAawd6feuxBov8HvBhgeW1gE0xN490OWswVWV8qC5taIH3eNtSDmYQzP Tu7xbxaLFhEn4XAjYqWND9H9sXSdF3VL1noWb86YPPJ+zaOFQW4FK95qjKKj+bh/ZYCf IjWhXst5juJY9gaX5oApeXwojH5lVuRtQXrqiRyxheSSpZhTJRvinlSEPXZZ+cdfTusB 0PijT5czXbeUCDlYzk8x/R7sRVNPz51TMhzncue0XSrC+CuU54sllPoBtJyuWj00aLUu QdIfIbIuWfdFrj6CL1P4gW63SpJ2uCJPsv5mA5OhEYxBvRKoHg7WJcQCe6HUI/CM1mZd H50w== X-Gm-Message-State: APf1xPD5TjKJLwfHIQ7E5gc3w8F258fJ4FRrVlhH8J7HGmNsrO6IpsSW N69prHulkwIl7FG9u58J+6c= X-Google-Smtp-Source: AH8x224vORgtG9BOz60ANhgGn8XkBCvPT9/hi3EZ+NGqZ8A7EdFngdNyOneaPX8sjRu0dRoz5I0x8w== X-Received: by 10.101.92.77 with SMTP id v13mr7173770pgr.341.1518073049160; Wed, 07 Feb 2018 22:57:29 -0800 (PST) Received: from debian (ip-137-189-240-158.wlan.cuhk.edu.hk. [137.189.240.158]) by smtp.gmail.com with ESMTPSA id y9sm4163896pfl.9.2018.02.07.22.57.27 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 07 Feb 2018 22:57:28 -0800 (PST) From: Alex Vong To: Leo Famulari Subject: Re: [bug#30378] [PATCH] gnu: mpv: Fix CVE-2018-6360. References: <87tvuts33b.fsf@gmail.com> <20180208024417.GB16980@jasmine.lan> Date: Thu, 08 Feb 2018 13:53:52 +0800 In-Reply-To: <20180208024417.GB16980@jasmine.lan> (Leo Famulari's message of "Wed, 7 Feb 2018 21:44:17 -0500") Message-ID: <87mv0kqb67.fsf@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-Spam-Score: 0.3 (/) X-Debbugs-Envelope-To: 30378 Cc: 30378@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.3 (/) --=-=-= Content-Type: text/plain Leo Famulari writes: > On Wed, Feb 07, 2018 at 02:53:12PM +0800, Alex Vong wrote: >> Tags: security >> >> Hello, >> >> This patch fixes CVE-2018-6360, which is about mpv maybe get tricked >> into playing unsafe url returned by youtube-dl. > >> From 2a6538067bdad659672f1d19811bad8a5b8d9d56 Mon Sep 17 00:00:00 2001 >> From: Alex Vong >> Date: Wed, 7 Feb 2018 14:39:40 +0800 >> Subject: [PATCH] gnu: mpv: Fix CVE-2018-6360. >> >> * gnu/packages/patches/mpv-CVE-2018-6360-1.patch, >> gnu/packages/patches/mpv-CVE-2018-6360-2.patch, >> gnu/packages/patches/mpv-CVE-2018-6360-3.patch: New files. >> * gnu/local.mk (dist_patch_DATA): Add them. >> * gnu/packages/video.scm (mpv)[source]: Use them. > > Thank you very much for putting this patch together! > :-) > I noticed that the person who fixed the bug upstream said that 4 commits > were needed [0], but this patch (and Debian's and Nix's) are missing the > first in that person's list, 828bd2963cd10. > > I'm going to ask upstream to clarify but, in the meantime, do you know > why this patch is not included? > I have no idea about this. I think we should wait for the author to tell us what they think. Here is a new patch with the 4 commits: --=-=-= Content-Type: text/x-diff; charset=utf-8 Content-Disposition: inline; filename=0001-gnu-mpv-Fix-CVE-2018-6360.patch Content-Transfer-Encoding: quoted-printable From 6891f7c24fdd90953454c8fdf68baade394eb9ba Mon Sep 17 00:00:00 2001 From: Alex Vong Date: Wed, 7 Feb 2018 14:39:40 +0800 Subject: [PATCH] gnu: mpv: Fix CVE-2018-6360. * gnu/packages/patches/mpv-CVE-2018-6360-1.patch, gnu/packages/patches/mpv-CVE-2018-6360-2.patch, gnu/packages/patches/mpv-CVE-2018-6360-3.patch, gnu/packages/patches/mpv-CVE-2018-6360-4.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/video.scm (mpv)[source]: Use them. --- gnu/local.mk | 6 +- gnu/packages/patches/mpv-CVE-2018-6360-1.patch | 133 +++++++++++++++++++++= +++ gnu/packages/patches/mpv-CVE-2018-6360-2.patch | 138 +++++++++++++++++++++= ++++ gnu/packages/patches/mpv-CVE-2018-6360-3.patch | 59 +++++++++++ gnu/packages/patches/mpv-CVE-2018-6360-4.patch | 84 +++++++++++++++ gnu/packages/video.scm | 6 +- 6 files changed, 424 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-1.patch create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-2.patch create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-3.patch create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-4.patch diff --git a/gnu/local.mk b/gnu/local.mk index 3f0023a2f..b0b4ca482 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -9,7 +9,7 @@ # Copyright =C2=A9 2016 Adonay "adfeno" Felipe Nogueira # Copyright =C2=A9 2016, 2017 Ricardo Wurmus # Copyright =C2=A9 2016 Ben Woodcroft -# Copyright =C2=A9 2016, 2017 Alex Vong +# Copyright =C2=A9 2016, 2017, 2018 Alex Vong # Copyright =C2=A9 2016, 2017 Efraim Flashner # Copyright =C2=A9 2016, 2017 Jan Nieuwenhuizen # Copyright =C2=A9 2017 Tobias Geerinckx-Rice @@ -910,6 +910,10 @@ dist_patch_DATA =3D \ %D%/packages/patches/mhash-keygen-test-segfault.patch \ %D%/packages/patches/mingw-w64-5.0rc2-gcc-4.9.3.patch \ %D%/packages/patches/mpc123-initialize-ao.patch \ + %D%/packages/patches/mpv-CVE-2018-6360-1.patch \ + %D%/packages/patches/mpv-CVE-2018-6360-2.patch \ + %D%/packages/patches/mpv-CVE-2018-6360-3.patch \ + %D%/packages/patches/mpv-CVE-2018-6360-4.patch \ %D%/packages/patches/module-init-tools-moduledir.patch \ %D%/packages/patches/mongodb-support-unknown-linux-distributions.patch \ %D%/packages/patches/mozjs17-aarch64-support.patch \ diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-1.patch b/gnu/packages/= patches/mpv-CVE-2018-6360-1.patch new file mode 100644 index 000000000..4d48da667 --- /dev/null +++ b/gnu/packages/patches/mpv-CVE-2018-6360-1.patch @@ -0,0 +1,133 @@ +Fix CVE-2018-6360: + +https://github.com/mpv-player/mpv/issues/5456 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-6360 +https://security-tracker.debian.org/tracker/CVE-2018-6360 + +Patch copied from upstream source repository: + +https://github.com/mpv-player/mpv/commit/828bd2963cd10a851e0a977809687aed4= d377dc3 + +From 828bd2963cd10a851e0a977809687aed4d377dc3 Mon Sep 17 00:00:00 2001 +From: Ricardo Constantino +Date: Tue, 2 Jan 2018 20:46:58 +0000 +Subject: [PATCH] command: add demuxer-lavf-list property + +Was only available with --demuxer-lavf-format=3Dhelp and the demuxer +needed to be used for it to actually print the list. + +This can be used in the future to check if 'dash' support was compiled +with FFmpeg so ytdl_hook can use it instead. For now, dashdec is too +rudimentary to be used right away. +--- + DOCS/man/input.rst | 4 ++++ + common/av_common.c | 17 +++++++++++++++++ + common/av_common.h | 1 + + player/command.c | 15 +++++++++++++++ + 4 files changed, 37 insertions(+) + +diff --git a/DOCS/man/input.rst b/DOCS/man/input.rst +index 16d8ecb45d..0ae4a0c0c8 100644 +--- a/DOCS/man/input.rst ++++ b/DOCS/man/input.rst +@@ -2119,6 +2119,10 @@ Property list + The encoder names (``driver`` entries) can be passed to ``--ovc`` and + ``--oac`` (without the ``lavc:`` prefix required by ``--vd`` and ``--= ad``). +=20 ++``demuxer-lavf-list`` ++ List of available libavformat demuxers' names. This can be used to ch= eck ++ for support for a specific format or use with ``--demuxer-lavf-format= ``. ++ + ``mpv-version`` + Return the mpv version/copyright string. Depending on how the binary = was + built, it might contain either a release version, or just a git hash. +diff --git a/common/av_common.c b/common/av_common.c +index 65a212b994..0599d98465 100644 +--- a/common/av_common.c ++++ b/common/av_common.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include +=20 + #include "config.h" +=20 +@@ -33,6 +34,7 @@ + #include "common/msg.h" + #include "demux/packet.h" + #include "demux/stheader.h" ++#include "misc/bstr.h" + #include "video/fmt-conversion.h" + #include "av_common.h" + #include "codecs.h" +@@ -246,6 +248,21 @@ void mp_add_lavc_encoders(struct mp_decoder_list *lis= t) + } + } +=20 ++char **mp_get_lavf_demuxers(void) ++{ ++ char **list =3D NULL; ++ AVInputFormat *cur =3D NULL; ++ int num =3D 0; ++ for (;;) { ++ cur =3D av_iformat_next(cur); ++ if (!cur) ++ break; ++ MP_TARRAY_APPEND(NULL, list, num, talloc_strdup(NULL, cur->name)); ++ } ++ MP_TARRAY_APPEND(NULL, list, num, NULL); ++ return list; ++} ++ + int mp_codec_to_av_codec_id(const char *codec) + { + int id =3D AV_CODEC_ID_NONE; +diff --git a/common/av_common.h b/common/av_common.h +index 6d0c823b8d..0e7c838884 100644 +--- a/common/av_common.h ++++ b/common/av_common.h +@@ -41,6 +41,7 @@ double mp_pts_from_av(int64_t av_pts, AVRational *tb); + void mp_set_avcodec_threads(struct mp_log *l, AVCodecContext *avctx, int = threads); + void mp_add_lavc_decoders(struct mp_decoder_list *list, enum AVMediaType = type); + void mp_add_lavc_encoders(struct mp_decoder_list *list); ++char **mp_get_lavf_demuxers(void); + int mp_codec_to_av_codec_id(const char *codec); + const char *mp_codec_from_av_codec_id(int codec_id); + void mp_set_avdict(struct AVDictionary **dict, char **kv); +diff --git a/player/command.c b/player/command.c +index 6f2c15b047..412afc5e11 100644 +--- a/player/command.c ++++ b/player/command.c +@@ -3588,6 +3588,20 @@ static int mp_property_encoders(void *ctx, struct m= _property *prop, + return r; + } +=20 ++static int mp_property_lavf_demuxers(void *ctx, struct m_property *prop, ++ int action, void *arg) ++{ ++ switch (action) { ++ case M_PROPERTY_GET: ++ *(char ***)arg =3D mp_get_lavf_demuxers(); ++ return M_PROPERTY_OK; ++ case M_PROPERTY_GET_TYPE: ++ *(struct m_option *)arg =3D (struct m_option){.type =3D CONF_TYPE= _STRING_LIST}; ++ return M_PROPERTY_OK; ++ } ++ return M_PROPERTY_NOT_IMPLEMENTED; ++} ++ + static int mp_property_version(void *ctx, struct m_property *prop, + int action, void *arg) + { +@@ -4027,6 +4041,7 @@ static const struct m_property mp_properties_base[] = =3D { + {"protocol-list", mp_property_protocols}, + {"decoder-list", mp_property_decoders}, + {"encoder-list", mp_property_encoders}, ++ {"demuxer-lavf-list", mp_property_lavf_demuxers}, +=20 + {"mpv-version", mp_property_version}, + {"mpv-configuration", mp_property_configuration}, +--=20 +2.16.1 + diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-2.patch b/gnu/packages/= patches/mpv-CVE-2018-6360-2.patch new file mode 100644 index 000000000..55fc7daaf --- /dev/null +++ b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch @@ -0,0 +1,138 @@ +Fix CVE-2018-6360: + +https://github.com/mpv-player/mpv/issues/5456 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-6360 +https://security-tracker.debian.org/tracker/CVE-2018-6360 + +Patch copied from upstream source repository: + +https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fc= fcaff43 + +To apply the patch to mpv 0.28.0 release tarball, hunk #4 is removed. Hunk= #4 +checks if 'mpd_url' is safe, but the support for 'mpd_url' is not available +for the 0.28.0 release. So it should be safe to remove hunk #4. + +From e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 Mon Sep 17 00:00:00 2001 +From: Ricardo Constantino +Date: Fri, 26 Jan 2018 01:19:04 +0000 +Subject: [PATCH] ytdl_hook: whitelist protocols from urls retrieved from + youtube-dl + +Not very clean since there's a lot of potential unsafe urls that youtube-dl +can give us, depending on whether it's a single url, split tracks, +playlists, segmented dash, etc. +--- + player/lua/ytdl_hook.lua | 54 +++++++++++++++++++++++++++++++++++++++++--= ----- + 1 file changed, 47 insertions(+), 7 deletions(-) + +diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua +index dd96ecc01d..b480c21625 100644 +--- a/player/lua/ytdl_hook.lua ++++ b/player/lua/ytdl_hook.lua +@@ -16,6 +16,18 @@ local ytdl =3D { +=20 + local chapter_list =3D {} +=20 ++function Set (t) ++ local set =3D {} ++ for _, v in pairs(t) do set[v] =3D true end ++ return set ++end ++ ++local safe_protos =3D Set { ++ "http", "https", "ftp", "ftps", ++ "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte", ++ "data" ++} ++ + local function exec(args) + local ret =3D utils.subprocess({args =3D args}) + return ret.status, ret.stdout, ret +@@ -183,6 +195,9 @@ local function edl_track_joined(fragments, protocol, i= s_live, base) +=20 + for i =3D offset, #fragments do + local fragment =3D fragments[i] ++ if not url_is_safe(join_url(base, fragment)) then ++ return nil ++ end + table.insert(parts, edl_escape(join_url(base, fragment))) + if fragment.duration then + parts[#parts] =3D +@@ -208,6 +223,15 @@ local function proto_is_dash(json) + or json["protocol"] =3D=3D "http_dash_segments" + end +=20 ++local function url_is_safe(url) ++ local proto =3D type(url) =3D=3D "string" and url:match("^(.+)://") o= r nil ++ local safe =3D proto and safe_protos[proto] ++ if not safe then ++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url)) ++ end ++ return safe ++end ++ + local function add_single_video(json) + local streamurl =3D "" + local max_bitrate =3D 0 +@@ -238,14 +264,18 @@ local function add_single_video(json) + edl_track =3D edl_track_joined(track.fragments, + track.protocol, json.is_live, + track.fragment_base_url) ++ local url =3D edl_track or track.url ++ if not url_is_safe(url) then ++ return ++ end + if track.acodec and track.acodec ~=3D "none" then + -- audio track + mp.commandv("audio-add", +- edl_track or track.url, "auto", ++ url, "auto", + track.format_note or "") + elseif track.vcodec and track.vcodec ~=3D "none" then + -- video track +- streamurl =3D edl_track or track.url ++ streamurl =3D url + end + end +=20 +@@ -264,7 +294,13 @@ local function add_single_video(json) +=20 + msg.debug("streamurl: " .. streamurl) +=20 +- mp.set_property("stream-open-filename", streamurl:gsub("^data:", "dat= a://", 1)) ++ streamurl =3D streamurl:gsub("^data:", "data://", 1) ++ ++ if not url_is_safe(streamurl) then ++ return ++ end ++ ++ mp.set_property("stream-open-filename", streamurl) +=20 + mp.set_property("file-local-options/force-media-title", json.title) +=20 +@@ -526,14 +562,18 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_lo= ad_fail", 10, function () + site =3D entry["webpage_url"] + end +=20 +- if not (site:find("https?://") =3D=3D 1) then +- site =3D "ytdl://" .. site ++ -- links with only youtube id as returned by --flat-p= laylist ++ if not site:find("://") then ++ table.insert(playlist, "ytdl://" .. site) ++ elseif url_is_safe(site) then ++ table.insert(playlist, site) + end +- table.insert(playlist, site) +=20 + end +=20 +- mp.set_property("stream-open-filename", "memory://" .. ta= ble.concat(playlist, "\n")) ++ if #playlist > 0 then ++ mp.set_property("stream-open-filename", "memory://" .= . table.concat(playlist, "\n")) ++ end + end +=20 + else -- probably a video +--=20 +2.16.1 + diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-3.patch b/gnu/packages/= patches/mpv-CVE-2018-6360-3.patch new file mode 100644 index 000000000..b37e33a64 --- /dev/null +++ b/gnu/packages/patches/mpv-CVE-2018-6360-3.patch @@ -0,0 +1,59 @@ +Fix CVE-2018-6360: + +https://github.com/mpv-player/mpv/issues/5456 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-6360 +https://security-tracker.debian.org/tracker/CVE-2018-6360 + +Patch copied from upstream source repository: + +https://github.com/mpv-player/mpv/commit/f8263e82cc74a9ac6530508bec39c7b0d= c02568f + +From f8263e82cc74a9ac6530508bec39c7b0dc02568f Mon Sep 17 00:00:00 2001 +From: Ricardo Constantino +Date: Fri, 26 Jan 2018 11:26:27 +0000 +Subject: [PATCH] ytdl_hook: move url_is_safe earlier in code + +lua isn't javascript. +--- + player/lua/ytdl_hook.lua | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua +index b480c21625..458c94af38 100644 +--- a/player/lua/ytdl_hook.lua ++++ b/player/lua/ytdl_hook.lua +@@ -84,6 +84,15 @@ local function edl_escape(url) + return "%" .. string.len(url) .. "%" .. url + end +=20 ++local function url_is_safe(url) ++ local proto =3D type(url) =3D=3D "string" and url:match("^(.+)://") o= r nil ++ local safe =3D proto and safe_protos[proto] ++ if not safe then ++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url)) ++ end ++ return safe ++end ++ + local function time_to_secs(time_string) + local ret +=20 +@@ -223,15 +232,6 @@ local function proto_is_dash(json) + or json["protocol"] =3D=3D "http_dash_segments" + end +=20 +-local function url_is_safe(url) +- local proto =3D type(url) =3D=3D "string" and url:match("^(.+)://") o= r nil +- local safe =3D proto and safe_protos[proto] +- if not safe then +- msg.error(("Ignoring potentially unsafe url: '%s'"):format(url)) +- end +- return safe +-end +- + local function add_single_video(json) + local streamurl =3D "" + local max_bitrate =3D 0 +--=20 +2.16.1 + diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-4.patch b/gnu/packages/= patches/mpv-CVE-2018-6360-4.patch new file mode 100644 index 000000000..dc3e272d3 --- /dev/null +++ b/gnu/packages/patches/mpv-CVE-2018-6360-4.patch @@ -0,0 +1,84 @@ +Fix CVE-2018-6360: + +https://github.com/mpv-player/mpv/issues/5456 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-6360 +https://security-tracker.debian.org/tracker/CVE-2018-6360 + +Patch copied from upstream source repository: + +https://github.com/mpv-player/mpv/commit/ce42a965330dfeb7d2f6c69ea42d35454= 105c828 + +From ce42a965330dfeb7d2f6c69ea42d35454105c828 Mon Sep 17 00:00:00 2001 +From: Ricardo Constantino +Date: Fri, 26 Jan 2018 18:54:17 +0000 +Subject: [PATCH] ytdl_hook: fix safe url checking with EDL urls + +--- + player/lua/ytdl_hook.lua | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua +index 458c94af38..6c8e78657d 100644 +--- a/player/lua/ytdl_hook.lua ++++ b/player/lua/ytdl_hook.lua +@@ -264,18 +264,17 @@ local function add_single_video(json) + edl_track =3D edl_track_joined(track.fragments, + track.protocol, json.is_live, + track.fragment_base_url) +- local url =3D edl_track or track.url +- if not url_is_safe(url) then ++ if not edl_track and not url_is_safe(track.url) then + return + end + if track.acodec and track.acodec ~=3D "none" then + -- audio track + mp.commandv("audio-add", +- url, "auto", ++ edl_track or track.url, "auto", + track.format_note or "") + elseif track.vcodec and track.vcodec ~=3D "none" then + -- video track +- streamurl =3D url ++ streamurl =3D edl_track or track.url + end + end +=20 +@@ -284,6 +283,9 @@ local function add_single_video(json) + edl_track =3D edl_track_joined(json.fragments, json.protocol, + json.is_live, json.fragment_base_url) +=20 ++ if not edl_track and not url_is_safe(json.url) then ++ return ++ end + -- normal video or single track + streamurl =3D edl_track or json.url + set_http_headers(json.http_headers) +@@ -294,13 +296,7 @@ local function add_single_video(json) +=20 + msg.debug("streamurl: " .. streamurl) +=20 +- streamurl =3D streamurl:gsub("^data:", "data://", 1) +- +- if not url_is_safe(streamurl) then +- return +- end +- +- mp.set_property("stream-open-filename", streamurl) ++ mp.set_property("stream-open-filename", streamurl:gsub("^data:", "dat= a://", 1)) +=20 + mp.set_property("file-local-options/force-media-title", json.title) +=20 +@@ -499,6 +495,10 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_loa= d_fail", 10, function () +=20 + msg.debug("EDL: " .. playlist) +=20 ++ if not playlist then ++ return ++ end ++ + -- can't change the http headers for each entry, so use t= he 1st + if json.entries[1] then + set_http_headers(json.entries[1].http_headers) +--=20 +2.16.1 + diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm index 8cbe590bf..8c0743745 100644 --- a/gnu/packages/video.scm +++ b/gnu/packages/video.scm @@ -6,7 +6,7 @@ ;;; Copyright =C2=A9 2015, 2016, 2017 Efraim Flashner ;;; Copyright =C2=A9 2015 Andy Patterson ;;; Copyright =C2=A9 2015 Ricardo Wurmus -;;; Copyright =C2=A9 2015, 2016, 2017 Alex Vong +;;; Copyright =C2=A9 2015, 2016, 2017, 2018 Alex Vong ;;; Copyright =C2=A9 2016, 2017 Alex Griffin ;;; Copyright =C2=A9 2016 Kei Kebreau ;;; Copyright =C2=A9 2016 Dmitry Nikolaev @@ -1018,6 +1018,10 @@ SVCD, DVD, 3ivx, DivX 3/4/5, WMV and H.264 movies.") (sha256 (base32 "1d2p6k3y9lqx8bpdal4grrj8ljy7pvd8qgdq8004fmr38afmbb7f")) + (patches (search-patches "mpv-CVE-2018-6360-1.patch" + "mpv-CVE-2018-6360-2.patch" + "mpv-CVE-2018-6360-3.patch" + "mpv-CVE-2018-6360-4.patch")) (file-name (string-append name "-" version ".tar.gz")))) (build-system waf-build-system) (native-inputs --=20 2.16.1 --=-=-= Content-Type: text/plain > [0] > https://github.com/mpv-player/mpv/issues/5456#issuecomment-362442132 --=-=-=--