Fix CVE-2018-6360: https://github.com/mpv-player/mpv/issues/5456 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360 https://security-tracker.debian.org/tracker/CVE-2018-6360 Patch copied from upstream source repository: https://github.com/mpv-player/mpv/commit/ce42a965330dfeb7d2f6c69ea42d35454105c828
From ce42a965330dfeb7d2f6c69ea42d35454105c828 Mon Sep 17 00:00:00 2001
From: Ricardo Constantino
Date: Fri, 26 Jan 2018 18:54:17 +0000
Subject: [PATCH] ytdl_hook: fix safe url checking with EDL urls
---
 player/lua/ytdl_hook.lua | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
index 458c94af38..6c8e78657d 100644
--- a/player/lua/ytdl_hook.lua
+++ b/player/lua/ytdl_hook.lua
@@ -264,18 +264,17 @@ local function add_single_video(json)
 edl_track = edl_track_joined(track.fragments, track.protocol, json.is_live, track.fragment_base_url)
- local url = edl_track or track.url
- if not url_is_safe(url) then
+ if not edl_track and not url_is_safe(track.url) then
 return end if track.acodec and track.acodec ~= "none" then -- audio track mp.commandv("audio-add",
- url, "auto",
+ edl_track or track.url, "auto",
 track.format_note or "") elseif track.vcodec and track.vcodec ~= "none" then -- video track
- streamurl = url
+ streamurl = edl_track or track.url
 end end
@@ -284,6 +283,9 @@ local function add_single_video(json)
 edl_track = edl_track_joined(json.fragments, json.protocol, json.is_live, json.fragment_base_url)
+ if not edl_track and not url_is_safe(json.url) then
+ return
+ end
 -- normal video or single track streamurl = edl_track or json.url set_http_headers(json.http_headers)
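Review bot: In the first hunk (`if not edl_track and not url_is_safe(track.url) then`) and again in the `json.url` hunk after it, a non-nil `edl_track` skips `url_is_safe` altogether, so the EDL path is only as safe as whatever `edl_track_joined` does with each fragment URL and with `fragment_base_url`. That function is outside this diff, so its validation cannot be confirmed from here. I would record the dependency at both call sites with a comment such as `-- edl_track bypasses url_is_safe() here: edl_track_joined() must validate every fragment URL itself`. The early `return` also leaves `add_single_video` with no log line visible at the call site, so a `msg.warn` naming the rejected track would help when triaging blocked streams, unless `url_is_safe` already logs. The body of `add_single_video` starts and ends outside these hunks.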
@@ -294,13 +296,7 @@ local function add_single_video(json)
 msg.debug("streamurl: " .. streamurl)
- streamurl = streamurl:gsub("^data:", "data://", 1)
-
- if not url_is_safe(streamurl) then
- return
- end
-
- mp.set_property("stream-open-filename", streamurl)
+ mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1))
 mp.set_property("file-local-options/force-media-title", json.title)
@@ -499,6 +495,10 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function ()
 msg.debug("EDL: " .. playlist)
+ if not playlist then
+ return
+ end
+
 -- can't change the http headers for each entry, so use the 1st if json.entries[1] then set_http_headers(json.entries[1].http_headers)
-- 2.16.1
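Review bot: In the `stream-open-filename` hunk the `data:` to `data://` rewrite now runs after the last `url_is_safe` call instead of before it, so the checks added earlier see the raw `data:` form of `track.url` / `json.url`. The body of `url_is_safe` is not visible here, so it is worth confirming that it classifies `data:` and `data://` URLs the same way and adding a comment to that effect next to the rewrite. Separately, `streamurl:gsub(...)` returns both the string and the substitution count, and both are now forwarded to `mp.set_property`. Wrapping the call in parentheses keeps it to the one intended value: `mp.set_property("stream-open-filename", (streamurl:gsub("^data:", "data://", 1)))`. The function continues outside the hunk.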
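Review bot: In the `mp.add_hook` hunk the added `if not playlist then return end` guard comes after the context line `msg.debug("EDL: " .. playlist)`, and concatenating a nil `playlist` raises a Lua error before the guard is ever reached. The hook still stops in that case, but through an exception rather than the intended clean return, so the guard should move above the debug call, or the log line should use `"EDL: " .. tostring(playlist)`. Where `playlist` is assigned lies outside this hunk, so that it can be nil here is inferred from the guard itself. The hook function starts and ends outside the hunk.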