diff options
| author | Danny Rawlins <monster.romster@gmail.com> | 2018-02-18 18:19:41 +1100 |
|---|---|---|
| committer | Danny Rawlins <monster.romster@gmail.com> | 2018-02-18 18:19:41 +1100 |
| commit | 38186fee3e8aa077fa2cf27f76cf567987236800 (patch) | |
| tree | 1436eb69a7c34b8f22346255f166cf53bd9e3390 /mpv | |
| parent | 9207ba0a89099f2bb2c44ce505496563880067a7 (diff) | |
| download | contrib-38186fee3e8aa077fa2cf27f76cf567987236800.tar.gz contrib-38186fee3e8aa077fa2cf27f76cf567987236800.tar.xz | |
mpv: 0.27.0 -> 0.27.2 closes FS#1588
Diffstat (limited to 'mpv')
| -rw-r--r-- | mpv/.md5sum | 3 | ||||
| -rw-r--r-- | mpv/.signature | 7 | ||||
| -rw-r--r-- | mpv/09_ytdl-hook-whitelist-protocols.patch | 105 | ||||
| -rw-r--r-- | mpv/Pkgfile | 10 |
4 files changed, 7 insertions, 118 deletions
diff --git a/mpv/.md5sum b/mpv/.md5sum index 2fbcec1e8..4c938aa82 100644 --- a/mpv/.md5sum +++ b/mpv/.md5sum @@ -1,2 +1 @@ -ab865014635762ab84a8e682ab9dedbe 09_ytdl-hook-whitelist-protocols.patch -ec86f42b091d891f9a932de0f6e873ad mpv-v0.27.0.tar.gz +8cfb48e921e58c0d9d181d96d4809beb mpv-v0.27.2.tar.gz diff --git a/mpv/.signature b/mpv/.signature index 49e7e3573..cdb942140 100644 --- a/mpv/.signature +++ b/mpv/.signature @@ -1,6 +1,5 @@ untrusted comment: verify with /etc/ports/contrib.pub -RWSagIOpLGJF3/8znsF9QZG+qu1DfjHvuZatuZzZTDt8Wna+swOMl79Mb4Kpz/9slTZo+HPEUn7I2pBOeNRwCqyYGEVq2JNMyw8= -SHA256 (Pkgfile) = 68a6708f0901499c66f9bb8163dcbba9701296f61def56e2ba8242ae52659f56 +RWSagIOpLGJF3xXPXkv7MnjVpO3iJfGIuzsGv6/l3aMkGMaIYizrBP3+cIv87OAX06lCP0RPnS2oi4QGC4Uu1pY8HdMpBr+wXgI= +SHA256 (Pkgfile) = 222c4702749f1c5471e52646c688b60f759c9f19d02cb52de2655f7c034c5481 SHA256 (.footprint) = 3872a22695e9c213f10e0bd6c0ae8fb7c2bba5425dd68eb1ec02c9e0ba171d09 -SHA256 (mpv-v0.27.0.tar.gz) = 341d8bf18b75c1f78d5b681480b5b7f5c8b87d97a0d4f53a5648ede9c219a49c -SHA256 (09_ytdl-hook-whitelist-protocols.patch) = 6f6bc517c3b1d72a070af64df14428aee76e6cd123b934721851649833061918 +SHA256 (mpv-v0.27.2.tar.gz) = 2ad104d83fd3b2b9457716615acad57e479fd1537b8fc5e37bfe9065359b50be diff --git a/mpv/09_ytdl-hook-whitelist-protocols.patch b/mpv/09_ytdl-hook-whitelist-protocols.patch deleted file mode 100644 index c5c4f54f4..000000000 --- a/mpv/09_ytdl-hook-whitelist-protocols.patch +++ /dev/null @@ -1,105 +0,0 @@ -Description: ytdl_hook: whitelist protocols from urls retrieved from youtube-dl - This patch is a combination of these upstream commits: - - e6e6b0dcc7e9 ("ytdl_hook: whitelist protocols from urls retrieved from - youtube-dl") - - f8263e82cc74 ("ytdl_hook: move url_is_safe earlier in code") - - ce42a965330d ("ytdl_hook: fix safe url checking with EDL urls") - . - jcowgill: backported to 0.27 - Fixes CVE-2018-6360 -Author: Ricardo Constantino <wiiaboo@gmail.com> -Bug: https://github.com/mpv-player/mpv/issues/5456 -Bug-Debian: https://bugs.debian.org/888654 -Applied-Upstream: v0.29 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ - ---- a/player/lua/ytdl_hook.lua -+++ b/player/lua/ytdl_hook.lua -@@ -15,6 +15,18 @@ local ytdl = { - - local chapter_list = {} - -+function Set (t) -+ local set = {} -+ for _, v in pairs(t) do set[v] = true end -+ return set -+end -+ -+local safe_protos = Set { -+ "http", "https", "ftp", "ftps", -+ "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte", -+ "data" -+} -+ - local function exec(args) - local ret = utils.subprocess({args = args}) - return ret.status, ret.stdout, ret -@@ -71,6 +83,15 @@ local function edl_escape(url) - return "%" .. string.len(url) .. "%" .. url - end - -+local function url_is_safe(url) -+ local proto = type(url) == "string" and url:match("^(.+)://") or nil -+ local safe = proto and safe_protos[proto] -+ if not safe then -+ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url)) -+ end -+ return safe -+end -+ - local function time_to_secs(time_string) - local ret - -@@ -182,6 +203,9 @@ local function edl_track_joined(fragment - - for i = offset, #fragments do - local fragment = fragments[i] -+ if not url_is_safe(join_url(base, fragment)) then -+ return nil -+ end - table.insert(parts, edl_escape(join_url(base, fragment))) - if fragment.duration then - parts[#parts] = -@@ -201,6 +225,9 @@ local function add_single_video(json) - edl_track = edl_track_joined(track.fragments, - track.protocol, json.is_live, - track.fragment_base_url) -+ if not edl_track and not url_is_safe(track.url) then -+ return -+ end - if track.acodec and track.acodec ~= "none" then - -- audio track - mp.commandv("audio-add", -@@ -217,6 +244,9 @@ local function add_single_video(json) - edl_track = edl_track_joined(json.fragments, json.protocol, - json.is_live, json.fragment_base_url) - -+ if not edl_track and not url_is_safe(json.url) then -+ return -+ end - -- normal video or single track - streamurl = edl_track or json.url - set_http_headers(json.http_headers) -@@ -408,6 +438,10 @@ mp.add_hook("on_load", 10, function () - - msg.debug("EDL: " .. playlist) - -+ if not playlist then -+ return -+ end -+ - -- can't change the http headers for each entry, so use the 1st - if json.entries[1] then - set_http_headers(json.entries[1].http_headers) -@@ -475,7 +509,9 @@ mp.add_hook("on_load", 10, function () - site = entry["webpage_url"] - end - -- playlist = playlist .. "ytdl://" .. site .. "\n" -+ if url_is_safe(site) then -+ playlist = playlist .. "ytdl://" .. site .. "\n" -+ end - end - - mp.set_property("stream-open-filename", "memory://" .. playlist) diff --git a/mpv/Pkgfile b/mpv/Pkgfile index 8fbe91f6a..bd1d4ee3d 100644 --- a/mpv/Pkgfile +++ b/mpv/Pkgfile @@ -5,10 +5,9 @@ # Optional: youtube-dl libquvi libdvdnav libbluray libcdio-paranoia libvdpau name=mpv -version=0.27.0 -release=2 -source=(https://github.com/$name-player/$name/archive/v$version/$name-v$version.tar.gz \ - 09_ytdl-hook-whitelist-protocols.patch) +version=0.27.2 +release=1 +source=(https://github.com/$name-player/$name/archive/v$version/$name-v$version.tar.gz) build() { cd $name-$version @@ -16,9 +15,6 @@ build() { [ -e '/usr/lib/pkgconfig/libcdio_cdda.pc' ] && PKGMK_MPV+=' --enable-cdda' [ -e '/usr/lib/pkgconfig/dvdnav.pc' ] && PKGMK_MPV+=' --enable-dvdread --enable-dvdnav' - # CVE-2018-6360 fix - patch -p1 -i $SRC/09_ytdl-hook-whitelist-protocols.patch - ./bootstrap.py ./waf configure ${PKGMK_MPV} \ --prefix=/usr \ |