diff options
author | Mark H Weaver <mhw@netris.org> | 2018-02-09 01:46:34 -0500 |
---|---|---|
committer | Mark H Weaver <mhw@netris.org> | 2018-02-09 01:46:34 -0500 |
commit | efe2a2833c6d306d0c60127fdfebaff6dc415b4c (patch) | |
tree | bf842134e1a149770907e1956d28c3a6b207b3f7 /gnu/packages/patches/mpv-CVE-2018-6360-2.patch | |
parent | 53f826cd0f429864d46fc3bf6305c14356d0b2ad (diff) | |
parent | 8d0edc8246389c0f2bb1c8e9c9190c312746a4b4 (diff) | |
download | guix-efe2a2833c6d306d0c60127fdfebaff6dc415b4c.tar.gz |
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches/mpv-CVE-2018-6360-2.patch')
-rw-r--r-- | gnu/packages/patches/mpv-CVE-2018-6360-2.patch | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-2.patch b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch new file mode 100644 index 0000000000..b37e33a641 --- /dev/null +++ b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch @@ -0,0 +1,59 @@ +Fix CVE-2018-6360: + +https://github.com/mpv-player/mpv/issues/5456 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360 +https://security-tracker.debian.org/tracker/CVE-2018-6360 + +Patch copied from upstream source repository: + +https://github.com/mpv-player/mpv/commit/f8263e82cc74a9ac6530508bec39c7b0dc02568f + +From f8263e82cc74a9ac6530508bec39c7b0dc02568f Mon Sep 17 00:00:00 2001 +From: Ricardo Constantino <wiiaboo@gmail.com> +Date: Fri, 26 Jan 2018 11:26:27 +0000 +Subject: [PATCH] ytdl_hook: move url_is_safe earlier in code + +lua isn't javascript. +--- + player/lua/ytdl_hook.lua | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua +index b480c21625..458c94af38 100644 +--- a/player/lua/ytdl_hook.lua ++++ b/player/lua/ytdl_hook.lua +@@ -84,6 +84,15 @@ local function edl_escape(url) + return "%" .. string.len(url) .. "%" .. url + end + ++local function url_is_safe(url) ++ local proto = type(url) == "string" and url:match("^(.+)://") or nil ++ local safe = proto and safe_protos[proto] ++ if not safe then ++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url)) ++ end ++ return safe ++end ++ + local function time_to_secs(time_string) + local ret + +@@ -223,15 +232,6 @@ local function proto_is_dash(json) + or json["protocol"] == "http_dash_segments" + end + +-local function url_is_safe(url) +- local proto = type(url) == "string" and url:match("^(.+)://") or nil +- local safe = proto and safe_protos[proto] +- if not safe then +- msg.error(("Ignoring potentially unsafe url: '%s'"):format(url)) +- end +- return safe +-end +- + local function add_single_video(json) + local streamurl = "" + local max_bitrate = 0 +-- +2.16.1 + |