summary refs log tree commit diff
path: root/gnu/packages/patches/mpv-CVE-2018-6360-2.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/mpv-CVE-2018-6360-2.patch')
-rw-r--r--gnu/packages/patches/mpv-CVE-2018-6360-2.patch59
1 files changed, 59 insertions, 0 deletions
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-2.patch b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch
new file mode 100644
index 0000000000..b37e33a641
--- /dev/null
+++ b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch
@@ -0,0 +1,59 @@
+Fix CVE-2018-6360:
+
+https://github.com/mpv-player/mpv/issues/5456
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
+https://security-tracker.debian.org/tracker/CVE-2018-6360
+
+Patch copied from upstream source repository:
+
+https://github.com/mpv-player/mpv/commit/f8263e82cc74a9ac6530508bec39c7b0dc02568f
+
+From f8263e82cc74a9ac6530508bec39c7b0dc02568f Mon Sep 17 00:00:00 2001
+From: Ricardo Constantino <wiiaboo@gmail.com>
+Date: Fri, 26 Jan 2018 11:26:27 +0000
+Subject: [PATCH] ytdl_hook: move url_is_safe earlier in code
+
+lua isn't javascript.
+---
+ player/lua/ytdl_hook.lua | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
+index b480c21625..458c94af38 100644
+--- a/player/lua/ytdl_hook.lua
++++ b/player/lua/ytdl_hook.lua
+@@ -84,6 +84,15 @@ local function edl_escape(url)
+     return "%" .. string.len(url) .. "%" .. url
+ end
+ 
++local function url_is_safe(url)
++    local proto = type(url) == "string" and url:match("^(.+)://") or nil
++    local safe = proto and safe_protos[proto]
++    if not safe then
++        msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
++    end
++    return safe
++end
++
+ local function time_to_secs(time_string)
+     local ret
+ 
+@@ -223,15 +232,6 @@ local function proto_is_dash(json)
+            or json["protocol"] == "http_dash_segments"
+ end
+ 
+-local function url_is_safe(url)
+-    local proto = type(url) == "string" and url:match("^(.+)://") or nil
+-    local safe = proto and safe_protos[proto]
+-    if not safe then
+-        msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
+-    end
+-    return safe
+-end
+-
+ local function add_single_video(json)
+     local streamurl = ""
+     local max_bitrate = 0
+-- 
+2.16.1
+
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-11-23 20:44:08 +0000