60 lines
1.7 KiB
Diff
60 lines
1.7 KiB
Diff
Fix CVE-2018-6360:
|
|
|
|
https://github.com/mpv-player/mpv/issues/5456
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
|
|
https://security-tracker.debian.org/tracker/CVE-2018-6360
|
|
|
|
Patch copied from upstream source repository:
|
|
|
|
https://github.com/mpv-player/mpv/commit/f8263e82cc74a9ac6530508bec39c7b0dc02568f
|
|
|
|
From f8263e82cc74a9ac6530508bec39c7b0dc02568f Mon Sep 17 00:00:00 2001
|
|
From: Ricardo Constantino <wiiaboo@gmail.com>
|
|
Date: Fri, 26 Jan 2018 11:26:27 +0000
|
|
Subject: [PATCH] ytdl_hook: move url_is_safe earlier in code
|
|
|
|
lua isn't javascript.
|
|
---
|
|
player/lua/ytdl_hook.lua | 18 +++++++++---------
|
|
1 file changed, 9 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
|
|
index b480c21625..458c94af38 100644
|
|
--- a/player/lua/ytdl_hook.lua
|
|
+++ b/player/lua/ytdl_hook.lua
|
|
@@ -84,6 +84,15 @@ local function edl_escape(url)
|
|
return "%" .. string.len(url) .. "%" .. url
|
|
end
|
|
|
|
+local function url_is_safe(url)
|
|
+ local proto = type(url) == "string" and url:match("^(.+)://") or nil
|
|
+ local safe = proto and safe_protos[proto]
|
|
+ if not safe then
|
|
+ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
|
|
+ end
|
|
+ return safe
|
|
+end
|
|
+
|
|
local function time_to_secs(time_string)
|
|
local ret
|
|
|
|
@@ -223,15 +232,6 @@ local function proto_is_dash(json)
|
|
or json["protocol"] == "http_dash_segments"
|
|
end
|
|
|
|
-local function url_is_safe(url)
|
|
- local proto = type(url) == "string" and url:match("^(.+)://") or nil
|
|
- local safe = proto and safe_protos[proto]
|
|
- if not safe then
|
|
- msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
|
|
- end
|
|
- return safe
|
|
-end
|
|
-
|
|
local function add_single_video(json)
|
|
local streamurl = ""
|
|
local max_bitrate = 0
|
|
--
|
|
2.16.1
|
|
|