Fix CVE-2018-6360:
https://github.com/mpv-player/mpv/issues/5456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
https://security-tracker.debian.org/tracker/CVE-2018-6360
Patch copied from upstream source repository:
https://github.com/mpv-player/mpv/commit/f8263e82cc74a9ac6530508bec39c7b0dc02568f
From f8263e82cc74a9ac6530508bec39c7b0dc02568f Mon Sep 17 00:00:00 2001
From: Ricardo Constantino
Date: Fri, 26 Jan 2018 11:26:27 +0000
Subject: [PATCH] ytdl_hook: move url_is_safe earlier in code
lua isn't javascript.
---
 player/lua/ytdl_hook.lua | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
index b480c21625..458c94af38 100644
--- a/player/lua/ytdl_hook.lua
+++ b/player/lua/ytdl_hook.lua
@@ -84,6 +84,15 @@ local function edl_escape(url)
 return "%" .. string.len(url) .. "%" .. url
 end
+local function url_is_safe(url)
+ local proto = type(url) == "string" and url:match("^(.+)://") or nil
+ local safe = proto and safe_protos[proto]
+ if not safe then
+ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
+ end
+ return safe
+end
+
 local function time_to_secs(time_string)
 local ret
@@ -223,15 +232,6 @@ local function proto_is_dash(json)
 or json["protocol"] == "http_dash_segments"
 end
-local function url_is_safe(url)
- local proto = type(url) == "string" and url:match("^(.+)://") or nil
- local safe = proto and safe_protos[proto]
- if not safe then
- msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
- end
- return safe
-end
-
 local function add_single_video(json)
 local streamurl = ""
 local max_bitrate = 0
--
2.16.1
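Review bot: The scheme capture in the relocated `url_is_safe`, `url:match("^(.+)://")`, is greedy, so a URL that carries a second `://` further along (for example inside a query parameter) yields a "protocol" running up to the last `://` and is rejected even when its real scheme is on the allow-list. That fails closed, but anchoring the capture to scheme characters keeps the `safe_protos` lookup exact: `local proto = type(url) == "string" and url:match("^(%a[%w+.-]*)://") or nil`. The rejection path also formats `url` with `%s` right after the function has allowed for non-string values, which raises under PUC Lua 5.1 instead of logging, so `:format(tostring(url))` is the safer form. Since this commit exists because a `local function` is not visible above its definition, it is worth confirming that `safe_protos` is likewise declared above the new position (its declaration is not in the hunk) and adding a comment such as `-- keep above every caller: Lua locals are not visible before their declaration`.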