mpv: 0.27.0 -> 0.27.2 closes FS#1588

mpv/.md5sum

@@ -1,2 +1 @@
-ab865014635762ab84a8e682ab9dedbe  09_ytdl-hook-whitelist-protocols.patch
-ec86f42b091d891f9a932de0f6e873ad  mpv-v0.27.0.tar.gz
+8cfb48e921e58c0d9d181d96d4809beb  mpv-v0.27.2.tar.gz

mpv/.signature

@@ -1,6 +1,5 @@
 untrusted comment: verify with /etc/ports/contrib.pub
-RWSagIOpLGJF3/8znsF9QZG+qu1DfjHvuZatuZzZTDt8Wna+swOMl79Mb4Kpz/9slTZo+HPEUn7I2pBOeNRwCqyYGEVq2JNMyw8=
-SHA256 (Pkgfile) = 68a6708f0901499c66f9bb8163dcbba9701296f61def56e2ba8242ae52659f56
+RWSagIOpLGJF3xXPXkv7MnjVpO3iJfGIuzsGv6/l3aMkGMaIYizrBP3+cIv87OAX06lCP0RPnS2oi4QGC4Uu1pY8HdMpBr+wXgI=
+SHA256 (Pkgfile) = 222c4702749f1c5471e52646c688b60f759c9f19d02cb52de2655f7c034c5481
 SHA256 (.footprint) = 3872a22695e9c213f10e0bd6c0ae8fb7c2bba5425dd68eb1ec02c9e0ba171d09
-SHA256 (mpv-v0.27.0.tar.gz) = 341d8bf18b75c1f78d5b681480b5b7f5c8b87d97a0d4f53a5648ede9c219a49c
-SHA256 (09_ytdl-hook-whitelist-protocols.patch) = 6f6bc517c3b1d72a070af64df14428aee76e6cd123b934721851649833061918
+SHA256 (mpv-v0.27.2.tar.gz) = 2ad104d83fd3b2b9457716615acad57e479fd1537b8fc5e37bfe9065359b50be

mpv/09_ytdl-hook-whitelist-protocols.patch

@@ -1,105 +0,0 @@
-Description: ytdl_hook: whitelist protocols from urls retrieved from youtube-dl
- This patch is a combination of these upstream commits:
- - e6e6b0dcc7e9 ("ytdl_hook: whitelist protocols from urls retrieved from
-   youtube-dl")
- - f8263e82cc74 ("ytdl_hook: move url_is_safe earlier in code")
- - ce42a965330d ("ytdl_hook: fix safe url checking with EDL urls")
- .
- jcowgill: backported to 0.27
- Fixes CVE-2018-6360
-Author: Ricardo Constantino <wiiaboo@gmail.com>
-Bug: https://github.com/mpv-player/mpv/issues/5456
-Bug-Debian: https://bugs.debian.org/888654
-Applied-Upstream: v0.29
----
-This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
-
---- a/player/lua/ytdl_hook.lua
-+++ b/player/lua/ytdl_hook.lua
-@@ -15,6 +15,18 @@ local ytdl = {
- 
- local chapter_list = {}
- 
-+function Set (t)
-+    local set = {}
-+    for _, v in pairs(t) do set[v] = true end
-+    return set
-+end
-+
-+local safe_protos = Set {
-+    "http", "https", "ftp", "ftps",
-+    "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte",
-+    "data"
-+}
-+
- local function exec(args)
-     local ret = utils.subprocess({args = args})
-     return ret.status, ret.stdout, ret
-@@ -71,6 +83,15 @@ local function edl_escape(url)
-     return "%" .. string.len(url) .. "%" .. url
- end
- 
-+local function url_is_safe(url)
-+    local proto = type(url) == "string" and url:match("^(.+)://") or nil
-+    local safe = proto and safe_protos[proto]
-+    if not safe then
-+        msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
-+    end
-+    return safe
-+end
-+
- local function time_to_secs(time_string)
-     local ret
- 
-@@ -182,6 +203,9 @@ local function edl_track_joined(fragment
- 
-     for i = offset, #fragments do
-         local fragment = fragments[i]
-+        if not url_is_safe(join_url(base, fragment)) then
-+            return nil
-+        end
-         table.insert(parts, edl_escape(join_url(base, fragment)))
-         if fragment.duration then
-             parts[#parts] =
-@@ -201,6 +225,9 @@ local function add_single_video(json)
-             edl_track = edl_track_joined(track.fragments,
-                 track.protocol, json.is_live,
-                 track.fragment_base_url)
-+            if not edl_track and not url_is_safe(track.url) then
-+                return
-+            end
-             if track.acodec and track.acodec ~= "none" then
-                 -- audio track
-                 mp.commandv("audio-add",
-@@ -217,6 +244,9 @@ local function add_single_video(json)
-         edl_track = edl_track_joined(json.fragments, json.protocol,
-             json.is_live, json.fragment_base_url)
- 
-+        if not edl_track and not url_is_safe(json.url) then
-+            return
-+        end
-         -- normal video or single track
-         streamurl = edl_track or json.url
-         set_http_headers(json.http_headers)
-@@ -408,6 +438,10 @@ mp.add_hook("on_load", 10, function ()
- 
-                 msg.debug("EDL: " .. playlist)
- 
-+                if not playlist then
-+                    return
-+                end
-+
-                 -- can't change the http headers for each entry, so use the 1st
-                 if json.entries[1] then
-                     set_http_headers(json.entries[1].http_headers)
-@@ -475,7 +509,9 @@ mp.add_hook("on_load", 10, function ()
-                         site = entry["webpage_url"]
-                     end
- 
--                    playlist = playlist .. "ytdl://" .. site .. "\n"
-+                    if url_is_safe(site) then
-+                        playlist = playlist .. "ytdl://" .. site .. "\n"
-+                    end
-                 end
- 
-                 mp.set_property("stream-open-filename", "memory://" .. playlist)

mpv/Pkgfile

@@ -5,10 +5,9 @@
 # Optional:    youtube-dl libquvi libdvdnav libbluray libcdio-paranoia libvdpau
 
 name=mpv
-version=0.27.0
-release=2
-source=(https://github.com/$name-player/$name/archive/v$version/$name-v$version.tar.gz \
-    09_ytdl-hook-whitelist-protocols.patch)
+version=0.27.2
+release=1
+source=(https://github.com/$name-player/$name/archive/v$version/$name-v$version.tar.gz)
 
 build() {
 	cd $name-$version
@@ -16,9 +15,6 @@ build() {
 	[ -e '/usr/lib/pkgconfig/libcdio_cdda.pc' ] && PKGMK_MPV+=' --enable-cdda'
 	[ -e '/usr/lib/pkgconfig/dvdnav.pc' ] && PKGMK_MPV+=' --enable-dvdread --enable-dvdnav'
 
-	# CVE-2018-6360 fix
-	patch -p1 -i $SRC/09_ytdl-hook-whitelist-protocols.patch
-
 	./bootstrap.py
 	./waf configure ${PKGMK_MPV} \
 		--prefix=/usr \