[MPlayer-cvslog] r36242 - in branches/1.1: . DOCS/man/en/mplayer.1 asxparser.c cfg-mplayer.h mplayer.c

reimar subversion at mplayerhq.hu
Sun May 5 19:18:01 CEST 2013 

Author: reimar
Date: Sun May  5 19:18:01 2013
New Revision: 36242

Log:
Merge playlist fixes.

These were revisions 36238, 36239, 36240 and 36241 from trunk.

Modified:
   branches/1.1/   (props changed)
   branches/1.1/DOCS/man/en/mplayer.1
   branches/1.1/asxparser.c
   branches/1.1/cfg-mplayer.h
   branches/1.1/mplayer.c

Modified: branches/1.1/DOCS/man/en/mplayer.1
==============================================================================
--- branches/1.1/DOCS/man/en/mplayer.1	Sun May  5 19:02:35 2013	(r36241)
+++ branches/1.1/DOCS/man/en/mplayer.1	Sun May  5 19:18:01 2013	(r36242)
@@ -1259,6 +1259,15 @@ Expand TEXT only if the property NAME is
 Play files according to a playlist file (ASX, Winamp, SMIL, or
 one-file-per-line format).
 .br
+.I WARNING:
+The way MPlayer parses and uses playlist files is not safe against
+maliciously constructed files.
+Such files may trigger harmful actions.
+This has been the case for all MPlayer versions, but unfortunately this
+fact was not well documented earlier, and some people have even misguidedly
+recommended use of -playlist with untrusted sources.
+Do NOT use -playlist with random internet sources or files you don't trust!
+.br
 .I NOTE:
 This option is considered an entry so options found after it will apply
 only to the elements of this playlist.
@@ -1266,6 +1275,13 @@ only to the elements of this playlist.
 FIXME: This needs to be clarified and documented thoroughly.
 .
 .TP
+.B \-allow-dangerous-playlist-parsing
+This enables parsing any file as a playlist if e.g. a server advertises
+a file as playlist.
+Only enable if you know all servers involved are trustworthy.
+MPlayer's playlist code is not designed to handle malicious playlist files.
+.
+.TP
 .B \-rtc\-device <device>
 Use the specified device for RTC timing.
 .

Modified: branches/1.1/asxparser.c
==============================================================================
--- branches/1.1/asxparser.c	Sun May  5 19:02:35 2013	(r36241)
+++ branches/1.1/asxparser.c	Sun May  5 19:18:01 2013	(r36242)
@@ -388,7 +388,7 @@ asx_get_element(ASX_Parser_t* parser,cha
 
 static void
 asx_parse_param(ASX_Parser_t* parser, char** attribs, play_tree_t* pt) {
-  char *name,*val;
+  char *name = NULL,*val = NULL;
 
   name = asx_get_attrib("NAME",attribs);
   if(!name) {
@@ -402,9 +402,11 @@ asx_parse_param(ASX_Parser_t* parser, ch
       mp_msg(MSGT_PLAYTREE,MSGL_WARN,"=%s\n",val);
     else
       mp_msg(MSGT_PLAYTREE,MSGL_WARN,"\n");
-    return;
+    goto err_out;
   }
-  play_tree_set_param(pt,name,val);
+  mp_msg(MSGT_PLAYTREE, MSGL_ERR, "Support for specifying parameters in playlists has been disabled.\n");
+//  play_tree_set_param(pt,name,val);
+err_out:
   free(name);
   free(val);
 }

Modified: branches/1.1/cfg-mplayer.h
==============================================================================
--- branches/1.1/cfg-mplayer.h	Sun May  5 19:02:35 2013	(r36241)
+++ branches/1.1/cfg-mplayer.h	Sun May  5 19:18:01 2013	(r36242)
@@ -306,6 +306,8 @@ const m_option_t mplayer_opts[]={
 
     {"noloop", &mpctx_s.loop_times, CONF_TYPE_FLAG, 0, 0, -1, NULL},
     {"loop", &mpctx_s.loop_times, CONF_TYPE_INT, CONF_RANGE, -1, 10000, NULL},
+    {"allow-dangerous-playlist-parsing", &allow_playlist_parsing, CONF_TYPE_FLAG, 0, 0, 1, NULL},
+    {"noallow-dangerous-playlist-parsing", &allow_playlist_parsing, CONF_TYPE_FLAG, 0, 1, 0, NULL},
     {"playlist", NULL, CONF_TYPE_STRING, CONF_NOCFG, 0, 0, NULL},
     {"shuffle", NULL, CONF_TYPE_FLAG, CONF_NOCFG, 0, 0, NULL},
     {"noshuffle", NULL, CONF_TYPE_FLAG, CONF_NOCFG, 0, 0, NULL},

Modified: branches/1.1/mplayer.c
==============================================================================
--- branches/1.1/mplayer.c	Sun May  5 19:02:35 2013	(r36241)
+++ branches/1.1/mplayer.c	Sun May  5 19:18:01 2013	(r36242)
@@ -328,6 +328,8 @@ static char *prog_path;
 static int crash_debug;
 #endif
 
+static int allow_playlist_parsing;
+
 /* This header requires all the global variable declarations. */
 #include "cfg-mplayer.h"
 
@@ -3234,8 +3236,12 @@ play_next_file:
         current_module = "handle_playlist";
         mp_msg(MSGT_CPLAYER, MSGL_V, "Parsing playlist %s...\n",
                filename_recode(filename));
-        entry      = parse_playtree(mpctx->stream, use_gui);
-        mpctx->eof = playtree_add_playlist(entry);
+        if (allow_playlist_parsing) {
+            entry      = parse_playtree(mpctx->stream, use_gui);
+            mpctx->eof = playtree_add_playlist(entry);
+        } else {
+            mp_msg(MSGT_CPLAYER, MSGL_ERR, "Playlist parsing disabled for security reasons. Ignoring file.\n");
+        }
         goto goto_next_file;
     }
     mpctx->stream->start_pos += seek_to_byte;

More information about the MPlayer-cvslog mailing list