# HG changeset patch # User reimar # Date 1367773353 0 # Node ID 5950fc0d4b53d4a512596b4b45f0e104bd7cb7c2 # Parent 47edff322a99cf4cf2ba61cff60c155c811ab66e Allow parsing arbitrary files as playlist only if explicitly enabled. diff -r 47edff322a99 -r 5950fc0d4b53 DOCS/man/en/mplayer.1 --- a/DOCS/man/en/mplayer.1 Sun May 05 17:02:31 2013 +0000 +++ b/DOCS/man/en/mplayer.1 Sun May 05 17:02:33 2013 +0000 @@ -1290,6 +1290,13 @@ FIXME: This needs to be clarified and documented thoroughly. . .TP +.B \-allow-dangerous-playlist-parsing +This enables parsing any file as a playlist if e.g. a server advertises +a file as playlist. +Only enable if you know all servers involved are trustworthy. +MPlayer's playlist code is not designed to handle malicious playlist files. +. +.TP .B \-rtc\-device Use the specified device for RTC timing. . diff -r 47edff322a99 -r 5950fc0d4b53 cfg-mplayer.h --- a/cfg-mplayer.h Sun May 05 17:02:31 2013 +0000 +++ b/cfg-mplayer.h Sun May 05 17:02:33 2013 +0000 @@ -307,6 +307,8 @@ {"noloop", &mpctx_s.loop_times, CONF_TYPE_FLAG, 0, 0, -1, NULL}, {"loop", &mpctx_s.loop_times, CONF_TYPE_INT, CONF_RANGE, -1, 10000, NULL}, + {"allow-dangerous-playlist-parsing", &allow_playlist_parsing, CONF_TYPE_FLAG, 0, 0, 1, NULL}, + {"noallow-dangerous-playlist-parsing", &allow_playlist_parsing, CONF_TYPE_FLAG, 0, 1, 0, NULL}, {"playlist", NULL, CONF_TYPE_STRING, CONF_NOCFG, 0, 0, NULL}, {"shuffle", NULL, CONF_TYPE_FLAG, CONF_NOCFG, 0, 0, NULL}, {"noshuffle", NULL, CONF_TYPE_FLAG, CONF_NOCFG, 0, 0, NULL}, diff -r 47edff322a99 -r 5950fc0d4b53 mplayer.c --- a/mplayer.c Sun May 05 17:02:31 2013 +0000 +++ b/mplayer.c Sun May 05 17:02:33 2013 +0000 @@ -330,6 +330,8 @@ static int crash_debug; #endif +static int allow_playlist_parsing; + /* This header requires all the global variable declarations. */ #include "cfg-mplayer.h" @@ -3245,8 +3247,12 @@ current_module = "handle_playlist"; mp_msg(MSGT_CPLAYER, MSGL_V, "Parsing playlist %s...\n", filename_recode(filename)); - entry = parse_playtree(mpctx->stream, use_gui); - mpctx->eof = playtree_add_playlist(entry); + if (allow_playlist_parsing) { + entry = parse_playtree(mpctx->stream, use_gui); + mpctx->eof = playtree_add_playlist(entry); + } else { + mp_msg(MSGT_CPLAYER, MSGL_ERR, "Playlist parsing disabled for security reasons. Ignoring file.\n"); + } goto goto_next_file; } mpctx->stream->start_pos += seek_to_byte;