Closed. Vendicated closed this issue 1 year ago.
I'm pretty sure this is fixed by validating URLs to make sure they're https. You should probably also remove the ability to pass custom flags, or at least heavily restrict it.
Related: #13
First of all, sorry for getting back to this only after 1.5 months and thank you so much for this issue. This is a serious oversight on my part and I will address it as soon as I can. I think I'll experiment with the native messaging protocol (which could incorporate quite a bit of the backend's functionality) and test it in the coming days, thank you again.
After much testing and pondering, I opted for explicit configuration of which protocols/URI schemes a player should handle (with strict validation), the defaults being only HTTP and HTTPS. This should reduce the damage as much as possible, but I still feel like such things are issues with the player more than with the protocol. We can only mitigate abuse, and the player is ultimately still able to execute code like the example you provided. That said, I am always open to suggestions and debate about things like these, so thank you for the report.
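An added example (not the project's own code) of the validation the fix above describes: the handler parses the `mpv:///open?url=...` request, accepts only a single `url` parameter, and hands the target to the player only if its scheme is on an allowlist that defaults to HTTP and HTTPS. Function names, the handler layout and the sample inputs are assumptions made for this example.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Allowlist of URI schemes the player may be handed (HTTP/HTTPS only by
# default, as in the fix described above). Schemes such as "av" or "lavfi"
# that would reach other mpv inputs are rejected simply by not being listed.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_allowed_target(target: str) -> bool:
    """Return True only for a fully qualified URL with an allowlisted scheme."""
    # Never let the query smuggle player options: anything that looks like a
    # command-line flag is rejected before it can reach the player.
    if target.startswith("-"):
        return False
    # Whitespace or control characters could split into extra arguments.
    if any(c.isspace() or ord(c) < 0x20 for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    # urlsplit lowercases the scheme, so "HTTPS://" is handled; a relative
    # path (no scheme) or a non-allowlisted scheme is rejected outright.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    return bool(parts.hostname)


def extract_target(handler_url: str) -> Optional[str]:
    """Parse an mpv:///open?url=... handler URL (hypothetical layout) and
    return the validated target URL, or None if the request must be dropped."""
    try:
        parts = urlsplit(handler_url)
    except ValueError:
        return None
    if parts.scheme != "mpv" or parts.path != "/open":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    # Strict: exactly one parameter, and it must be a single "url" value.
    # Any extra key (custom flags, duplicated url=) rejects the request.
    if set(params) != {"url"} or len(params["url"]) != 1:
        return None
    target = params["url"][0]  # parse_qs already percent-decodes the value
    return target if is_allowed_target(target) else None
```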
As part of the install process, you register the mpv:// protocol to open URLs in mpv. Using this feature, any site can run arbitrary .so files on your system.
This can be done via:
mpv:///open?url=${URLENCODE(av://lavfi:ladspa=file=/some/evil/so/here.so)}
See also https://github.com/mpv-player/mpv/issues/7985
Here's a demonstration:
https://user-images.githubusercontent.com/45497981/201778821-9330b6b4-5bac-4b2c-ab1c-e7c955bf2b01.mp4