From 9b5672ebedf22e1c0d3ba81791c64087e369ee02 Mon Sep 17 00:00:00 2001 From: Leo Izen Date: Sun, 15 Nov 2020 22:06:59 -0500 Subject: manpage: document improved --playlist security Recent versions of mpv have applied security checks to --playlist that previously only existed if playlist files were played as an input directly. This commit documents this change and how to work around it, in the event that playlist files are trusted. --- DOCS/man/options.rst | 46 ++++++++++++++++++++++++++++------------------ stream/stream.c | 3 +-- 2 files changed, 29 insertions(+), 20 deletions(-) diff --git a/DOCS/man/options.rst b/DOCS/man/options.rst index 94b9d2f778..8b437bdfa8 100644 --- a/DOCS/man/options.rst +++ b/DOCS/man/options.rst @@ -236,27 +236,40 @@ Playback Control The value ``no`` is a deprecated alias for ``auto``. ``--playlist=`` - Play files according to a playlist file (Supports some common formats. If + Play files according to a playlist file. Supports some common formats. If no format is detected, it will be treated as list of files, separated by - newline characters. Note that XML playlist formats are not supported.) + newline characters. You may need this option to load plaintext files as + a playlist. Note that XML playlist formats are not supported. - You can play playlists directly and without this option, however, this - option disables any security mechanisms that might be in place. You may - also need this option to load plaintext files as playlist. + This option forces ``--demuxer=playlist`` to interpret the playlist file. + Some playlist formats, notably CUE and optical disc formats, need to use + different demuxers and will not work with this option. They still can be + played directly, without using this option. + + You can play playlists directly, without this option. Before mpv version + 0.31.0, this option disabled any security mechanisms that might be in + place, but since 0.31.0 it uses the same security mechanisms as playing a + playlist file directly. If you trust the playlist file, you can disable + any security checks with ``--load-unsafe-playlists``. Because playlists + can load other playlist entries, consider applying this option only to the + playlist itself and not its entries, using something along these lines: + + ``mpv --{ --playlist=filename --load-unsafe-playlists --}`` .. warning:: - The way mpv uses playlist files via ``--playlist`` is not safe against - maliciously constructed files. Such files may trigger harmful actions. - This has been the case for all mpv and MPlayer versions, but - unfortunately this fact was not well documented earlier, and some people - have even misguidedly recommended use of ``--playlist`` with untrusted - sources. Do NOT use ``--playlist`` with random internet sources or files - you do not trust! + The way older versions of mpv played playlist files via ``--playlist`` + was not safe against maliciously constructed files. Such files may + trigger harmful actions. This has been the case for all verions of + mpv prior to 0.31.0, and all MPlayer versions, but unfortunately this + fact was not well documented earlier, and some people have even + misguidedly recommended the use of ``--playlist`` with untrusted + sources. Do NOT use ``--playlist`` with random internet sources or + files you do not trust if you are not sure your mpv is at least 0.31.0. - Playlist can contain entries using other protocols, such as local files, - or (most severely), special protocols like ``avdevice://``, which are - inherently unsafe. + In particular, playlists can contain entries using protocols other than + local files, such as special protocols like ``avdevice://`` (which are + inherently unsafe). ``--chapter-merge-threshold=`` Threshold for merging almost consecutive ordered chapter parts in @@ -337,9 +350,6 @@ Playback Control location. (Instead, the behavior is as if the playlist entries were provided directly to mpv command line or ``loadfile`` command.) - Note that ``--playlist`` always loads all entries, so you use that instead - if you really have the need for this functionality. - ``--access-references=`` Follow any references in the file being opened (default: yes). Disabling this is helpful if the file is automatically scanned (e.g. thumbnail diff --git a/stream/stream.c b/stream/stream.c index f422c5d08d..116dcef4a4 100644 --- a/stream/stream.c +++ b/stream/stream.c @@ -441,8 +441,7 @@ int stream_create_with_args(struct stream_open_args *args, struct stream **ret) if (r == STREAM_UNSAFE) { mp_err(log, "\nRefusing to load potentially unsafe URL from a playlist.\n" - "Use --playlist=file or the --load-unsafe-playlists option to " - "load it anyway.\n\n"); + "Use the --load-unsafe-playlists option to load it anyway.\n\n"); } else if (r == STREAM_NO_MATCH || r == STREAM_UNSUPPORTED) { mp_err(log, "No protocol handler found to open URL %s\n", args->url); mp_err(log, "The protocol is either unsupported, or was disabled " -- cgit v1.2.3