Hi Reinhard,

Excerpts from Reinhard Tartler's message of June 3, 2018 10:48 pm:
> On Mon, Jul 31, 2017 at 1:48 AM Jonas Smedegaard <d...@jones.dk> wrote:
>> smplayer includes code in src/basegui.cpp to download and (I guess) execute javascript code for parsing youtube paths.
>>
>> The download URL is http://updates.smplayer.info/yt.js which is insecure and therefore I suspect easy to replace with evil code.
>
> Apparently, this was already fixed upstream quite some time ago in package version 17.11.2~ds0-1 without mentioning this in debian/changelog. I'm therefore closing this bug manually.

Sorry, but I don't see any such change, and it seems the problematic code is still there:

$ git grep updates.smplayer.info
src/links.h:#define URL_YT_CODE "http://updates.smplayer.info/yt.js"
src/links.h:#define URL_VERSION_INFO "http://updates.smplayer.info/version_info.ini"

$ grep -C5 URL_YT_CODE src/basegui.cpp
void BaseGui::YTUpdateScript() {
	static CodeDownloader * downloader = 0;
	if (!downloader) downloader = new CodeDownloader(this);
	downloader->saveAs(Paths::configPath() + "/yt.js");
	downloader->show();
	downloader->download(QUrl(URL_YT_CODE));
}
#endif // YT_USE_YTSIG
#endif //YOUTUBE_SUPPORT
void BaseGui::gotForbidden() {

Could you perhaps reference the git commit you believe fixed this?

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
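
The manual grep check in the message above, as a repeatable audit (an added example, not part of the original message and not smplayer code). It flags string macros holding plaintext http:// URLs and raises severity when such a macro is passed to a `download(` call and points at a script. The sample tree is constructed from the excerpts quoted above; the `CODE_EXTS` list and the "high"/"review" labels are assumptions of this sketch.

```python
import re

# Constructed sample input, built from the excerpts quoted in the message.
SAMPLE_TREE = {
    "src/links.h": (
        '#define URL_YT_CODE "http://updates.smplayer.info/yt.js"\n'
        '#define URL_VERSION_INFO "http://updates.smplayer.info/version_info.ini"\n'
    ),
    "src/basegui.cpp": (
        "void BaseGui::YTUpdateScript() {\n"
        "\tstatic CodeDownloader * downloader = 0;\n"
        "\tif (!downloader) downloader = new CodeDownloader(this);\n"
        '\tdownloader->saveAs(Paths::configPath() + "/yt.js");\n'
        "\tdownloader->show();\n"
        "\tdownloader->download(QUrl(URL_YT_CODE));\n"
        "}\n"
    ),
}

# String macros whose value is a plaintext (non-TLS) URL.
DEFINE_RE = re.compile(r'^\s*#\s*define\s+(\w+)\s+"(http://[^"]+)"', re.M)
# Assumption: extensions that mark a fetched resource as executable code.
CODE_EXTS = (".js", ".py", ".sh", ".lua")

def plaintext_url_macros(tree):
    """Map macro name -> (defining file, url) for every http:// string macro."""
    found = {}
    for path, text in tree.items():
        for name, url in DEFINE_RE.findall(text):
            found[name] = (path, url)
    return found

def audit(tree):
    """List each plaintext-URL macro, where it is fetched, and a severity."""
    findings = []
    for name, (def_file, url) in sorted(plaintext_url_macros(tree).items()):
        uses = []
        for path, text in tree.items():
            for lineno, line in enumerate(text.splitlines(), 1):
                if re.search(rf"\b{name}\b", line) and not DEFINE_RE.match(line):
                    uses.append((path, lineno, line.strip()))
        fetched = [u for u in uses if "download(" in u[2]]
        # Code fetched over plaintext HTTP can be replaced in transit.
        severity = "high" if fetched and url.lower().endswith(CODE_EXTS) else "review"
        findings.append({"macro": name, "url": url, "defined_in": def_file,
                         "fetched_at": fetched, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_TREE):
        print(f["severity"], f["macro"], f["url"], f["fetched_at"])
```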