Description
The recent commits e6e6b0d, f8263e8 and ce42a96 fix an issue whereby mpv could be convinced to play a "non-safe" URL from a remote source.
Reproduction steps
An attacker has the victim play an HTTP(S) URL:
$ mpv https://example.org/play.flv
The URL gets processed by the ytdl_hook script.
youtube-dl attempts to extract videos from the URL by contacting the HTTP server, which responds with something like the following (served with the text/html MIME type):
<html>
<head>
</head>
<body>
<video>
<source src="av://lavfi:ladspa=file=/home/user/Downloads/libevil.so"></source>
</video>
</body>
</html>
As youtube-dl does not perform any validation on the extracted URLs for <video> tags, the av://lavfi URL gets passed back to the hook script.
Note that there are likely many ways in which youtube-dl can return "bad" URLs.
The hook script then passes the extracted URL to mpv, which does not apply the usual safe-protocol-only checks.
As shown in the example above, this URL can be used, for instance, to dlopen() arbitrary files on the filesystem using the ffmpeg lavfi ladspa plugin.