Bug#870233: smplayer: executes javascript code downloaded from insecure URL
Reinhard Tartler
siretart at gmail.com
Thu Jun 7 22:45:12 BST 2018
Sorry, I messed up Ricardo's email address in my previous follow-up, so
his reply went to me only. I'm quoting his input with his permission:
> Older versions of SMPlayer downloaded a javascript function from
> http://updates.smplayer.info/yt.js in order to decrypt a signature,
> which is necessary to play some Youtube videos (mostly music
> videos). Newer versions don't do it anymore because now SMPlayer
> downloads the original function from a Youtube page. If you consider
> this to be also insecure, you can disable it by commenting the line
> DEFINES += YT_USE_SIG in smplayer.pro.
It seems that I confused the define YT_USE_SIG (which is still enabled)
with the define YT_USE_*YT*SIG (which is currently commented out in
smplayer.pro). My bad, sorry. I'll add a patch to the debian packaging that
disables that shortly.
I'm also happy to upload it as soon as I hear back from Mateusz regarding
my question(s) about mongoose.
Thanks everyone!
--
regards,
Reinhard