It appears Lua's package paths try to load .lua files from the current working directory. Not only that, but also shared libraries.

WHAT THE FUCK IS WHOEVER IS RESPONSIBLE FOR THIS FUCKING DOING?

mpv isn't setting this package path; currently it's only extending it. In any sane world, this wouldn't be a default. Most programs use essentially random working directories and don't change it.

I cannot comprehend what bullshit about "convenience" or whatever made them do something this broken and dangerous. Thousands of programs using Lua out there will try to randomly load random code from random directories.

In mpv's case, this is so security relevant, because mpv is normally used from the command line, and you will most likely actually change into your media directory or whatever with the shell, and play a file from there. No, you don't want to load a (probably downloaded) shared library from this directory if a script tries to load a system lib with the same name or so.

I'm not sure why LUA_PATH_DEFAULT in luaconf.h (both upstream and the Debian version) put "./?.lua" at the end, but in any case, trying to load a module that doesn't exist nicely lists all package paths in order, and confirms it tries to load files from the working directory first (anyone can try this). Even if it didn't, this would be problematic at best.

Note that scripts are _not_ sandboxed. They're allowed to load system libraries, which is also why we want to keep the non-idiotic parts of the package paths.

Attempt to fix this by filtering out relative paths. This is a bit fragile and not very great for something security related, but probably the best we can do without having to make assumptions about the target system file system layout. Also, someone else can fix this for Windows.

Also replace ":" with ";" (for the extra path). On a side note, this extra path addition is just in this function out of laziness, since I'd rather not have 2 functions which edit the package path.

mpv in default configuration (i.e. no external scripts) is probably not affected. All builtin scripts only "require" preloaded modules, which, in a stroke of genius by the Lua developers, are highest priority in the load order. Otherwise, enjoy your semi-remote code execution bug.

Completely unrelated to this, I'm open for scripting languages and especially implementations which are all around better than Lua, and are suited for low footprint embedding.
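The relative-path filtering described in the commit message above, as an added example that is not mpv's actual patch. The function name `filter_lua_path` is hypothetical, the sample path is constructed, and "absolute" is assumed to mean a leading `/` (POSIX only).

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not mpv's code): copy only the absolute entries of a
 * ';'-separated Lua search path into out. Assumption: POSIX, so an absolute
 * template starts with '/'. Returns the number of entries kept, or -1 if
 * out is too small to hold the result. */
static int filter_lua_path(const char *path, char *out, size_t outsz)
{
    int kept = 0;
    size_t used = 0;

    if (outsz == 0)
        return -1;
    out[0] = '\0';

    while (*path) {
        size_t len = strcspn(path, ";");   /* length of the current entry */
        if (len > 0 && path[0] == '/') {   /* drops "./?.lua", "?.so", "" */
            size_t need = len + (kept ? 1 : 0);
            if (used + need + 1 > outsz)
                return -1;
            if (kept)
                out[used++] = ';';
            memcpy(out + used, path, len);
            used += len;
            out[used] = '\0';
            kept++;
        }
        path += len;
        if (*path == ';')
            path++;                        /* skip the separator */
    }
    return kept;
}

int main(void)
{
    /* Constructed sample modelled on a default package.path/cpath mix */
    const char *sample = "./?.lua;/usr/share/lua/5.2/?.lua;?.so;;"
                         "/usr/lib/lua/5.2/?.so";
    char buf[256];
    int n = filter_lua_path(sample, buf, sizeof(buf));
    printf("%d kept: %s\n", n, buf);
    return 0;
}
```

An embedder would apply such a filter to both `package.path` and `package.cpath` before running any script, since the commit message notes that shared libraries are searched the same way.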
README.md
mpv
- External links
- Overview
- System requirements
- Downloads
- Changelog
- Compilation
- Release cycle
- Bug reports
- Contributing
- License
- Contact
External links
Overview
mpv is a free (as in freedom) media player for the command line. It supports a wide variety of media file formats, audio and video codecs, and subtitle types.
There is a FAQ.
Releases can be found on the release list.
System requirements
- A not too ancient Linux, Windows 7 or later, or OSX 10.8 or later.
- A somewhat capable CPU. Hardware decoding might help if the CPU is too slow to decode video in realtime, but must be explicitly enabled with the --hwdec option.
- A not too crappy GPU. mpv's focus is not on power-efficient playback on embedded or integrated GPUs (for example, hardware decoding is not even enabled by default). Low power GPUs may cause issues like tearing, stutter, etc. The main video output uses shaders for video rendering and scaling, rather than GPU fixed function hardware. On Windows, you might want to make sure the graphics drivers are current. In some cases, ancient fallback video output methods can help (such as --vo=xv on Linux), but this use is not recommended or supported.
Downloads
For semi-official builds and third-party packages please see mpv.io/installation.
Changelog
There is no complete changelog; however, changes to the player core interface are listed in the interface changelog.
Changes to the C API are documented in the client API changelog.
The release list has a summary of most of the important changes on every release.
Changes to the default key bindings are indicated in restore-old-bindings.conf.
Compilation
Compiling with full features requires development files for several external libraries. Below is a list of some important requirements.
The mpv build system uses waf, but we don't store it in the repository. The ./bootstrap.py script will download the latest version of waf that was tested with the build system.
For a list of the available build options use ./waf configure --help. If you think you have support for some feature installed but configure fails to detect it, the file build/config.log may contain information about the reasons for the failure.
NOTE: To avoid cluttering the output with unreadable spam, --help only shows one of the two switches for each option. If the option is autodetected by default, the --disable-*** switch is printed; if the option is disabled by default, the --enable-*** switch is printed. Either way, you can use --enable-*** or --disable-*** regardless of what is printed by --help.
To build the software you can use ./waf build: the result of the compilation will be located in build/mpv. You can use ./waf install to install mpv to the prefix after it is compiled.
Example:
./bootstrap.py
./waf configure
./waf
./waf install
Essential dependencies (incomplete list):
- gcc or clang
- X development headers (xlib, xrandr, xext, xscrnsaver, xinerama, libvdpau, libGL, GLX, EGL, xv, ...)
- Audio output development headers (libasound/ALSA, pulseaudio)
- FFmpeg libraries (libavutil libavcodec libavformat libswscale libavfilter and either libswresample or libavresample)
- zlib
- iconv (normally provided by the system libc)
- libass (OSD, OSC, text subtitles)
- Lua (optional, required for the OSC pseudo-GUI and youtube-dl integration)
- libjpeg (optional, used for screenshots only)
- uchardet (optional, for subtitle charset detection)
- nvdec and vaapi libraries for hardware decoding on Linux (optional)
Libass dependencies (when building libass):
- gcc or clang, yasm on x86 and x86_64
- fribidi, freetype, fontconfig development headers (for libass)
- harfbuzz (optional, required for correct rendering of combining characters, particularly for correct rendering of non-English text on OSX, and Arabic/Indic scripts on any platform)
FFmpeg dependencies (when building FFmpeg):
- gcc or clang, yasm on x86 and x86_64
- OpenSSL or GnuTLS (have to be explicitly enabled when compiling FFmpeg)
- libx264/libmp3lame/libfdk-aac if you want to use encoding (have to be explicitly enabled when compiling FFmpeg)
- For native DASH playback, FFmpeg needs to be built with --enable-libxml2 (although there are security implications, and DASH support has lots of bugs).
- AV1 decoding support requires dav1d.
- For good nvidia support on Linux, make sure nv-codec-headers is installed and can be found by configure.
Most of the above libraries are available in suitable versions on normal Linux distributions. For ease of compiling the latest git master of everything, you may wish to use the separately available build wrapper (mpv-build) which first compiles FFmpeg libraries and libass, and then compiles the player statically linked against those.
If you want to build a Windows binary, you either have to use MSYS2 and MinGW, or cross-compile from Linux with MinGW. See Windows compilation.
Release cycle
Every other month, an arbitrary git snapshot is made, and is assigned a 0.X.0 version number. No further maintenance is done.
The goal of releases is to make Linux distributions happy. Linux distributions are also expected to apply their own patches in case of bugs and security issues.
Releases other than the latest release are unsupported and unmaintained.
See the release policy document for more information.
Bug reports
Please use the issue tracker provided by GitHub to send us bug reports or feature requests. Follow the template's instructions or the issue will likely be ignored or closed as invalid.
Using the bug tracker as a place for simple questions is fine, but IRC is recommended (see Contact below).
Contributing
Please read contribute.md.
For small changes you can just send us pull requests through GitHub. For bigger changes come and talk to us on IRC before you start working on them. It will make code review easier for both parties later on.
You can check the wiki or the issue tracker for ideas on what you could contribute with.
License
GPLv2 "or later" by default, LGPLv2.1 "or later" with --enable-lgpl.
See details.
History
This software is based on the MPlayer project. Before mpv existed as a project, the code base was briefly developed under the mplayer2 project. For details, see the FAQ.
Contact
Most activity happens on the IRC channel and the GitHub issue tracker.
- GitHub issue tracker: issue tracker (report bugs here)
- User IRC Channel: #mpv on irc.freenode.net
- Developer IRC Channel: #mpv-devel on irc.freenode.net