From 5080451829505842b16d4a50f398ad44560a3e48 Mon Sep 17 00:00:00 2001
From: Damien Elmes
Date: Sat, 10 May 2025 18:38:58 +1000
Subject: [PATCH] Disable YouTube DL in mpv
mpv looks for ytdl on the path, which includes the CWD on Windows. A malicious shared deck could place an executable called yt-dlp.exe in the media folder, which mpv would then helpfully invoke the first time a YouTube link was encountered. A big thank you to Michael Lappas for the report.
---
 qt/aqt/mpv.py | 1 +
 qt/aqt/sound.py | 1 +
 2 files changed, 2 insertions(+)
diff --git a/qt/aqt/mpv.py b/qt/aqt/mpv.py
index 46d723766..ce0ba3da9 100644
--- a/qt/aqt/mpv.py
+++ b/qt/aqt/mpv.py
@@ -88,6 +88,7 @@ class MPVBase:
 "--keep-open=no",
 "--autoload-files=no",
 "--gapless-audio=no",
+ "--no-ytdl",
 ]
 if is_win:
diff --git a/qt/aqt/sound.py b/qt/aqt/sound.py
index 55e052e1d..11f957a84 100644
--- a/qt/aqt/sound.py
+++ b/qt/aqt/sound.py
@@ -394,6 +394,7 @@ class SimpleMpvPlayer(SimpleProcessPlayer, VideoPlayer):
 "--keep-open=no",
 "--input-media-keys=no",
 "--autoload-files=no",
+ "--no-ytdl",
 ]
 )
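Review bot: The added `"--no-ytdl",` entry in the MPVBase argument list has no comment, so nothing at the call site marks it as a security control rather than a playback preference; the identical addition in qt/aqt/sound.py has the same gap. I would put a line above it in both places, e.g. `# security: never let mpv spawn yt-dlp/youtube-dl; on Windows the lookup includes the CWD (media folder)`. The commit message attributes the problem to Windows searching the working directory for executables, and this change leaves that condition in place. It would be worth confirming that no other helper is resolved by bare name while the media folder is the CWD, which cannot be judged from these hunks. Both list literals begin above their hunks, so the remaining default arguments were not reviewed.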