Restore ability for add-ons to provide full paths to media (#4054)

* fix #4053

* check if file exist

AJT Japanese needs to play files stored in all possible locations on disk

* check absolute path

* add comment

* check if passed name is basename

* Add a security note to reduce the chance of a regression

* Tweak comment in the non-add-on case

(cherry picked from commit 3ab8c2294d)

pylib/anki/sound.py

@@ -38,16 +38,29 @@ class SoundOrVideoTag:
     """Contains the filename inside a [sound:...] tag.
 
     Video files also use [sound:...].
+
+    SECURITY: We should only ever construct this with basename(filename),
+    as passing arbitrary paths to mpv from a shared deck is a security issue.
+
+    Anki add-ons can supply an absolute file path to play any file on disk
+    using the built-in media player.
     """
 
     filename: str
 
     def path(self, media_folder: str) -> str:
         "Prepend the media folder to the filename."
-        # Ensure filename doesn't reference parent folder
-        filename = os.path.basename(self.filename)
-        filename = hooks.media_file_filter(filename)
-        return os.path.join(media_folder, filename)
+        if os.path.basename(self.filename) == self.filename:
+            # Path in the current collection's media folder.
+            # Turn it into a fully-qualified path so mpv can find it, and to
+            # ensure the filename doesn't get treated like a non-file scheme.
+            head, tail = media_folder, self.filename
+        else:
+            # Add-ons can use absolute paths to play arbitrary files on disk.
+            # Example: sound.av_player.play_tags([SoundOrVideoTag("/path/to/file")])
+            head, tail = os.path.split(os.path.abspath(self.filename))
+        tail = hooks.media_file_filter(tail)
+        return os.path.join(head, tail)
 
 
 # note this does not include image tags, which are handled with HTML.