From 5c7eb723b31cc51610dd4be97a769b7c0f99aed3 Mon Sep 17 00:00:00 2001
From: Ren Tatsumoto <tatsu@autistici.org>
Date: Wed, 4 Jun 2025 11:11:37 +0000
Subject: [PATCH] Restore ability for add-ons to provide full paths to media
 (#4054)

* fix #4053

* check if file exist

AJT Japanese needs to play files stored in all possible locations on disk

* check absolute path

* add comment

* check if passed name is basename

* Add a security note to reduce the chance of a regression

* Tweak comment in the non-add-on case

(cherry picked from commit 3ab8c2294de5d0bf7b46484f450cae914a16dca3)
---
 pylib/anki/sound.py | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/pylib/anki/sound.py b/pylib/anki/sound.py
index 4696fa72a..3af584dae 100644
--- a/pylib/anki/sound.py
+++ b/pylib/anki/sound.py
@@ -38,16 +38,29 @@ class SoundOrVideoTag:
     """Contains the filename inside a [sound:...] tag.
 
     Video files also use [sound:...].
+
+    SECURITY: We should only ever construct this with basename(filename),
+    as passing arbitrary paths to mpv from a shared deck is a security issue.
+
+    Anki add-ons can supply an absolute file path to play any file on disk
+    using the built-in media player.
     """
 
     filename: str
 
     def path(self, media_folder: str) -> str:
         "Prepend the media folder to the filename."
-        # Ensure filename doesn't reference parent folder
-        filename = os.path.basename(self.filename)
-        filename = hooks.media_file_filter(filename)
-        return os.path.join(media_folder, filename)
+        if os.path.basename(self.filename) == self.filename:
+            # Path in the current collection's media folder.
+            # Turn it into a fully-qualified path so mpv can find it, and to
+            # ensure the filename doesn't get treated like a non-file scheme.
+            head, tail = media_folder, self.filename
+        else:
+            # Add-ons can use absolute paths to play arbitrary files on disk.
+            # Example: sound.av_player.play_tags([SoundOrVideoTag("/path/to/file")])
+            head, tail = os.path.split(os.path.abspath(self.filename))
+        tail = hooks.media_file_filter(tail)
+        return os.path.join(head, tail)
 
 
 # note this does not include image tags, which are handled with HTML.