Add a security note to reduce the chance of a regression

2026-01-13 14:03:55 -05:00 · 2025-06-04 18:01:32 +07:00 · 2025-06-04 18:01:32 +07:00 · d930f51a8f
commit d930f51a8f
parent ba25b11e50
1 changed files with 3 additions and 0 deletions
--- a/pylib/anki/sound.py
+++ b/pylib/anki/sound.py
@ -38,6 +38,9 @@ class SoundOrVideoTag:

    Video files also use [sound:...].

+    SECURITY: We should only ever construct this with basename(filename),
+    as passing arbitrary paths to mpv from a shared deck is a security issue.
+
    Anki add-ons can supply an absolute file path to play any file on disk
    using the built-in media player.
    """