Commit graph

11611 commits

Author SHA1 Message Date
Damien Elmes
1b882285a5 Treat play_file() and co as internal routines without protection (#4059)
* Treat play_file() and co as internal routines without protection

Our code and add-ons need a way to play audio from arbitrary locations. I propose we treat the _tag API as suitable for user input, and the _file API for internal use.

* Mention basename in the *_file() paths

(cherry picked from commit 50b7588231)
2025-06-06 13:23:17 +07:00
Damien Elmes
98253c81cb Bump version 2025-06-04 18:37:18 +07:00
Ren Tatsumoto
5c7eb723b3 Restore ability for add-ons to provide full paths to media (#4054)
* fix #4053

* check if file exists

AJT Japanese needs to play files stored in all possible locations on disk

* check absolute path

* add comment

* check if passed name is basename

* Add a security note to reduce the chance of a regression

* Tweak comment in the non-add-on case

(cherry picked from commit 3ab8c2294d)
2025-06-04 18:33:12 +07:00
Ren Tatsumoto
b5d23f7c0e trim file to basename before creating SoundOrVideoTag (#4057)
* trim file to basename before creating SoundOrVideoTag

* add import

(cherry picked from commit 29e3146e1f)
2025-06-04 18:33:05 +07:00
Damien Elmes
afb3eb7fd8 Restore cert error check
https://forums.ankiweb.net/t/bug-unknown-error-on-startup-anki-25-02/61232/3
(cherry picked from commit 37984233cc)
2025-06-04 16:58:23 +07:00
Damien Elmes
6381f1845f Bump version 2025-06-01 14:10:51 +07:00
Damien Elmes
711db1ee0c Fix mpv being left around on abrupt termination (#4042)
Closes #4015

(cherry picked from commit f81a9bfdfb)
2025-06-01 14:10:28 +07:00
Damien Elmes
f3acf5fe59 Ensure media files are passed relative to the media folder (#4041)
We were (partially) doing this for MpvManager, but not for
Windows' SimpleMpvPlayer. By passing a media file starting
with a special scheme, a malicious actor could have caused a file to
be written to the filesystem on Windows.

Thanks once again to Michael Lappas for the report.

(cherry picked from commit 96ff27d1fb)
2025-06-01 14:10:23 +07:00
Damien Elmes
229819236d Use more secure API key
https://github.com/ankitects/anki/pull/3925#discussion_r2051494659
(cherry picked from commit 757247d424)
2025-06-01 14:10:18 +07:00
Damien Elmes
b02274c255 Bump flask-cors for latest CVEs
(cherry picked from commit 7b4a7dcf18)
2025-06-01 14:06:46 +07:00
Damien Elmes
29192d156a Skip ytdl flag on macOS ARM
Fixes sounds failing to play in the packaged build on macOS.

(cherry picked from commit d3d6bd8ce0)
2025-05-15 19:04:39 +10:00
Damien Elmes
7779fb06fc Bump version 2025-05-15 16:58:12 +10:00
Damien Elmes
6213c9b6f9 Disable YouTube DL in mpv
mpv looks for ytdl on the path, which includes the CWD on Windows.
A malicious shared deck could place an executable called yt-dlp.exe in the
media folder, which mpv would then helpfully invoke the first time
a YouTube link was encountered.

A big thank you to Michael Lappas for the report.

(cherry picked from commit 5080451829)
2025-05-15 16:57:38 +10:00
Adnane Taghi
f161c9ce01 Make URL schemes dialog more ergonomic (#4002)
(originally merged into a PR branch)

* Make URL schemes dialog more ergonomic

* add name to contributors list

* Title Case

* Tweak build instructions so Cursor picks them up

* Use a warning icon for the URL scheme pop-up

* Default to cancelling

(cherry picked from commit f96c8c2ac8)
2025-05-15 16:57:09 +10:00
Damien Elmes
172a4e9863 Add URL scheme whitelist (#3994)
* Add experimental Cursor rules

* Add the ability to customize URL schemes

Closes #3965

(cherry picked from commit 86c89907e7)
2025-05-15 16:56:20 +10:00
Kolby Moroz Liebl
f974c61fa3 Fix dockerimage, by bumping rust version (#3993)
(cherry picked from commit 6427ff3db5)
2025-05-15 16:54:57 +10:00
Damien Elmes
a5c33ad07d Bump version 2025-04-24 15:45:33 +10:00
Aristotelis
9387a85f02 Add add-on scripts to editor CSP (#3942)
(cherry picked from commit 79b19a17a3)
2025-04-24 15:30:45 +10:00
Damien Elmes
9cfd8af34e Fix add-on buttons not working in the editor (#3941)
* Fix add-on buttons not working in the editor

* Ensure old listeners are cleaned up

Thanks to iamllama: https://github.com/ankitects/anki/pull/3941#discussion_r2057066283

(cherry picked from commit 1e74e8e86e)
2025-04-24 15:30:41 +10:00
Damien Elmes
e249b92e48 Bump version again 2025-04-23 17:57:28 +10:00
Damien Elmes
9fc1bc86aa Declare dependency on typing_extensions
venv as things like black depended on it. When running in a packaged
build, it wasn't being included, and Anki was failing to start.

I've added it to the anki module instead of aqt, even though only
the latter is currently using it, so that we don't accidentally introduce
the same bug in the future when using typing_extensions from within
libanki.

(cherry picked from commit 72abb7ec5b)
2025-04-23 17:57:28 +10:00
Damien Elmes
cf97c925e2 Don't check collection size on sync to third-party server
Closes #3936

(cherry picked from commit dd0abfc200)
2025-04-23 17:26:15 +10:00
Damien Elmes
25d5cc5508 Bump version 2025-04-23 16:23:56 +10:00
Damien Elmes
bfc87c0427 Use CSP to block inline JS content in editor (#3939)
* Revert "Sanitize field content in editor"

This reverts commit 1c156905f8.

* Use CSP to block inline JS content in editor

This blocks inline scripts, scripts in the media folder, and
handlers like onclick in the editor. This is nicer than the previous
solution - it doesn't make any permanent changes, and leaves other
content like SVGs alone. Thanks to Nil Admirari for the suggestion.

(cherry picked from commit ddb8573e8d)
2025-04-23 16:23:18 +10:00
Aristotelis
e9dfb7a13d Fix AnkiWebPage not being initialized for default web view kinds (e.g. in add-ons) (#3933)
* add AnkiWebView subclasses for stats, empty cards and find dupes ui

* update ui files to use subclassed webviews instead

* remove superfluous calls to AnkiWebView.set_kind

* Avoid set_kind() race condition in legacy stats webview

Replacing the web view is a hacky workaround, but likely a reasonable compromise for a legacy view that we do not want to maintain a separate Qt form for.

* Slightly refactor AnkiWebView subclass creation and tweak inline comment

+ Extend create_ankiwebview_subclass() with the ability to set any
  init time AnkiWebView argument
+ Introduce some nice-to-haves in terms of static type checking support
  and IDE autocompletion
+ Mark helper function as private to discourage add-on use

* Drop `AnkiWebView.set_kind` completely

There no longer is an Anki-internal use case for changing the web view kind after initializing a web view, and add-ons almost certainly do not have any use for it either.

Given that setting the kind after web view construction can lead to known race conditions with `domDone` signals, we should remove this method to discourage uses like this in both Anki code and add-on consumers.

There currently only seems to be one add-on calling `set_kind()`, so this seems like a justifiable API change.

---------

Co-authored-by: llama <100429699+iamllama@users.noreply.github.com>
(cherry picked from commit 5b0f371791)
2025-04-23 16:23:02 +10:00
llama
fa1d6eae84 Fix flashing when opening the stats, empty cards or find dupes dialogs (#3928)
* add AnkiWebView subclasses for stats, empty cards and find dupes ui

* update ui files to use subclassed webviews instead

* remove superfluous calls to AnkiWebView.set_kind

* revert impl

* set page background colour after setPage in AnkiWebView.set_kind

(cherry picked from commit a74fd74631)
2025-04-18 00:10:14 +10:00
Damien Elmes
234fa0c2f4 Latest Rust CVEs
(cherry picked from commit 475fdf04a4)
2025-04-17 11:47:23 +10:00
Damien Elmes
f1b67a2005 Update tokio, crossbeam-channel and cargo-deny
(cherry picked from commit ffbc9a77b7)
2025-04-17 11:46:57 +10:00
Damien Elmes
fa3caa472e Silence a warning about ring
https://github.com/ankitects/anki/issues/3081
(cherry picked from commit b75f2798e6)
2025-04-17 11:46:52 +10:00
Damien Elmes
8d9c8c91b5 Check collection size when syncing
Currently we only check the size on a one-way sync, allowing users
to bypass the limits by incrementally syncing a lot of material.
To prevent this:

- The server now checks if the collection is already oversize,
and forces a one-way sync if it is
- The client checks if the local collection is oversize and refuses
to proceed, so they don't waste time uploading material that will
likely trigger the limit the next time they sync.

(cherry picked from commit 9b5da546be)
2025-04-17 11:42:54 +10:00
Damien Elmes
218757ca46 Update to Rust 1.85
Edition update to follow later

(cherry picked from commit 2727cf39b2)
2025-04-17 11:41:33 +10:00
Damien Elmes
832a1c2c3e Update n2 [action required]
Make sure to run tools/install-n2 after updating to this commit.
n2 have merged in some changes we were previously hosting in a fork,
but the parsing of the flags was altered.

(cherry picked from commit 8e13e6bfc1)
2025-04-17 11:41:11 +10:00
Damien Elmes
670c098af2 Update n2
The flickering on Windows has been improved

(cherry picked from commit 7f8420255d)
2025-04-17 11:40:48 +10:00
Damien Elmes
3f9f3b248e Avoid sending API key for remote resources
Thanks to Abdo for the report

(cherry picked from commit fbb4cf6124)
2025-04-17 11:19:17 +10:00
Damien Elmes
097f9bd138 Add some missed pages/endpoints (thanks to iamllama)
(cherry picked from commit b02111bb2c)
2025-04-17 11:19:11 +10:00
Aristotelis P
269fb073e9 Inject bridge script when profile set-up skipped
Some add-ons fully override AnkiWebPage.__init__ and thus depend on _setupBridge injecting the JS bridge script.

With this change we account for these cases, while giving add-ons the opportunity to look for solutions that do not require overriding AnkiWebPage.__init__ completely.

(cherry picked from commit 2a97b135ee)
2025-04-17 11:19:07 +10:00
Aristotelis P
0467f717ad Provide AnkiWebPage init defaults for existing add-on callers
(cherry picked from commit fd2c95a83e)
2025-04-17 11:18:59 +10:00
Damien Elmes
2fc6b72460 Require an auth token for API access
We were previously inspecting the referrer, but that is spoofable,
and doesn't guard against other processes on the machine.

To accomplish this, we use a request interceptor to automatically
add an auth token to webviews with the right context. Some related
changes were required:

- We avoid storing _page, which was leading to leaks & warnings on exit
- At webview creation (or set_kind() invocation), we assign either
an authenticated or unauthenticated web profile.
- Some of our screens initialize the AnkiWebView when calling, e.g.,
aqt.forms.stats.Ui_Dialog(). They then immediately call .set_kind().
This reveals a race condition in our DOM handling code: the webview
initialization creates an empty page with the injected script, which
causes a domDone signal to be sent back. This signal arrives after
we've created another page with .set_kind(), causing our code to think
the DOM is ready when it's not. Then when we try to inject the dynamic
styling, we get an error, as the DOM is not ready yet. In the absence
of better solutions, I've added a hack to set_kind() to deal with this
for now.

(cherry picked from commit 24bca15fd3)
2025-04-17 11:17:47 +10:00
Damien Elmes
82f3778340 Sanitize field content in editor
The editor already strips script tags from fields, but was allowing
through JavaScript in things like onclick handlers. We block this now,
as the editor context has access to internal APIs that we don't want to
expose to untrusted third-party code.

(cherry picked from commit 1c156905f8)
2025-04-17 11:16:57 +10:00
Damien Elmes
4bb1698b75 Bump version 2025-04-17 11:16:26 +10:00
Damien Elmes
038d85b1d9 Further tweaks to easy days
The previous commit added word-wrap, but it was not working after I'd
removed some other tweaks I'd made in testing, that I thought were not
required. I ended up switching to standard table columns and a fixed
layout, so that both the column and row headers will wrap properly.
2025-02-11 17:04:58 +07:00
Damien Elmes
348822a14b Quick hack to improve minimum deck options width
Partial fix for #3796
2025-02-11 16:11:43 +07:00
Jarrett Ye
0d9a11c19b Add margin to the bottom of forgetting curve (#3805) 2025-02-11 15:46:36 +07:00
GithubAnon0000
44e01ea063 Update reviewer.py to prevent custom scheduler js from commenting out py code (#3795)
* Update reviewer.py to prevent custom scheduler js from commenting out py code

* Do not use custom code, but move {js} instead
2025-02-09 16:06:49 +03:00
llama
01c4b48c7d only change notetype/deck when reopening if no changes to discard (#3798) 2025-02-09 15:58:21 +03:00
Luc Mcgrady
dda5973fdc Remove forgetting curve radio buttons when only one radio button (#3804) 2025-02-09 15:53:05 +03:00
Damien Elmes
acaeee91fa Bump version 2025-02-06 22:59:27 +07:00
Damien Elmes
20561414b2 Update translations 2025-02-06 22:59:19 +07:00
llama
da8c0f0e9b clear io image field when resetting in add mode (#3794) 2025-02-06 22:58:49 +07:00
Damien Elmes
f893ec63af Prompt user to apply Windows updates when SSL connection fails
See #3793
2025-02-06 22:57:15 +07:00