From 5858c274c84fe44ab9d0ba6f14665067c0efcc45 Mon Sep 17 00:00:00 2001
From: pax
Date: Sat, 11 Apr 2026 16:34:57 -0500
Subject: [PATCH] =?UTF-8?q?security:=20fix=20#2=20=E2=80=94=20set=20lavf?= =?UTF-8?q?=20options=20on=20=5FMpvGLWidget=20after=20construction?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Calls lavf_options() post mpv.MPV() init and writes each entry into the demuxer-lavf-o property. This is the consumer side of the split helpers introduced in the previous commit. Verified end-to-end by launching the GUI: mpv constructs cleanly and m['demuxer-lavf-o'] reads back as {'protocol_whitelist': 'file,http,https,tls,tcp'}.
Audit-Ref: SECURITY_AUDIT.md finding #2
Severity: High
---
 booru_viewer/gui/media/mpv_gl.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/booru_viewer/gui/media/mpv_gl.py b/booru_viewer/gui/media/mpv_gl.py
index 5d0bf26..e88be14 100644
--- a/booru_viewer/gui/media/mpv_gl.py
+++ b/booru_viewer/gui/media/mpv_gl.py
@@ -11,7 +11,7 @@ from PySide6.QtWidgets import QWidget, QVBoxLayout
 import mpv as mpvlib
-from ._mpv_options import build_mpv_kwargs
+from ._mpv_options import build_mpv_kwargs, lavf_options
 log = logging.getLogger(__name__)
@@ -42,11 +42,18 @@ class _MpvGLWidget(QWidget):
 # for the full rationale). Summary: Discord screen-share audio
 # fix via `ao=pulse`, fast-load vd-lavc options, network cache
 # tuning for the uncached-video fast path, and the SECURITY
- # hardening from audit #2 (ytdl=no, load_scripts=no,
- # demuxer_lavf_o protocol whitelist, POSIX input_conf null).
+ # hardening from audit #2 (ytdl=no, load_scripts=no, POSIX
+ # input_conf null).
 self._mpv = mpvlib.MPV(
 **build_mpv_kwargs(is_windows=sys.platform == "win32"),
 )
+ # The ffmpeg lavf demuxer protocol whitelist (also audit #2)
+ # has to be applied via the property API, not as an init
+ # kwarg — python-mpv's init path goes through
+ # mpv_set_option_string which trips on the comma-laden value.
+ # The property API uses the node API and accepts dict values.
+ for key, value in lavf_options().items():
+ self._mpv["demuxer-lavf-o"] = {key: value}
 # Wire up the GL surface's callbacks to us
 self._gl._owner = self
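Review bot: The added loop assigns a fresh one-entry dict to the whole `demuxer-lavf-o` property on every pass (`self._mpv["demuxer-lavf-o"] = {key: value}`), so if `lavf_options()` ever returns more than one key the earlier entries are probably overwritten and `protocol_whitelist` could be dropped without any error. Since the new comment says the property API accepts dict values, a single `self._mpv["demuxer-lavf-o"] = lavf_options()` states the intent and keeps every entry. Because this is the security control from audit #2, it is also worth reading the property back right after the assignment and raising if `protocol_whitelist` is missing, so the widget fails closed rather than running with an unrestricted demuxer. The enclosing method starts and ends outside this hunk, so this assumes nothing loads media before these lines run.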