diff --git a/CHANGELOG.md b/CHANGELOG.md
index a42db06..d9bb569 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,21 +6,24 @@ | Windows | MacOS | Linux | | :--- | :--- | :--- | -| **MSI (Recommended): [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Windows-x64.msi)**| **[Universal DMG](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-macOS.dmg)** | **AppImage:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-x86_64.AppImage) | -| | **[Universal ZIP](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-macOS.zip)** | **DEB:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-amd64.deb) | -| | | **RPM:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-x86_64.rpm) | -| | | **Flatpak:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-x86_64.flatpak) | -| | | **TAR (Generic Linux):** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-x86_64.tar.gz) | +| **MSI (Recommended): [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Windows-x64.msi)**| **[Universal DMG](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-macOS.dmg)** | **AppImage:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-x86_64.AppImage) | +| | **[Universal ZIP](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-macOS.zip)** | **DEB:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-amd64.deb) | +| | | **RPM:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-x86_64.rpm) | +| | | **Flatpak:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-x86_64.flatpak) | +| | | **TAR (Generic Linux):** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-x86_64.tar.gz) | > [!IMPORTANT] The 
`.asc` files are my normal GPG signatures which you can verify using my GPG Public Key: https://tuxedo.rosie.run/GPG/BurntToasters_0xF2FBC20F_public.asc. ⚠️ Arm64 Linux and Windows Binaries are *NOT* available at the moment. Its something I may get around to in the future but its not a priority. *This app is currently unstable. Bugs, issues, and rough edges are expected.* +## Changes in `v0.9.0-beta.3:` +* **Updater:** Addressed an issue where the security policies on URLs did not have the new github redirect cdn added. (Beta users on 0.9.0 Beta 1 and Beta 2 need to manually update; sorry! Good thing for betas amiright :P) + ## Changes in `v0.9.0-beta.2:` * **Linux:** Added AppImage and Flatpak support! Both are experimental until 0.9.0 is not in a beta. - * **AppImage:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-x86_64.AppImage) — portable, no installation needed. - * **Flatpak:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-x86_64.flatpak) — sandboxed package for app-store distributions (Flathub support planned). + * **AppImage:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-x86_64.AppImage) — portable, no installation needed. + * **Flatpak:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-x86_64.flatpak) — sandboxed package for app-store distributions (Flathub support planned). ## Changes in `v0.9.0-beta.1:` ### UI - Major UI Overhaul! diff --git a/flatpak/run.rosie.dacx.yaml b/flatpak/run.rosie.dacx.yaml index c2903ee..d40f5fd 100644 --- a/flatpak/run.rosie.dacx.yaml +++ b/flatpak/run.rosie.dacx.yaml @@ -1,4 +1,4 @@ -# x-version: 0.9.0-beta.2 +# x-version: 0.9.0-beta.3 app-id: run.rosie.dacx runtime: org.freedesktop.Platform runtime-version: "25.08" diff --git a/lib/services/self_update_service.dart b/lib/services/self_update_service.dart index 3efe132..dcd9db9 100644 
--- a/lib/services/self_update_service.dart
+++ b/lib/services/self_update_service.dart
@@ -192,7 +192,14 @@ class SelfUpdateService {
 static bool isAllowedDownloadUrl(String url) {
 final uri = Uri.tryParse(url);
 if (uri == null || uri.scheme != 'https' || uri.host.isEmpty) return false;
- return _allowedHosts.contains(uri.host.toLowerCase());
+ return _isAllowedHost(uri.host);
+ }
+
+ static bool _isAllowedHost(String host) {
+ final h = host.toLowerCase();
+ if (_allowedHosts.contains(h)) return true;
+ // GitHub serves release-asset downloads from rotating *.githubusercontent.com
+ return h == 'githubusercontent.com' || h.endsWith('.githubusercontent.com');
 }

 static bool _isRedirectStatus(int statusCode) =>
diff --git a/lib/services/update_service.dart b/lib/services/update_service.dart
index 3273bb8..98e1dea 100644
--- a/lib/services/update_service.dart
+++ b/lib/services/update_service.dart
@@ -370,7 +370,11 @@ class UpdateService {
 'rosie.run',
 'www.rosie.run',
 };
- return allowedHosts.contains(uri.host.toLowerCase());
+ final host = uri.host.toLowerCase();
+ if (allowedHosts.contains(host)) return true;
+ // GitHub serves release assets from rotating *.githubusercontent.com
+ return host == 'githubusercontent.com' ||
+ host.endsWith('.githubusercontent.com');
 }

 static List _numericParts(String version) {
diff --git a/linux/packaging/control.template b/linux/packaging/control.template
index 4c764b3..cc4b15a 100644
--- a/linux/packaging/control.template
+++ b/linux/packaging/control.template
@@ -1,5 +1,5 @@
 Package: dacx
-Version: 0.9.0~beta.2
+Version: 0.9.0~beta.3
 Section: sound
 Priority: optional
 Architecture: amd64
diff --git a/package-lock.json b/package-lock.json
index 4b24f35..2217373 100644
--- a/package-lock.json
+++ b/package-lock.json
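Review bot: The suffix match in `_isAllowedHost` admits every `*.githubusercontent.com` host, which includes `raw.githubusercontent.com` and `gist.githubusercontent.com` where any GitHub account can publish arbitrary bytes, so the download allow-list is now far wider than "GitHub's release-asset CDN". The test added in this same commit pins the host GitHub actually redirects to, so the check can be exact: `return h == 'release-assets.githubusercontent.com';` with a comment like `// GitHub redirects release-asset downloads here; keep the match exact so raw/gist subdomains are not accepted`, and any further asset host that shows up later goes into `_allowedHosts` rather than widening the pattern. The bare apex `githubusercontent.com` branch is never an asset host and can be dropped at the same time. How much this matters depends on where the download URL originates and whether the fetched asset's hash or signature is verified before it is installed, neither of which is visible in this hunk. `isAllowedDownloadUrl` and the enclosing class begin before the hunk.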
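Review bot: This copy of the host policy has the same over-reach as `SelfUpdateService._isAllowedHost`, accepting `raw.githubusercontent.com` and other user-content subdomains instead of only the release-asset CDN, and because it is a second hand-written copy the two updaters' rules can now drift independently. The simplest tightening is to add `'release-assets.githubusercontent.com',` to the `allowedHosts` set literal just above and delete the added `if`/`return` branch, so the set stays the single place the policy is expressed; failing that, `return host == 'release-assets.githubusercontent.com';` is the one-line exact form. If `UpdateService` can see the helper in `SelfUpdateService`, delegating to it would remove the duplication entirely, though the two classes' layering is not visible here. The enclosing method and the start of the `allowedHosts` literal lie before the hunk.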
@@ -1,12 +1,12 @@ { "name": "dacx", - "version": "0.9.0-beta.2", + "version": "0.9.0-beta.3", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "dacx", - "version": "0.9.0-beta.2", + "version": "0.9.0-beta.3", "license": "GPL-3.0-only", "devDependencies": { "cross-spawn": "^7.0.6", diff --git a/package.json b/package.json index f505ee8..47a5fe0 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "dacx", - "version": "0.9.0-beta.2", + "version": "0.9.0-beta.3", "private": true, "description": "Fast, lightweight cross-platform music and video player for Windows, macOS, and Linux.", "license": "GPL-3.0-only", diff --git a/pubspec.yaml b/pubspec.yaml index 0fa586e..e525f24 100644 --- a/pubspec.yaml +++ b/pubspec.yaml @@ -1,7 +1,7 @@ name: dacx description: "Quick, lightweight cross-platform media player." publish_to: 'none' -version: 0.9.0-beta.2+900 +version: 0.9.0-beta.3+900 environment: sdk: ^3.10.7 diff --git a/run.rosie.dacx.metainfo.xml b/run.rosie.dacx.metainfo.xml index b2a18d3..0980ffe 100644 --- a/run.rosie.dacx.metainfo.xml +++ b/run.rosie.dacx.metainfo.xml @@ -76,6 +76,7 @@ video/x-flv + diff --git a/test/services/self_update_orchestration_test.dart b/test/services/self_update_orchestration_test.dart index 8b355b1..7a0bd5c 100644 --- a/test/services/self_update_orchestration_test.dart +++ b/test/services/self_update_orchestration_test.dart @@ -24,6 +24,16 @@ void main() { ); }); + test('allows current GitHub release-assets CDN host', () { + // GitHub now redirects release-asset downloads to this host. + expect( + SelfUpdateService.isAllowedDownloadUrl( + 'https://release-assets.githubusercontent.com/github-production-release-asset/123/abc?sig=x', + ), + isTrue, + ); + }); + test('rejects non-HTTPS and unknown hosts', () { expect( SelfUpdateService.isAllowedDownloadUrl('http://github.com/x'), 
@@ -35,6 +45,22 @@ void main() {
 );
 expect(SelfUpdateService.isAllowedDownloadUrl('not-a-url'), isFalse);
 });
+
+ test('rejects look-alike hosts that only suffix-spoof githubusercontent', () {
+ // Must not match a domain that merely ends with the string without the dot.
+ expect(
+ SelfUpdateService.isAllowedDownloadUrl(
+ 'https://evilgithubusercontent.com/github-production-release-asset/x',
+ ),
+ isFalse,
+ );
+ expect(
+ SelfUpdateService.isAllowedDownloadUrl(
+ 'https://githubusercontent.com.evil.example/x',
+ ),
+ isFalse,
+ );
+ });
 });

 group('SelfUpdateService.hashFromWindowsManifest', () {
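Review bot: The new negative cases only cover string look-alikes of the suffix, while the policy under test also accepts every genuine GitHub subdomain, so a URL such as `https://raw.githubusercontent.com/anyuser/anyrepo/main/evil.msi` passes `isAllowedDownloadUrl` today and nothing in this group would flag it. Once the allow-list is narrowed to the host the earlier test pins (`release-assets.githubusercontent.com`), add that URL to this group with `isFalse` so the wildcard cannot be reintroduced unnoticed, and a bare `https://githubusercontent.com/x` deserves a third `isFalse` expectation for the same reason. The test description could then read `'rejects GitHub hosts that are not the release-asset CDN'` to match what it actually guards.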