diff --git a/CHANGELOG.md b/CHANGELOG.md
index a42db06..d9bb569 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,21 +6,24 @@
|
Windows |
MacOS |
Linux |
| :--- | :--- | :--- |
-| **MSI (Recommended): [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Windows-x64.msi)**| **[Universal DMG](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-macOS.dmg)** | **AppImage:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-x86_64.AppImage) |
-| | **[Universal ZIP](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-macOS.zip)** | **DEB:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-amd64.deb) |
-| | | **RPM:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-x86_64.rpm) |
-| | | **Flatpak:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-x86_64.flatpak) |
-| | | **TAR (Generic Linux):** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-x86_64.tar.gz) |
+| **MSI (Recommended): [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Windows-x64.msi)**| **[Universal DMG](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-macOS.dmg)** | **AppImage:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-x86_64.AppImage) |
+| | **[Universal ZIP](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-macOS.zip)** | **DEB:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-amd64.deb) |
+| | | **RPM:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-x86_64.rpm) |
+| | | **Flatpak:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-x86_64.flatpak) |
+| | | **TAR (Generic Linux):** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-x86_64.tar.gz) |
> [!IMPORTANT]
The `.asc` files are my normal GPG signatures which you can verify using my GPG Public Key: https://tuxedo.rosie.run/GPG/BurntToasters_0xF2FBC20F_public.asc.
⚠️ Arm64 Linux and Windows Binaries are *NOT* available at the moment. Its something I may get around to in the future but its not a priority.
*This app is currently unstable. Bugs, issues, and rough edges are expected.*
+## Changes in `v0.9.0-beta.3:`
+* **Updater:** Addressed an issue where the security policies on URLs did not have the new github redirect cdn added. (Beta users on 0.9.0 Beta 1 and Beta 2 need to manually update; sorry! Good thing for betas amiright :P)
+
## Changes in `v0.9.0-beta.2:`
* **Linux:** Added AppImage and Flatpak support! Both are experimental until 0.9.0 is not in a beta.
- * **AppImage:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-x86_64.AppImage) — portable, no installation needed.
- * **Flatpak:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-x86_64.flatpak) — sandboxed package for app-store distributions (Flathub support planned).
+ * **AppImage:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-x86_64.AppImage) — portable, no installation needed.
+ * **Flatpak:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-x86_64.flatpak) — sandboxed package for app-store distributions (Flathub support planned).
## Changes in `v0.9.0-beta.1:`
### UI - Major UI Overhaul!
diff --git a/flatpak/run.rosie.dacx.yaml b/flatpak/run.rosie.dacx.yaml
index c2903ee..d40f5fd 100644
--- a/flatpak/run.rosie.dacx.yaml
+++ b/flatpak/run.rosie.dacx.yaml
@@ -1,4 +1,4 @@
-# x-version: 0.9.0-beta.2
+# x-version: 0.9.0-beta.3
app-id: run.rosie.dacx
runtime: org.freedesktop.Platform
runtime-version: "25.08"
diff --git a/lib/services/self_update_service.dart b/lib/services/self_update_service.dart
index 3efe132..dcd9db9 100644
--- a/lib/services/self_update_service.dart
+++ b/lib/services/self_update_service.dart
@@ -192,7 +192,14 @@ class SelfUpdateService {
static bool isAllowedDownloadUrl(String url) {
final uri = Uri.tryParse(url);
if (uri == null || uri.scheme != 'https' || uri.host.isEmpty) return false;
- return _allowedHosts.contains(uri.host.toLowerCase());
+ return _isAllowedHost(uri.host);
+ }
+
+ static bool _isAllowedHost(String host) {
+ final h = host.toLowerCase();
+ if (_allowedHosts.contains(h)) return true;
+ // GitHub serves release-asset downloads from rotating *.githubusercontent.com
+ return h == 'githubusercontent.com' || h.endsWith('.githubusercontent.com');
}
static bool _isRedirectStatus(int statusCode) =>
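Review bot: The suffix rule in `_isAllowedHost` accepts every `*.githubusercontent.com` host, and that namespace also covers hosts serving content any GitHub account can publish (for example `raw.githubusercontent.com` and `gist.githubusercontent.com`), so the allow-list no longer limits downloads to this project's release assets. If the CDN host name has to float, I would apply the wildcard only to redirect targets reached from an already-allowed release URL, and add a comment stating that authenticity rests on the hash or signature check rather than on the host. Otherwise, add the specific host to `_allowedHosts` (defined outside this hunk), e.g. `'release-assets.githubusercontent.com'`, and drop the `endsWith` branch. The bare apex case `h == 'githubusercontent.com'` does not look necessary for release assets and could be removed. The same suffix rule is added in the `lib/services/update_service.dart` hunk.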
diff --git a/lib/services/update_service.dart b/lib/services/update_service.dart
index 3273bb8..98e1dea 100644
--- a/lib/services/update_service.dart
+++ b/lib/services/update_service.dart
@@ -370,7 +370,11 @@ class UpdateService {
'rosie.run',
'www.rosie.run',
};
- return allowedHosts.contains(uri.host.toLowerCase());
+ final host = uri.host.toLowerCase();
+ if (allowedHosts.contains(host)) return true;
+ // GitHub serves release assets from rotating *.githubusercontent.com
+ return host == 'githubusercontent.com' ||
+ host.endsWith('.githubusercontent.com');
}
static List _numericParts(String version) {
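Review bot: These added lines repeat the host predicate that this commit also adds as `SelfUpdateService._isAllowedHost`, so the download-URL policy now lives in two places that must be edited together. The changelog entry for this release describes a host policy that was missing an entry, and two copies make that kind of drift more likely. I would expose one shared predicate and call it from both services, for instance `static bool isGithubCdnHost(String h) => h.endsWith('.githubusercontent.com');`, keeping each service's own explicit host set if the two are meant to differ. The enclosing function starts outside this hunk, so I cannot see whether it is also used for redirect targets.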
diff --git a/linux/packaging/control.template b/linux/packaging/control.template
index 4c764b3..cc4b15a 100644
--- a/linux/packaging/control.template
+++ b/linux/packaging/control.template
@@ -1,5 +1,5 @@
Package: dacx
-Version: 0.9.0~beta.2
+Version: 0.9.0~beta.3
Section: sound
Priority: optional
Architecture: amd64
diff --git a/package-lock.json b/package-lock.json
index 4b24f35..2217373 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
{
"name": "dacx",
- "version": "0.9.0-beta.2",
+ "version": "0.9.0-beta.3",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "dacx",
- "version": "0.9.0-beta.2",
+ "version": "0.9.0-beta.3",
"license": "GPL-3.0-only",
"devDependencies": {
"cross-spawn": "^7.0.6",
diff --git a/package.json b/package.json
index f505ee8..47a5fe0 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "dacx",
- "version": "0.9.0-beta.2",
+ "version": "0.9.0-beta.3",
"private": true,
"description": "Fast, lightweight cross-platform music and video player for Windows, macOS, and Linux.",
"license": "GPL-3.0-only",
diff --git a/pubspec.yaml b/pubspec.yaml
index 0fa586e..e525f24 100644
--- a/pubspec.yaml
+++ b/pubspec.yaml
@@ -1,7 +1,7 @@
name: dacx
description: "Quick, lightweight cross-platform media player."
publish_to: 'none'
-version: 0.9.0-beta.2+900
+version: 0.9.0-beta.3+900
environment:
sdk: ^3.10.7
diff --git a/run.rosie.dacx.metainfo.xml b/run.rosie.dacx.metainfo.xml
index b2a18d3..0980ffe 100644
--- a/run.rosie.dacx.metainfo.xml
+++ b/run.rosie.dacx.metainfo.xml
@@ -76,6 +76,7 @@
video/x-flv
+
diff --git a/test/services/self_update_orchestration_test.dart b/test/services/self_update_orchestration_test.dart
index 8b355b1..7a0bd5c 100644
--- a/test/services/self_update_orchestration_test.dart
+++ b/test/services/self_update_orchestration_test.dart
@@ -24,6 +24,16 @@ void main() {
);
});
+ test('allows current GitHub release-assets CDN host', () {
+ // GitHub now redirects release-asset downloads to this host.
+ expect(
+ SelfUpdateService.isAllowedDownloadUrl(
+ 'https://release-assets.githubusercontent.com/github-production-release-asset/123/abc?sig=x',
+ ),
+ isTrue,
+ );
+ });
+
test('rejects non-HTTPS and unknown hosts', () {
expect(
SelfUpdateService.isAllowedDownloadUrl('http://github.com/x'),
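Review bot: The new tests exercise only `SelfUpdateService.isAllowedDownloadUrl`; the equivalent check added to `UpdateService` in this commit has no test in the visible hunks, so a regression in that copy would go unnoticed. I would mirror the allow case here and the look-alike cases in the `@@ -35,6 +45,22 @@` hunk against the `UpdateService` entry point, whose name is not visible on this page. It is also worth adding a case that pins the intended result for a non-release subdomain such as `https://raw.githubusercontent.com/x`, so that accepting it is a recorded decision rather than a side effect of the suffix match.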
@@ -35,6 +45,22 @@ void main() {
);
expect(SelfUpdateService.isAllowedDownloadUrl('not-a-url'), isFalse);
});
+
+ test('rejects look-alike hosts that only suffix-spoof githubusercontent', () {
+ // Must not match a domain that merely ends with the string without the dot.
+ expect(
+ SelfUpdateService.isAllowedDownloadUrl(
+ 'https://evilgithubusercontent.com/github-production-release-asset/x',
+ ),
+ isFalse,
+ );
+ expect(
+ SelfUpdateService.isAllowedDownloadUrl(
+ 'https://githubusercontent.com.evil.example/x',
+ ),
+ isFalse,
+ );
+ });
});
group('SelfUpdateService.hashFromWindowsManifest', () {