Merged
17 changes: 10 additions & 7 deletions CHANGELOG.md
Expand Up @@ -6,21 +6,24 @@

| <img height="20" src="https://github.com/user-attachments/assets/340d360e-79b1-4c70-bfab-d944085f75df" /> Windows | <img height="20" src="https://github.com/user-attachments/assets/42d7e887-4616-4e8c-b1d3-e44e01340f8c" /> MacOS | <img height="20" src="https://github.com/user-attachments/assets/e0cc4f33-4516-408b-9c5c-be71a3ac316b" /> Linux |
| :--- | :--- | :--- |
| **MSI (Recommended): [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Windows-x64.msi)**<!-- / [arm64](https://github.com/BurntToasters/S3-Sidekick/releases/download/v0.9.1/S3-Sidekick-Windows-arm64.msi)** -->| **[Universal DMG](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-macOS.dmg)** | **AppImage:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-x86_64.AppImage) |
| <!-- <div align="center"><a href="https://apps.microsoft.com/detail/9pkgd6lkcl5j?referrer=appbadge&mode=full"><img src="https://get.microsoft.com/images/en-us%20light.svg" width="150"/></a></div>--> | **[Universal ZIP](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-macOS.zip)** | **DEB:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-amd64.deb) <!--/ [arm64](https://github.com/BurntToasters/IYERIS/releases/download/v1.0.4/IYERIS-Linux-arm64.deb)--> |
| <!--*See MSI note below*--> | | **RPM:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-x86_64.rpm) <!--/ [arm64](https://github.com/BurntToasters/IYERIS/releases/download/v1.0.4/IYERIS-Linux-aarch64.rpm)--> |
| | | **Flatpak:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-x86_64.flatpak) |
| | | **TAR (Generic Linux):** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-x86_64.tar.gz) <!--/ [arm64](https://github.com/BurntToasters/IYERIS/releases/download/v1.0.4/IYERIS-Linux-aarch64.flatpak)--> |
| **MSI (Recommended): [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Windows-x64.msi)**<!-- / [arm64](https://github.com/BurntToasters/S3-Sidekick/releases/download/v0.9.1/S3-Sidekick-Windows-arm64.msi)** -->| **[Universal DMG](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-macOS.dmg)** | **AppImage:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-x86_64.AppImage) |
| <!-- <div align="center"><a href="https://apps.microsoft.com/detail/9pkgd6lkcl5j?referrer=appbadge&mode=full"><img src="https://get.microsoft.com/images/en-us%20light.svg" width="150"/></a></div>--> | **[Universal ZIP](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-macOS.zip)** | **DEB:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-amd64.deb) <!--/ [arm64](https://github.com/BurntToasters/IYERIS/releases/download/v1.0.4/IYERIS-Linux-arm64.deb)--> |
| <!--*See MSI note below*--> | | **RPM:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-x86_64.rpm) <!--/ [arm64](https://github.com/BurntToasters/IYERIS/releases/download/v1.0.4/IYERIS-Linux-aarch64.rpm)--> |
| | | **Flatpak:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-x86_64.flatpak) |
| | | **TAR (Generic Linux):** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-x86_64.tar.gz) <!--/ [arm64](https://github.com/BurntToasters/IYERIS/releases/download/v1.0.4/IYERIS-Linux-aarch64.flatpak)--> |

> [!IMPORTANT]
The `.asc` files are my normal GPG signatures which you can verify using my GPG Public Key: https://tuxedo.rosie.run/GPG/BurntToasters_0xF2FBC20F_public.asc.
⚠️ Arm64 Linux and Windows Binaries are *NOT* available at the moment. Its something I may get around to in the future but its not a priority.
*This app is currently unstable. Bugs, issues, and rough edges are expected.*

## Changes in `v0.9.0-beta.3:`
* **Updater:** Addressed an issue where the security policies on URLs did not have the new github redirect cdn added. (Beta users on 0.9.0 Beta 1 and Beta 2 need to manually update; sorry! Good thing for betas amiright :P)

## Changes in `v0.9.0-beta.2:`
* **Linux:** Added AppImage and Flatpak support! Both are experimental until 0.9.0 is not in a beta.
* **AppImage:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-x86_64.AppImage) — portable, no installation needed.
* **Flatpak:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.2/Dacx-Linux-x86_64.flatpak) — sandboxed package for app-store distributions (Flathub support planned).
* **AppImage:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-x86_64.AppImage) — portable, no installation needed.
* **Flatpak:** [x64](https://github.com/BurntToasters/Dacx/releases/download/v0.9.0-beta.3/Dacx-Linux-x86_64.flatpak) — sandboxed package for app-store distributions (Flathub support planned).

## Changes in `v0.9.0-beta.1:`
### UI - Major UI Overhaul!
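Review bot: Under `## Changes in v0.9.0-beta.2:` the AppImage and Flatpak bullet links are rewritten from `.../v0.9.0-beta.2/...` to `.../v0.9.0-beta.3/...`, so the beta.2 entry now points at beta.3 artifacts. Leave the historical links under beta.2 as they were; the download table at the top already carries the beta.3 URLs. The beta.3 entry could also state the scope of the updater change more exactly: the code in this change accepts any `*.githubusercontent.com` host, not only the new release-asset CDN host.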
2 changes: 1 addition & 1 deletion flatpak/run.rosie.dacx.yaml
@@ -1,4 +1,4 @@
# x-version: 0.9.0-beta.2
# x-version: 0.9.0-beta.3
app-id: run.rosie.dacx
runtime: org.freedesktop.Platform
runtime-version: "25.08"
9 changes: 8 additions & 1 deletion lib/services/self_update_service.dart
Expand Up @@ -192,7 +192,14 @@ class SelfUpdateService {
static bool isAllowedDownloadUrl(String url) {
final uri = Uri.tryParse(url);
if (uri == null || uri.scheme != 'https' || uri.host.isEmpty) return false;
return _allowedHosts.contains(uri.host.toLowerCase());
return _isAllowedHost(uri.host);
}

static bool _isAllowedHost(String host) {
final h = host.toLowerCase();
if (_allowedHosts.contains(h)) return true;
// GitHub serves release-asset downloads from rotating *.githubusercontent.com
return h == 'githubusercontent.com' || h.endsWith('.githubusercontent.com');
}

static bool _isRedirectStatus(int statusCode) =>
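Review bot: The suffix rule in `_isAllowedHost` (`h.endsWith('.githubusercontent.com')`) admits every subdomain of githubusercontent.com, and some of those (for example `raw.githubusercontent.com`) serve content uploaded by arbitrary GitHub users, so after this change the host check no longer says anything about who published the file. The new test only needs `release-assets.githubusercontent.com`; consider adding the specific hosts to `_allowedHosts` instead of a wildcard, and dropping the bare `h == 'githubusercontent.com'` case, which nothing in this change exercises. If the wildcard stays, the code comment should say that the host allowlist is not the integrity control and name the hash or signature check that is.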
6 changes: 5 additions & 1 deletion lib/services/update_service.dart
Expand Up @@ -370,7 +370,11 @@ class UpdateService {
'rosie.run',
'www.rosie.run',
};
return allowedHosts.contains(uri.host.toLowerCase());
final host = uri.host.toLowerCase();
if (allowedHosts.contains(host)) return true;
// GitHub serves release assets from rotating *.githubusercontent.com
return host == 'githubusercontent.com' ||
host.endsWith('.githubusercontent.com');
}

static List<int> _numericParts(String version) {
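Review bot: This is a second copy of the host rule added as `SelfUpdateService._isAllowedHost`, kept beside its own inline `allowedHosts` set, so the two allowlists can drift apart the next time one of them is edited. Move the check into one shared helper that both services call, with a single host set. The same wildcard breadth applies here: `host.endsWith('.githubusercontent.com')` accepts any subdomain, so prefer listing the specific release-asset hosts.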
2 changes: 1 addition & 1 deletion linux/packaging/control.template
@@ -1,5 +1,5 @@
Package: dacx
Version: 0.9.0~beta.2
Version: 0.9.0~beta.3
Section: sound
Priority: optional
Architecture: amd64
4 changes: 2 additions & 2 deletions package-lock.json

2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "dacx",
"version": "0.9.0-beta.2",
"version": "0.9.0-beta.3",
"private": true,
"description": "Fast, lightweight cross-platform music and video player for Windows, macOS, and Linux.",
"license": "GPL-3.0-only",
2 changes: 1 addition & 1 deletion pubspec.yaml
@@ -1,7 +1,7 @@
name: dacx
description: "Quick, lightweight cross-platform media player."
publish_to: 'none'
version: 0.9.0-beta.2+900
version: 0.9.0-beta.3+900

environment:
sdk: ^3.10.7
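Review bot: `version: 0.9.0-beta.3+900` keeps the build number at `+900`, the same value as beta.2. If any packaging target or the updater compares build numbers rather than the version string, beta.3 will not register as newer; bump the build number, or confirm that it is intentionally shared across the betas.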
1 change: 1 addition & 0 deletions run.rosie.dacx.metainfo.xml
Expand Up @@ -76,6 +76,7 @@
<mediatype>video/x-flv</mediatype>
</provides>
<releases>
<release version="0.9.0-beta.3" date="2026-06-23"/>
<release version="0.9.0-beta.2" date="2026-06-23"/>
<release version="0.9.0-beta.1" date="2026-06-23"/>
<release version="0.8.1" date="2026-06-13"/>
26 changes: 26 additions & 0 deletions test/services/self_update_orchestration_test.dart
Expand Up @@ -24,6 +24,16 @@ void main() {
);
});

test('allows current GitHub release-assets CDN host', () {
// GitHub now redirects release-asset downloads to this host.
expect(
SelfUpdateService.isAllowedDownloadUrl(
'https://release-assets.githubusercontent.com/github-production-release-asset/123/abc?sig=x',
),
isTrue,
);
});

test('rejects non-HTTPS and unknown hosts', () {
expect(
SelfUpdateService.isAllowedDownloadUrl('http://github.com/x'),
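Review bot: The new accept case covers `SelfUpdateService.isAllowedDownloadUrl` only; the identical host rule added in `lib/services/update_service.dart` has no test in this change. Add the same accept case and the look-alike reject cases against the UpdateService check, or test a shared helper once. It would also help to assert a decision for a user-content subdomain such as `raw.githubusercontent.com`, so that the intended breadth of the wildcard is pinned by a test rather than implied.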
Expand All @@ -35,6 +45,22 @@ void main() {
);
expect(SelfUpdateService.isAllowedDownloadUrl('not-a-url'), isFalse);
});

test('rejects look-alike hosts that only suffix-spoof githubusercontent', () {
// Must not match a domain that merely ends with the string without the dot.
expect(
SelfUpdateService.isAllowedDownloadUrl(
'https://evilgithubusercontent.com/github-production-release-asset/x',
),
isFalse,
);
expect(
SelfUpdateService.isAllowedDownloadUrl(
'https://githubusercontent.com.evil.example/x',
),
isFalse,
);
});
});

group('SelfUpdateService.hashFromWindowsManifest', () {
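Review bot: The look-alike cases cover a missing dot and a trailing parent domain, but not the inputs whose outcome depends on how `Uri.tryParse` splits the authority. Add a reject case for a URL that carries the allowed name in the userinfo part (`https://release-assets.githubusercontent.com@evil.example/x`), and explicit expectations for an upper-case host and for a trailing-dot host (`release-assets.githubusercontent.com.`), which the `endsWith('.githubusercontent.com')` comparison will not match if the parser keeps the dot.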