if you quit with Q instead of q (which is possible to do by accident, e.g., with CAPS LOCK accidentally on), mpv stores its resume or "watch later" information in ~/.config/mpv/watch_later/. by default, for privacy (see the manpage documentation of the flag --write-filename-in-watch-later-config), the filename of the media being watched is not written; instead, the name of the resume file is the MD5 hash of the full path (or of just the filename if --ignore-path-in-watch-later-config is set). this hash is computed in mp_get_playback_resume_config_filename in player/configfiles.c.
although MD5 cannot generally be inverted, it can be if the attacker need only check a small universe of possibilities, so this feature is a privacy risk. the universe to check could be every filename on the filesystem, every file suspected of having been on the filesystem, or every filename of illegal content.
one can disable "watch later" entirely with --no-config, but this disables all configuration. best would be a way to generally disable it, only enabling it if explicitly invoked for a certain video in the command line or UI. (capital Q is arguably an implementation of exactly this: improve it with an "are you sure?" dialog.)
another idea is to use a much smaller hash, say, 16 bits (configurable), which permits plausible deniability. of course, each collision, now more frequent, will lose information about one of the colliding files.
or, create a wrapper around mpv which always copies the file to a random name, then calls mpv on it.
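to compare the full MD5 name with the truncated-hash idea above, here is an added example (not mpv's code and not part of the original post) that counts how many paths from a known universe match one resume file name. assumptions: the resume name is the uppercase hex MD5 of the path string, the bits parameter is a hypothetical option modelling the truncation proposal, and the paths are constructed sample data.

```python
import hashlib
from collections import defaultdict


def resume_name(path: str, bits: int = 128) -> str:
    """Resume-file name for `path`, keeping only the top `bits` bits of its MD5.

    Assumption: bits=128 mirrors mpv (uppercase hex MD5 of the path string).
    Smaller values model the truncated-hash idea, a hypothetical option.
    """
    if not 1 <= bits <= 128:
        raise ValueError("bits must be between 1 and 128")
    digest = int.from_bytes(hashlib.md5(path.encode("utf-8")).digest(), "big")
    width = (bits + 3) // 4  # hex digits needed to print `bits` bits
    return f"{digest >> (128 - bits):0{width}X}"


def anonymity_set(name: str, universe, bits: int = 128) -> list:
    """Every path in `universe` whose resume-file name equals `name`."""
    return [p for p in universe if resume_name(p, bits) == name]


def bucket_sizes(universe, bits: int) -> dict:
    """Number of paths sharing each resume-file name (collisions lose resume data)."""
    counts = defaultdict(int)
    for p in universe:
        counts[resume_name(p, bits)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed sample: one million made-up paths, one of them "watched".
    universe = [f"/home/user/videos/clip_{i:07d}.mkv" for i in range(1_000_000)]
    watched = universe[123_456]
    for bits in (128, 16):
        name = resume_name(watched, bits)
        hits = anonymity_set(name, universe, bits)
        print(f"{bits:3d} bits: {name} matches {len(hits)} candidate path(s)")
```

with the full hash the anonymity set is the watched file alone; with 16 bits it grows roughly as the size of the universe divided by 65536, so the deniability only exists when many plausible paths are in play.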