From 19c1afb4e557998f01bbed4e574f5082b5338834 Mon Sep 17 00:00:00 2001
From: Paul Fulham
Date: Sat, 7 Mar 2026 00:02:29 -0800
Subject: [PATCH 1/4] fix: use exact base URL matching for whitelist check
---
 src/main/java/com/vinurl/net/ClientEvent.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/com/vinurl/net/ClientEvent.java b/src/main/java/com/vinurl/net/ClientEvent.java
index 2c1d4c8..54261e7 100644
--- a/src/main/java/com/vinurl/net/ClientEvent.java
+++ b/src/main/java/com/vinurl/net/ClientEvent.java
@@ -43,7 +43,7 @@ public static void register() {
 if (CONFIG.downloadEnabled()) {
 String baseURL = URI.create(url).getScheme() + "://" + URI.create(url).getHost();
- if (CONFIG.urlWhitelist().stream().anyMatch(url::startsWith)) {
+ if (CONFIG.urlWhitelist().contains(baseURL)) {
 SoundManager.downloadSound(url, fileName);
 SoundManager.queueSound(fileName, pos);
 return;
From 2e850de02525a8425090296811f589e40769959a Mon Sep 17 00:00:00 2001
From: Paul Fulham
Date: Sat, 7 Mar 2026 00:55:05 -0800
Subject: [PATCH 2/4] fix: reject URLs with missing host
---
 src/main/java/com/vinurl/net/ClientEvent.java | 17 +++++++++++++++--
 src/main/java/com/vinurl/net/ServerEvent.java | 6 +++++-
 2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/src/main/java/com/vinurl/net/ClientEvent.java b/src/main/java/com/vinurl/net/ClientEvent.java
index 54261e7..d34375d 100644
--- a/src/main/java/com/vinurl/net/ClientEvent.java
+++ b/src/main/java/com/vinurl/net/ClientEvent.java
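Review bot: The exact match in `CONFIG.urlWhitelist().contains(baseURL)` (patch 1/4) compares case-sensitively and without the port, so the whitelist's meaning is still loose in two ways. `URI.getHost()` returns the host as written, so a URL with an upper-case host or scheme misses a lower-case entry, while `https://host.example:8443/...` (constructed example) passes an entry for `https://host.example` because `baseURL` never includes `getPort()`. Normalising both sides, e.g. `(scheme + "://" + host).toLowerCase(Locale.ROOT)`, and deciding explicitly whether non-default ports are allowed would make the check predictable. Entries written with a trailing slash or path, which the removed `startsWith` accepted, silently stop matching, so the config comment should state the expected `scheme://host` form. The enclosing `register()` body starts and ends outside the hunk.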
@@ -24,10 +24,23 @@ public static void register() {
 BlockPos pos = message.pos();
 String url = message.url();
 boolean loop = message.loop();
- String fileName = SoundManager.getFileName(url);
 if (client.player == null || url.isEmpty()) {return;}
+ URI uri;
+
+ try {
+ uri = new URI(url);
+ } catch (Exception ignored) {
+ return;
+ }
+
+ String scheme = uri.getScheme();
+ String host = uri.getHost();
+ if (scheme == null || host == null) {return;}
+
+ String fileName = SoundManager.getFileName(url);
+
 SoundManager.addSound(fileName, pos, loop);
 if (Executable.YT_DLP.isProcessRunning(fileName + "/download")) {
@@ -41,7 +54,7 @@ public static void register() {
 }
 if (CONFIG.downloadEnabled()) {
- String baseURL = URI.create(url).getScheme() + "://" + URI.create(url).getHost();
+ String baseURL = scheme + "://" + host;
 if (CONFIG.urlWhitelist().contains(baseURL)) {
 SoundManager.downloadSound(url, fileName);
diff --git a/src/main/java/com/vinurl/net/ServerEvent.java b/src/main/java/com/vinurl/net/ServerEvent.java
index 22cb7ef..e07809e 100644
--- a/src/main/java/com/vinurl/net/ServerEvent.java
+++ b/src/main/java/com/vinurl/net/ServerEvent.java
@@ -42,7 +42,11 @@ public static void register() {
 String url;
 try {
- url = new URI(message.url()).toURL().toString();
+ URI uri = new URI(message.url());
+ if (uri.getHost() == null) {
+ throw new IllegalArgumentException("Missing host");
+ }
+ url = uri.toURL().toString();
 } catch (Exception e) {
 player.displayClientMessage(Component.translatable("message.vinurl.custom_record.url.invalid"), true);
 return;
From 0010249ebd181410d0a9d5199f1acd67ab03580d Mon Sep 17 00:00:00 2001
From: Paul Fulham
Date: Sat, 7 Mar 2026 01:01:03 -0800
Subject: [PATCH 3/4] fix: clamp duration to prevent arbitrary values
---
 src/main/java/com/vinurl/net/ServerEvent.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
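Review bot: In the first ClientEvent.java hunk of patch 2/4 the new guard `if (scheme == null || host == null) {return;}` checks that a scheme is present but not which one, and `catch (Exception ignored)` is wider than `new URI(url)` needs. The URL arrives in a network message, so if only web sources are intended I would reject everything except http/https here, e.g. `if (host == null || !("http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme))) {return;}`, before `SoundManager.getFileName(url)` and `addSound` run. Narrowing the catch to `URISyntaxException` keeps unrelated runtime errors visible, and a debug-level log line on rejection would help when a server sends malformed data. The handler body continues outside the hunk, so what happens to non-whitelisted URLs further down is not visible here.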
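Review bot: In the ServerEvent.java hunk of patch 2/4 only the host is checked, so the server still stores any URL whose scheme `toURL()` has a handler for; `file://host/path` parses with a non-null host, for example. The value is written into the item's custom data and presumably reaches other clients later, so checking `uri.getScheme()` against http/https next to the `getHost()` check would keep the server the authoritative validator instead of relying on each client's whitelist. Throwing `IllegalArgumentException` only to land in the generic `catch (Exception e)` works, but a direct early return with the same `url.invalid` message would read more plainly. The `register()` body starts and ends outside the hunk.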
diff --git a/src/main/java/com/vinurl/net/ServerEvent.java b/src/main/java/com/vinurl/net/ServerEvent.java
index e07809e..738e50d 100644
--- a/src/main/java/com/vinurl/net/ServerEvent.java
+++ b/src/main/java/com/vinurl/net/ServerEvent.java
@@ -19,6 +19,8 @@ public class ServerEvent {
 public static final int MAX_URL_LENGTH = 400;
+ public static final int MIN_DURATION = 0;
+ public static final int MAX_DURATION = 3600;
 public static void register() {
 NETWORK_CHANNEL.registerClientboundDeferred(ClientEvent.GUIRecord.class);
@@ -59,7 +61,7 @@ public static void register() {
 CompoundTag tag = new CompoundTag();
 tag.put(URL_KEY, url);
- tag.put(DURATION_KEY, message.duration());
+ tag.put(DURATION_KEY, Math.clamp(message.duration(), MIN_DURATION, MAX_DURATION));
 tag.put(LOOP_KEY, message.loop());
 tag.put(LOCK_KEY, message.lock());
 stack.set(DataComponents.CUSTOM_DATA, CustomData.of(tag));
From a7392df9fe0cb132920fb0b3941619f03587c1b6 Mon Sep 17 00:00:00 2001
From: Paul Fulham
Date: Sat, 7 Mar 2026 01:07:58 -0800
Subject: [PATCH 4/4] fix: prevent locked disc modification bypass
---
 src/main/java/com/vinurl/net/ServerEvent.java | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/main/java/com/vinurl/net/ServerEvent.java b/src/main/java/com/vinurl/net/ServerEvent.java
index 738e50d..64c8374 100644
--- a/src/main/java/com/vinurl/net/ServerEvent.java
+++ b/src/main/java/com/vinurl/net/ServerEvent.java
@@ -41,6 +47,12 @@ public static void register() {
 return;
 }
+ CompoundTag existingTag = stack.getOrDefault(DataComponents.CUSTOM_DATA, CustomData.EMPTY).copyTag();
+ if (existingTag.get(LOCK_KEY)) {
+ player.displayClientMessage(Component.translatable("item.vinurl.custom_record.message.locked"), true);
+ return;
+ }
+
 String url;
 try {
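Review bot: `MIN_DURATION` and `MAX_DURATION` in patch 3/4 carry no unit or rationale, and the clamp in the second hunk silently rewrites what the client sent. A short comment on the constants, e.g. `// Allowed disc duration range, in seconds (TODO confirm unit); client values are clamped to this`, would tell maintainers what 3600 means. `Math.clamp` exists only from Java 21, so this assumes the project already targets that level. If the stored duration is also consumed from discs written before this change, the same bounds need applying on the read side; that code is outside the hunk.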
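Review bot: The new lock check in patch 4/4 uses `existingTag.get(LOCK_KEY)` directly as the `if` condition, which depends on that accessor returning a non-null boolean for a disc with no custom data (the `CustomData.EMPTY` path). If it can return null there, unboxing would throw inside the packet handler; a null-safe form such as `if (Boolean.TRUE.equals(existingTag.get(LOCK_KEY))) {` avoids that, assuming the key's value type is Boolean. The translation key `item.vinurl.custom_record.message.locked` follows a different prefix than `message.vinurl.custom_record.url.invalid` used in the same handler, so it is worth confirming it exists in the lang files. A comment such as `// Enforced server-side: the client UI is not a trust boundary` above the check would record why it lives here. The `register()` body starts and ends outside the hunk.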