artem/yt-dlp
1
0
Fork 0
mirror of https://github.com/yt-dlp/yt-dlp.git synced 2026-06-12 13:54:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

Remove url, desktop and webloc from safe extensions

Browse Source 
See https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-c6mh-fpjc-4pr3

Authored by: Grub4K
This commit is contained in:
Simon Sawicki 2026-05-25 22:36:06 +02:00
parent 3ba1534fa3
commit e578e265f7
No known key found for this signature in database
2 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
yt_dlp/YoutubeDL.py
View File

@ -3395,7 +3395,9 @@ class YoutubeDL:
self.report_warning( self.report_warning(
f'Cannot write internet shortcut file because the actual URL of "{info_dict["webpage_url"]}" is unknown') f'Cannot write internet shortcut file because the actual URL of "{info_dict["webpage_url"]}" is unknown')
return True return True
linkfn = replace_extension(self.prepare_filename(info_dict, 'link'), link_type, info_dict.get('ext')) linkfn = replace_extension(
self.prepare_filename(info_dict, 'link'), link_type,
info_dict.get('ext'), _allowed_exts=tuple(LINK_TEMPLATES))
if not self._ensure_dir_exists(linkfn): if not self._ensure_dir_exists(linkfn):
return False return False
if self.params.get('overwrites', True) and os.path.exists(linkfn): if self.params.get('overwrites', True) and os.path.exists(linkfn):

14
yt_dlp/utils/_utils.py
View File

@ -2139,16 +2139,16 @@ def parse_duration(s):
(days, 86400), (hours, 3600), (mins, 60), (secs, 1), (ms, 1))) (days, 86400), (hours, 3600), (mins, 60), (secs, 1), (ms, 1)))
def _change_extension(prepend, filename, ext, expected_real_ext=None): def _change_extension(prepend, filename, ext, expected_real_ext=None, *, _allowed_exts=()):
name, real_ext = os.path.splitext(filename) name, real_ext = os.path.splitext(filename)
if not expected_real_ext or real_ext[1:] == expected_real_ext: if not expected_real_ext or real_ext[1:] == expected_real_ext:
filename = name filename = name
if prepend and real_ext: if prepend and real_ext:
_UnsafeExtensionError.sanitize_extension(ext, prepend=True) _UnsafeExtensionError.sanitize_extension(ext, prepend=True, _allowed_exts=_allowed_exts)
return f'{filename}.{ext}{real_ext}' return f'{filename}.{ext}{real_ext}'
return f'{filename}.{_UnsafeExtensionError.sanitize_extension(ext)}' return f'{filename}.{_UnsafeExtensionError.sanitize_extension(ext, _allowed_exts=_allowed_exts)}'
prepend_extension = functools.partial(_change_extension, True) prepend_extension = functools.partial(_change_extension, True)
@ -5211,12 +5211,9 @@ class _UnsafeExtensionError(Exception):
# others # others
*MEDIA_EXTENSIONS.manifests, *MEDIA_EXTENSIONS.manifests,
*MEDIA_EXTENSIONS.storyboards, *MEDIA_EXTENSIONS.storyboards,
'desktop',
'ism', 'ism',
'm3u', 'm3u',
'sbv', 'sbv',
'url',
'webloc',
]) ])
def __init__(self, extension, /): def __init__(self, extension, /):
@ -5224,7 +5221,7 @@ class _UnsafeExtensionError(Exception):
self.extension = extension self.extension = extension
@classmethod @classmethod
def sanitize_extension(cls, extension, /, *, prepend=False): def sanitize_extension(cls, extension, /, *, prepend=False, _allowed_exts=()):
if extension is None: if extension is None:
return None return None
@ -5235,7 +5232,8 @@ class _UnsafeExtensionError(Exception):
_, _, last = extension.rpartition('.') _, _, last = extension.rpartition('.')
if last == 'bin': if last == 'bin':
extension = last = 'unknown_video' extension = last = 'unknown_video'
if last.lower() not in cls.ALLOWED_EXTENSIONS: allowed = _allowed_exts or cls.ALLOWED_EXTENSIONS
if last.lower() not in allowed:
raise cls(extension) raise cls(extension)
return extension return extension