Protocol whitelist in ytdl_hook #5456
An attacker has the victim play an HTTP(S) URL.
The URL gets processed by the ytdl_hook script.
youtube-dl attempts to extract videos from the URL by contacting the HTTP server, which
As youtube-dl does not perform any validation on the extracted URLs for
Note that there are likely many ways in which youtube-dl can return "bad" URLs.
The hook script then passes the extracted URL to mpv, which does not apply the usual safe-protocol only checks.
As shown in the example above, this URL can be, for instance, used to dlopen() arbitrary files on the filesystem using the ffmpeg lavfi ladspa plugin.
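A scheme allowlist applied to extractor output before it reaches the player, as an added example in Lua (the hook script's language). It is not the code from this pull request; `SAFE_SCHEMES`, `url_scheme`, `filter_extracted` and the sample URLs are assumptions made for illustration.

```lua
-- Added example, not mpv's code. The allowlist contents are an assumption;
-- a real hook would list every network protocol it intends to permit.
local SAFE_SCHEMES = { http = true, https = true }

-- Return the lowercased scheme (RFC 3986 syntax), or nil when there is none.
local function url_scheme(url)
    if type(url) ~= "string" then return nil end
    local scheme = url:match("^(%a[%w+.%-]*):")
    return scheme and scheme:lower() or nil
end

-- Split extractor output into URLs that may be handed to the player and
-- URLs that must be dropped. A string without a scheme is rejected too,
-- because the player would otherwise treat it as a local path.
local function filter_extracted(urls)
    local allowed, rejected = {}, {}
    for _, url in ipairs(urls) do
        local scheme = url_scheme(url)
        if scheme and SAFE_SCHEMES[scheme] then
            allowed[#allowed + 1] = url
        else
            rejected[#rejected + 1] = { url = url, scheme = scheme or "(none)" }
        end
    end
    return allowed, rejected
end

-- Constructed sample of what an extractor could return for one page.
local extracted = {
    "https://cdn.example.com/video.mp4",
    "HTTP://cdn.example.com/audio.m4a",   -- scheme match is case-insensitive
    "av://lavfi:mandelbrot",              -- filter-graph pseudo-protocol
    "file:///etc/hostname",               -- local file access
    "/tmp/local.mkv",                     -- no scheme at all
}

local allowed, rejected = filter_extracted(extracted)
for _, url in ipairs(allowed) do
    print("pass   " .. url)
end
for _, r in ipairs(rejected) do
    -- Log the scheme so rejected extractor results are visible to the user.
    print(("reject scheme=%s url=%s"):format(r.scheme, r.url))
end
```

The check is default-deny: a protocol the list does not name is dropped even if it is harmless, which is the safer failure mode for URLs that come from a remote server.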