Update dependency yt-dlp to v2024 [SECURITY] - autoclosed #100
This PR contains the following updates:

- yt-dlp: `==2023.7.6` -> `==2024.4.9`
GitHub Vulnerability Alerts
CVE-2024-22423
Summary
The patch that addressed CVE-2023-40581 attempted to prevent RCE when using `--exec` with `%q` by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment variables.

Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to yt-dlp in version 2021.04.11.
Patches
yt-dlp version 2024.04.09 fixes this issue by properly escaping `%`. It replaces each `%` with `%%cd:~,%`, a variable reference that expands to nothing, leaving only the leading percent sign.
Workarounds
It is recommended to upgrade yt-dlp to version 2024.04.09 as soon as possible. Also, always be careful when using `--exec`, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous.

For Windows users who are not able to upgrade:
- Use no output template expansion in `--exec` other than `{}` (filepath).
- If expansion in `--exec` is needed, verify the fields you are using do not contain `%`, `"`, `|` or `&`.
- Instead of `--exec`, write the info JSON and load the fields from it.
Details
When escaping variables, the code in `yt_dlp/compat/__init__.py` (lines 31-33) is used for Windows. It replaces `"` with `""` to balance out the quotes and keep quoting intact if non-allowed characters are included. However, the `%CMDCMDLINE%` variable can be used to generate a quote using `%CMDCMDLINE:~-1%`: since the value of `%CMDCMDLINE%` is the command line with which `cmd.exe` was called, and it is always called with the command surrounded by quotes, `%CMDCMDLINE:~-1%` expands to `"`. After the quotes have been unbalanced, special characters are no longer quoted and commands can be executed.
Release Notes
yt-dlp/yt-dlp (yt-dlp)
v2024.4.9
Compare Source
v2024.3.10
Compare Source
v2023.12.30
Compare Source
Core changes
- `read_stdin`: obey `--quiet` by pukkandan
- `release_year` from `release_date` (#8524) by seproDev
- `NO_COLOR` environment variable (#8385) by Grub4K, prettykool
- `traverse_obj`: Move `is_user_input` into output template (#8673) by Grub4K
Extractor changes
- `media_type` field by trainman261
- `media` elements in SMIL manifests (#8504) by seproDev
- `show` page (#8601) by bashonly, JC-Chung
- `concurrent_view_count` (#8600) by sonmezberkay
- `getheader` (#8606) by qbnu
- `like_count` extraction (#8763) by Ganesh910
Postprocessor changes
Networking changes
Misc. changes
- `IE_NAME` (#8810) by barsnick
- `run_tests`: Create Python script (#8720) by Grub4K (With fixes in 225cf2b)
- `README.md` by bashonly
v2023.11.16
Compare Source
Extractor changes
- `_VALID_URL` (#8576) by seproDev
- `_VALID_URL` (#7692) by TravisDupes
Misc. changes
- `secretstorage` an optional dependency (#8585) by bashonly
v2023.11.14
Compare Source
Important changes
- `master` builds are made after each push, containing the latest fixes (but also possibly bugs). This was previously the `nightly` channel.
- `nightly` builds are now made once a day, if there were any changes.
- `http_headers`; extractors now only use specific headers
Core changes
- `--compat-option manifest-filesize-approx` (#8356) by bashonly
- `--load-info-json` (#8521) by bashonly
Extractor changes
- `http_headers` by coletdjnz
- `xml.etree.ElementTree.Element` (#8582) by bashonly
- `_VALID_URL` (#8368) by peci1
- `POST` request to streams API endpoint (#8413) by bartbroere
- `_VALID_URL` (#8426) by bashonly
- `--wait-for-video` (#8475) by bashonly
Downloader changes
- `--file-allocation=none` (#8332) by CrendKing
- `--live-from-start` (#8339) by bashonly
Networking changes
- Request Handler: requests: Add handler for `requests` HTTP library (#3668) by bashonly, coletdjnz, Grub4K (With fixes in 4e38e2a). Adds support for HTTPS proxies and persistent connections (keep-alive).
Misc. changes
- `actions/checkout` to v4 by bashonly
v2023.10.13
Compare Source
Core changes
- `js_to_json`: Fix `Date` constructor parsing (#8295) by awalgarg, Grub4K
- `write_xattr`: Use `os.setxattr` if available (#8205) by bashonly, Grub4K
Extractor changes
- `downloader_options` by bashonly
- `--extractor-retries inf` (#8328) by Grub4K
Downloader changes
Misc. changes
v2023.10.7
Compare Source
v2023.9.24
Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.