Update dependency yt-dlp to v2024 [SECURITY] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
yt-dlp	==2023.7.6 -> ==2024.4.9

GitHub Vulnerability Alerts

CVE-2024-22423

Summary

The patch that addressed CVE-2023-40581 attempted to prevent RCE when using --exec with %q by replacing double quotes with two double quotes.
However, this escaping is not sufficient, and still allows expansion of environment variables.

Support for output template expansion in --exec, along with this vulnerable behavior, was added to yt-dlp in version 2021.04.11.

> yt-dlp "https://youtu.be/42xO6rVqf2E" --ignore-config -f 18 --exec "echo %(title)q"
[youtube] Extracting URL: https://youtu.be/42xO6rVqf2E
[youtube] 42xO6rVqf2E: Downloading webpage
[youtube] 42xO6rVqf2E: Downloading ios player API JSON
[youtube] 42xO6rVqf2E: Downloading android player API JSON
[youtube] 42xO6rVqf2E: Downloading m3u8 information
[info] 42xO6rVqf2E: Downloading 1 format(s): 18
[download] Destination: %CMDCMDLINE：~-1%&echo pwned&calc.exe [42xO6rVqf2E].mp4
[download] 100% of  126.16KiB in 00:00:00 at 2.46MiB/s
[Exec] Executing command: echo "%CMDCMDLINE:~-1%&echo pwned&calc.exe"
""
pwned

Patches

yt-dlp version 2024.04.09 fixes this issue by properly escaping %. It replaces them with %%cd:~,%, a variable that expands to nothing, leaving only the leading percent.

Workarounds

It is recommended to upgrade yt-dlp to version 2024.04.09 as soon as possible. Also, always be careful when using --exec, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous.

For Windows users who are not able to upgrade:

• Avoid using any output template expansion in --exec other than {} (filepath).
• If expansion in --exec is needed, verify the fields you are using do not contain %, ", | or &.
• Instead of using --exec, write the info json and load the fields from it instead.

Details

When escaping variables, the following code is used for Windows.
yt_dlp/compat/__init__.py line 31-33

    def compat_shlex_quote(s):
        import re
        return s if re.match(r'^[-_\w./]+$', s) else s.replace('"', '""').join('""')

It replaces " with "" to balance out the quotes and keep quoting intact if non-allowed characters are included. However, the %CMDCMDLINE% variable can be used to generate a quote using %CMDCMDLINE:~-1%; since the value of %CMDCMDLINE% is the commandline with which cmd.exe was called, and it is always called with the command surrounded by quotes, %CMDCMDLINE:~-1% expands to ". After the quotes have been unbalanced, special characters are no longer quoted and commands can be executed:

%CMDCMDLINE:~-1%&calc.exe

References

• GHSA-hjq6-52gw-2g7p
• https://nvd.nist.gov/vuln/detail/CVE-2024-22423
• https://github.com/yt-dlp/yt-dlp/releases/tag/2024.04.09
• yt-dlp/yt-dlp@ff07792

---

Release Notes

yt-dlp/yt-dlp (yt-dlp)

v2024.4.9

Compare Source

v2024.3.10

Compare Source

v2023.12.30

Compare Source

Core changes

• Fix format selection parse error for CPython 3.12 (#​8797) by Grub4K
• Let read_stdin obey --quiet by pukkandan
• Merged with youtube-dl be008e6 by bashonly, dirkf, Grub4K
• Parse release_year from release_date (#​8524) by seproDev
• Release workflow and Updater cleanup (#​8640) by bashonly
• Remove Python 3.7 support (#​8361) by bashonly
• Support NO_COLOR environment variable (#​8385) by Grub4K, prettykool
• outtmpl: Support multiplication by pukkandan
• utils: traverse_obj: Move is_user_input into output template (#​8673) by Grub4K
• webvtt: Allow spaces before newlines for CueBlock (#​7681) by TSRBerry (With fixes in 298230e by pukkandan)

Extractor changes

• Add media_type field by trainman261
• Extract from media elements in SMIL manifests (#​8504) by seproDev
• abematv: Fix season metadata (#​8607) by middlingphys
• allstar: Add extractors (#​8274) by S-Aarab
• altcensored: Add extractor (#​8291) by drzraf
• ard: Overhaul extractors (#​8878) by seproDev
• ardbetamediathek: Fix series extraction (#​8687) by lstrojny
• bbc
  • Extract more formats (#​8321) by barsnick, dirkf
  • Fix JSON parsing bug by bashonly
• bfmtv: Fix extractors (#​8651) by bashonly
• bilibili: Support courses and interactive videos (#​8343) by c-basalt
• bitchute: Fix and improve metadata extraction (#​8507) by SirElderling
• box: Fix formats extraction (#​8649) by bashonly
• bundestag: Add extractor (#​8783) by Grub4K
• drtv: Set default ext for m3u8 formats (#​8590) by seproDev
• duoplay: Add extractor (#​8542) by glensc
• eplus: Add login support and DRM detection (#​8661) by pzhlkj6612
• facebook
  • Fix Memories extraction (#​8681) by kclauhk
  • Improve subtitles extraction (#​8296) by kclauhk
• floatplane: Add extractors (#​8639) by seproDev
• francetv: Improve metadata extraction (#​8409) by Fymyte
• instagram: Fix stories extraction (#​8843) by bashonly
• joqrag: Add extractor (#​8384) by pzhlkj6612
• litv: Fix premium content extraction (#​8842) by bashonly
• maariv: Add extractor (#​8331) by amir16yp
• mediastream: Fix authenticated format extraction (#​8657) by NickCis
• nebula: Overhaul extractors (#​8566) by elyse0, pukkandan, seproDev
• nintendo: Fix Nintendo Direct extraction (#​8609) by Grub4K
• ondemandkorea: Fix upgraded format extraction (#​8677) by seproDev
• pr0gramm: Support variant formats and subtitles (#​8674) by Grub4K
• rinsefm: Add extractor (#​8778) by hashFactory
• rudovideo: Add extractor (#​8664) by nicodato
• theguardian: Add extractors (#​8535) by SirElderling
• theplatform: Extract more metadata (#​8635) by trainman261
• twitcasting: Detect livestreams via API and show page (#​8601) by bashonly, JC-Chung
• twitcastinguser: Fix extraction (#​8650) by bashonly
• twitter
  • Extract stale tweets (#​8724) by bashonly
  • Prioritize m3u8 formats (#​8826) by bashonly
  • Work around API rate-limit (#​8825) by bashonly
  • broadcast: Extract concurrent_view_count (#​8600) by sonmezberkay
• vidly: Add extractor (#​8612) by seproDev
• vocaroo: Do not use deprecated getheader (#​8606) by qbnu
• vvvvid: Set user-agent to fix extraction (#​8615) by Kyraminol
• youtube
  • Fix like_count extraction (#​8763) by Ganesh910
  • Improve detection of faulty HLS formats (#​8646) by bashonly
  • Return empty playlist when channel/tab has no videos by pukkandan
  • Support cf.piped.video (#​8514) by OIRNOIR
• zingmp3: Add support for radio and podcasts (#​7189) by hatienl0i261299

Postprocessor changes

• ffmpegmetadata: Embed stream metadata in single format downloads (#​8647) by bashonly

Networking changes

• Strip whitespace around header values (#​8802) by coletdjnz
• Request Handler: websockets: Migrate websockets to networking framework (#​7720) by coletdjnz

Misc. changes

• ci
  • Concurrency optimizations (#​8614) by Grub4K
  • Run core tests only for core changes (#​8841) by Grub4K
• cleanup
  • Fix spelling of IE_NAME (#​8810) by barsnick
  • Remove dead extractors (#​8604) by seproDev
  • Miscellaneous: f9fb3ce by bashonly, Grub4K, pukkandan, seproDev
• devscripts: run_tests: Create Python script (#​8720) by Grub4K (With fixes in 225cf2b)
• docs: Update youtube-dl merge commit in README.md by bashonly
• test: networking: Update tests for OpenSSL 3.2 (#​8814) by bashonly

v2023.11.16

Compare Source

Extractor changes

• abc.net.au: iview, showseries: Fix extraction (#​8586) by bashonly
• beatbump: Update _VALID_URL (#​8576) by seproDev
• dailymotion: Improve _VALID_URL (#​7692) by TravisDupes
• drtv: Fix extractor (#​8484) by almx, seproDev
• eltrecetv: Add extractor (#​8216) by elivinsky
• jiosaavn: Add extractors (#​8307) by awalgarg
• njpwworld: Remove (#​8570) by aarubui
• tv5mondeplus: Extract subtitles (#​4209) by FrankZ85
• twitcasting: Fix livestream detection (#​8574) by JC-Chung
• zenyandex: Fix extraction (#​8454) by starius

Misc. changes

• build: Make secretstorage an optional dependency (#​8585) by bashonly

v2023.11.14

Compare Source

Important changes

• The release channels have been adjusted!
  • master builds are made after each push, containing the latest fixes (but also possibly bugs). This was previously the nightly channel.
  • nightly builds are now made once a day, if there were any changes.
• Security: [CVE-2023-46121] Patch Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection
  • Disallow smuggling of arbitrary http_headers; extractors now only use specific headers

Core changes

• Add --compat-option manifest-filesize-approx (#​8356) by bashonly
• Fix format sorting with --load-info-json (#​8521) by bashonly
• Include build origin in verbose output by bashonly, Grub4K
• Only ensure playlist thumbnail dir if writing thumbs (#​8373) by bashonly
• update: Overhaul self-updater by bashonly, Grub4K

Extractor changes

• Do not smuggle http_headers by coletdjnz
• Do not test truth value of xml.etree.ElementTree.Element (#​8582) by bashonly
• brilliantpala: Fix cookies support (#​8352) by pzhlkj6612
• generic: Improve direct video link ext detection (#​8340) by bashonly
• laxarxames: Add extractor (#​8412) by aniolpages
• n-tv.de: Fix extractor (#​8414) by 1100101
• neteasemusic: Improve metadata extraction (#​8531) by LoserFox
• nhk: Improve metadata extraction (#​8388) by garret1317
• novaembed: Improve _VALID_URL (#​8368) by peci1
• npo: Send POST request to streams API endpoint (#​8413) by bartbroere
• ondemandkorea: Overhaul extractor (#​8386) by seproDev
• orf: podcast: Add extractor (#​8486) by Esokrates
• polskieradio: audition: Fix playlist extraction (#​8459) by shubhexists
• qdance: Update _VALID_URL (#​8426) by bashonly
• radiocomercial: Add extractors (#​8508) by SirElderling
• sbs.co.kr: Add extractors (#​8326) by seproDev
• theatercomplextown: Add extractors (#​8560) by bashonly
• thisav: Remove (#​8346) by bashonly
• thisoldhouse: Add login support (#​8561) by bashonly
• twitcasting: Fix livestream extraction (#​8427) by JC-Chung, saintliao
• twitter
  • broadcast
    • Improve metadata extraction (#​8383) by HitomaruKonpaku
    • Support --wait-for-video (#​8475) by bashonly
• weibo: Fix extraction (#​8463) by c-basalt
• weverse: Fix login error handling (#​8458) by seproDev
• youtube: Check newly uploaded iOS HLS formats (#​8336) by bashonly
• zoom: Extract combined view formats (#​7847) by Mipsters

Downloader changes

• aria2c: Remove duplicate --file-allocation=none (#​8332) by CrendKing
• dash: Force native downloader for --live-from-start (#​8339) by bashonly

Networking changes

• Request Handler: requests: Add handler for requests HTTP library (#​3668) by bashonly, coletdjnz, Grub4K (With fixes in 4e38e2a)

  Adds support for HTTPS proxies and persistent connections (keep-alive)

Misc. changes

• build
  • Include secretstorage in Linux builds by bashonly
  • Overhaul and unify release workflow by bashonly, Grub4K
• ci
  • Bump actions/checkout to v4 by bashonly
  • Run core tests with dependencies by bashonly, coletdjnz
• cleanup
  • Fix changelog typo by bashonly
  • Update documentation for master and nightly channels by bashonly, Grub4K
  • Miscellaneous: b012271 by bashonly, coletdjnz, dirkf, gamer191, Grub4K, seproDev
• test: update: Implement simple updater unit tests by bashonly

v2023.10.13

Compare Source

Core changes

• Ensure thumbnail output directory exists (#​7985) by Riteo
• utils
  • js_to_json: Fix Date constructor parsing (#​8295) by awalgarg, Grub4K
  • write_xattr: Use os.setxattr if available (#​8205) by bashonly, Grub4K

Extractor changes

• artetv: Support age-restricted content (#​8301) by StefanLobbenmeier
• jtbc: Add extractors (#​8314) by seproDev
• mbn: Add extractor (#​8312) by seproDev
• nhk: Fix Japanese-language VOD extraction (#​8309) by garret1317
• radiko: Fix bug with downloader_options by bashonly
• tenplay: Add support for seasons (#​7939) by midnightveil
• youku: Improve tudou.com support (#​8160) by naginatana
• youtube: Fix bug with --extractor-retries inf (#​8328) by Grub4K

Downloader changes

• fragment: Improve progress calculation (#​8241) by Grub4K

Misc. changes

• cleanup: Miscellaneous: b634ba7 by bashonly, gamer191

v2023.10.7

Compare Source

v2023.9.24

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[github-actions]

🦙 MegaLinter status: ❌ ERROR

Descriptor	Linter	Files	Fixed	Errors	Elapsed time
❌ ACTION	actionlint	20		47	0.6s
❌ COPYPASTE	jscpd	yes		1258	52.01s
❌ CSS	stylelint	19	14	1	3.84s
❌ DOCKERFILE	hadolint	1		1	0.26s
✅ ENV	dotenv-linter	1	1	0	0.03s
❌ HTML	djlint	7		56	1668.7s
❌ HTML	htmlhint	7		55	0.41s
❌ JAVASCRIPT	standard	30	30	1	6.86s
❌ JSON	jsonlint	356		1	0.42s
✅ JSON	prettier	356	318	0	58.63s
❌ JSON	v8r	356		1	1.02s
⚠️ MARKDOWN	markdownlint	2414	179	3912	44.35s
❌ MARKDOWN	markdown-link-check	2414		59	6.62s
✅ MARKDOWN	markdown-table-formatter	2414	1526	0	10.47s
❌ REPOSITORY	checkov	yes		70	464.2s
❌ REPOSITORY	gitleaks	yes		422	4265.39s
✅ REPOSITORY	git_diff	yes		no	14.52s
❌ REPOSITORY	grype	yes		1	25.17s
❌ REPOSITORY	secretlint	yes		1	758.1s
❌ REPOSITORY	trivy	yes		1	97.42s
✅ REPOSITORY	trivy-sbom	yes		no	3.04s
✅ REPOSITORY	trufflehog	yes		no	82.89s
❌ SPELL	cspell	6998		190818	6211.53s
❌ SPELL	lychee	5759		1	3.99s
❌ TYPESCRIPT	ts-standard	7	0	1	0.68s
✅ YAML	prettier	1215	1200	0	217.48s
❌ YAML	v8r	1215		1	1.3s
❌ YAML	yamllint	1215		1	867.3s

See detailed report in MegaLinter reports

MegaLinter is graciously provided by