New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Re-enable file URLs #3675
Comments
Doesn't that work? (If not, show verbose log) So what is the question again? |
Title. How do I get it to read a local podcast XML file? Is that just disabled due to file:// |
Also I don't see how parsing and downloading from a file on disk is more dangerous than parsing and downloading from some URL online |
We could add a switch to enable it (with a warning). See ytdl-org/youtube-dl#8227 for why it was disabled Related: ytdl-org/youtube-dl#22408 |
The limitation does not prevent malicious URLs hosted online and is pretty easy to circumvent with a local server, and shouldn't be an issue if yt-dlp not run with elevated permissions (which it should never need to be). I can open a PR but if you can make a quick fix with like |
It does not appear you have understood the problem. Read the linked issues again. That said, an option to enable it should be fine. PR is welcome |
Why would we need a warning? You'd expect a server administrator to be smart enough not to enable it, and afaik it doesn't pose any security risks to regular users (I could be wrong) |
I agree. Passing switches from untrusted sources is already not safe due to |
Now that I think about it though, I wonder if it would be possible for websites to maliciously gain access to yt-dlp's output. I doubt it, but I'm not 100% sure. Also, I wonder if this could potentially be a privilege escalation vulnerability (which isn't necessarily enough reason to not do it) |
Not sure what you mean here
yt-dlp does not use any low level system APIs. So if any privilege escalation exists, it will because of reasons beyond our control - ie, vulnerability in either the OS or python. Besides, I don't see how that is relevant here. The |
Another workaround for now that doesn't require hosting a server: read the file into a data url (which is supported by yt-dlp) On bash/zsh you can do: |
I have added an option to enable file urls in #2861 |
Checklist
Question
Is it possible to force yt-dlp to read a file with generic extractor like it were a url? I have a RSS XML file and file:// prefix is forbidden, so I used a local python http.server as a workaround.
Verbose log
No response
The text was updated successfully, but these errors were encountered: