Skip to content

/ youtube-dl

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow "file://" URLs #22408

Open
atom-smasher opened this issue Sep 15, 2019 · 3 comments
Open

Allow "file://" URLs #22408

atom-smasher opened this issue Sep 15, 2019 · 3 comments
Labels
request

Comments

@atom-smasher
Copy link

@atom-smasher atom-smasher commented Sep 15, 2019
edited

Checklist

  • I'm reporting a feature request
  • I've verified that I'm running youtube-dl version 2019.09.12.1
  • I've searched the bugtracker for similar feature requests including closed ones

Description

#8228 disabled use of "file://" for good reasons. However not all of us run youtube-dl on a server, and there are instances where treating a local file as a URL with a "file://" protocol is necessary and desired.

While a command-line option to override that security fix would be trivial to circumvent (if youtube-dl is being run on a server), a config-file-only option would retain security where it is needed (and allow that functionality if it's needed on a desktop).

Request: A config-file option to allow use of "file://" URLs (eg "--allow-file-url"). If that option is present on the command-line, youtube-dl should respond either by ignoring it or exiting immediately with a non-zero status.

This would allow a secure method for users to explicitly choose to allow use of "file://" URLs. The default behaviour would remain secure, and it would not be possible to over-ride the secure behaviour via command-line options.
@clytras clytras mentioned this issue Mar 6, 2020
Merged
@clytras
Copy link

@clytras clytras commented Mar 6, 2020

I totally support this. To me, #8228 was unnecessary. If a user has access to files such as /etc/passwd then that user does not need youtube-dl to get them, they can just cat /etc/passwd or even curl file:///etc/passwd.
@ilyadh
Copy link

@ilyadh ilyadh commented Apr 17, 2020

I support this too. I needed to download a .m3u8 file to tinker with it a little and then run youtube-dl from local.

This restriction is inconvenient and definitely should be an option instead of a fixed behavior.

To work around this, I started a server to serve local files from a directory and then ran youtube-dl http://localhost:3000/list.m3u8
@clytras
Copy link

@clytras clytras commented Apr 20, 2020

@atom-smasher even on a server, no script or CLI program should be run with elavated access such as root or admins. There are filesystem mechanisms to protect the system. If these CLI tools or scripts are executing with elevated access like sudoers, then the whole system is a big hole that anyone can missuse and pass through.

I do run such scripts and CLI tools on a bunch of servers, but I never run these under elevated user access.

This PR was unnecessary.
@ytdl-org ytdl-org locked and limited conversation to collaborators Apr 20, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
request
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
@clytras @atom-smasher @ilyadh
You can’t perform that action at this time.