I've verified that I'm running youtube-dl version 2021.12.17
I've searched the bugtracker for similar feature requests including closed ones
Description
The generic extractor currently follows redirects blindly. This is not an issue when running youtube-dl locally; however, when it is used in a web app this can allow an attacker to run an SSRF attack.
Even if the web app does not allow calling youtube-dl on internal URLs, an attacker could still craft an external URL redirecting to an internal resource.
Because of this, apps sending requests to arbitrary external URLs should disable redirects in the HTTP client, but youtube-dl provides no easy way to do this.
I see two solutions to this:
Add a way to disable the generic extractor
Add a flag that would make this extractor not follow redirects
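An added illustration, not part of the issue and not youtube-dl code: one way a web app could vet a redirect chain hop by hop, checking every host before it is contacted, ahead of handing a URL to youtube-dl. The names `vet_redirect_chain`, `get_location`, `resolve_all` and `is_public` are hypothetical, and the hosts, addresses and redirect table are constructed sample data.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # assumption: cap on redirect chain length
# Constructed sample data (not real hosts): DNS answers and Location headers.
FAKE_DNS = {"video.example": {"93.184.216.34"}, "short.example": {"93.184.216.34"},
            "intranet.example": {"10.0.0.5"}}
FAKE_REDIRECTS = {"http://video.example/old": "/new",
                  "http://short.example/a": "http://intranet.example/admin"}


def resolve_all(host):
    """Return every address the host name resolves to (real DNS lookup)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public(address):
    """True only for globally routable addresses."""
    ip = ipaddress.ip_address(address.split("%")[0])  # drop any IPv6 zone id
    if getattr(ip, "ipv4_mapped", None):  # unwrap ::ffff:a.b.c.d
        ip = ip.ipv4_mapped
    return ip.is_global


def vet_redirect_chain(url, get_location, resolve=resolve_all):
    """Walk the chain one hop at a time; raise ValueError on a refused hop.

    get_location(url) must send the request with redirect following
    disabled and return the Location header value, or None if there is none.
    """
    for _ in range(MAX_HOPS + 1):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError("refused URL: %s" % url)
        # Check the host before any request is sent to it.
        blocked = sorted(a for a in resolve(parts.hostname) if not is_public(a))
        if blocked:
            raise ValueError("%s resolves to internal address %s"
                             % (parts.hostname, blocked[0]))
        location = get_location(url)
        if location is None:
            return url  # end of chain: every hop was public
        url = urljoin(url, location)  # Location may be relative
    raise ValueError("too many redirects")
```

This pre-check narrows the exposure but does not bind the request youtube-dl later makes on its own: DNS answers or redirects can change between the check and the download, so egress filtering on the worker is still needed.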