Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remediate File Downloader cookie leak #32445

Merged
merged 13 commits into from
Jul 18, 2023
Merged

Remediate File Downloader cookie leak #32445

merged 13 commits into from
Jul 18, 2023

Conversation

dirkf
Copy link
Contributor

@dirkf dirkf commented Jul 18, 2023
edited
Loading

Boilerplate: mixed code, improvement ## Please follow the guide below
  • You will be asked some questions, please read them carefully and answer honestly
  • Put an x into all the boxes [ ] relevant to your pull request (like that [x])
  • Use Preview tab to see how your pull request will actually look like

Before submitting a pull request make sure you have:

In order to be accepted and merged into youtube-dl each piece of code must be in public domain or released under Unlicense. Check one of the following options:

  • I am the original author of this code and I am willing to release it under Unlicense, except for code from yt-dlp for which this or the below has been asserted
  • I am not the original author of this code but it is in public domain or released under Unlicense (provide reliable evidence)

What is the purpose of your pull request?

  • Bug fix
  • Improvement
  • New extractor
  • New feature

Description of your pull request and other information

During file downloads, youtube-dl or the external downloaders that it invokes may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host.

This PR implements various remediations to avoid this behaviour:

  • removing the Cookie header upon HTTP redirects
  • having native downloaders calculate their own Cookie header from the Cookiejar
  • using each external downloader's built-in support for cookies, instead of passing them as header arguments; or if the external downloader does not have proper cookie support, disabling HTTP redirection (axel only)
  • processing cookies passed as HTTP headers to limit their scope (--add-header "Cookie:..." is scoped to input URL domain only)
  • storing cookies in a separate cookies field of the info dict instead of http_headers so as not to lose their scope.

These remediations match similar ones committed to yt-dlp:
yt-dlp/yt-dlp@1ceb657
yt-dlp/yt-dlp@f8b4bcc
yt-dlp/yt-dlp@3121512
yt-dlp/yt-dlp@6c5211c
yt-dlp/yt-dlp@42ded0a

Thanks to yt-dlp devs involved in GHSA-v8mc-9377-rwjj, especially those referenced in commits here.

dirkf and others added 13 commits July 18, 2023 01:43
@dirkf
[core] Revert version display from b8a86dc
8d2bff7
@dirkf
[utils] Add {expected_type} and Iterable support to traverse_obj()
d661c42
@dirkf
[core] Align error reporting methods with yt-dlp
59b0b02
@dirkf
[test] Make skipped tests in test_execution work with Py 2.6
ae0a49a
@dirkf
[compat] Add Request and HTTPClient compat for redirect
b07ac95 
* support `method` parameter of `Request.__init__`  (Py 2 and old Py 3)
* support `getcode` method of compat_http_client.HTTPResponse (Py 2)
@dirkf
[core] Update redirect handling from yt-dlp
f64709b 
* Thx coletdjnz: yt-dlp/yt-dlp#7094
* add test that redirected `POST` loses its `Content-Type`
@dirkf
[core] Remove Cookie header on redirect to prevent leaks
6bd4602 
Adated from yt-dlp/yt-dlp-GHSA-v8mc-9377-rwjj/pull/1/commits/101caac
Thx coletdjnz
@bashonly @dirkf
[utils] YoutubeDLCookieJar: Add get_cookie_header and `get_cookie…
3ba0284 
…s_for_url` methods
@Grub4K @dirkf
[core] Process header cookies on loading
02471d6
@bashonly @dirkf
[downloader/external] Fix cookie support
c71bc8d
@dirkf
[doc] Warn against setting cookies with --add-header
27b07b5
@dirkf
[test] Fixes for old Pythons
90d7e57
@dirkf
[compat] Fix old Pythons broken loading of valueless cookie attributes
e413fee 
Cookie string parsing in Py 2.6.9, probably earlier, requires `=`.
Also 3.2, though the CPython code appears to be OK: 3.1 was also wrong.
@dirkf dirkf merged commit 47214e4 into ytdl-org:master Jul 18, 2023
20 checks passed
@dirkf dirkf mentioned this pull request Jul 18, 2023
Merged
dirkf referenced this pull request in ytdl-org/ytdl-nightly Jul 18, 2023
@dirkf
Merge pull request #1 from ytdl-org/master-32445
49dd27b 
yt-dl PR #32445
This was referenced Jul 18, 2023
Closed
Merged
@dirkf dirkf mentioned this pull request Jul 2, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dirkf @bashonly @Grub4K