]> jfr.im git - yt-dlp.git/commit
projects / yt-dlp.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 61bdf15)
[core] Prevent RCE when using `--exec` with `%q` (CVE-2023-40581)
authorSimon Sawicki <redacted>
Sun, 24 Sep 2023 00:29:01 +0000 (02:29 +0200)
committerSimon Sawicki <redacted>
Sun, 24 Sep 2023 00:29:01 +0000 (02:29 +0200)
commitde015e930747165dbb8fcd360f8775fd973b7d6e
tree7588e5aefdba5eb635a8690b824b1a49672342d8tree | snapshot (tar.bz2 zip tar.gz)
parent61bdf15fc7400601c3da1aa7a43917310a5bf391commit | diff
[core] Prevent RCE when using `--exec` with `%q` (CVE-2023-40581)

The shell escape function is now using `""` instead of `\"`. `utils.Popen` has been patched to properly quote commands.

Prior to this fix using `--exec` together with `%q` when on Windows could cause remote code to execute. See https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg for reference.

Authored by: Grub4K
devscripts/changelog_override.json diff | blob | blame | history
test/test_YoutubeDL.py diff | blob | blame | history
test/test_utils.py diff | blob | blame | history
yt_dlp/compat/__init__.py diff | blob | blame | history
yt_dlp/postprocessor/exec.py diff | blob | blame | history
yt_dlp/utils/_utils.py diff | blob | blame | history
fork of https://github.com/yt-dlp/yt-dlp/