]> jfr.im git - yt-dlp.git/commit
projects / yt-dlp.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 216f6a3)
[core] Prevent RCE when using `--exec` with `%q` (CVE-2024-22423)
authorSimon Sawicki <redacted>
Mon, 8 Apr 2024 21:18:04 +0000 (23:18 +0200)
committerSimon Sawicki <redacted>
Tue, 9 Apr 2024 16:36:13 +0000 (18:36 +0200)
commitff07792676f404ffff6ee61b5638c9dc1a33a37a
tree6b973d54eeef6c75f80795a3611cf494cc192e4atree | snapshot (tar.bz2 zip tar.gz)
parent216f6a3cb57824e6a3c859649ce058c199b1b247commit | diff
[core] Prevent RCE when using `--exec` with `%q` (CVE-2024-22423)

The shell escape function now properly escapes `%`, `\\` and `\n`. `utils.Popen` as well as `%q` output template expansion have been patched accordingly.

Prior to this fix using `--exec` together with `%q` when on Windows could cause remote code to execute. See https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p for more details.

Authored by: Grub4K
devscripts/changelog_override.json diff | blob | blame | history
test/test_utils.py diff | blob | blame | history
yt_dlp/YoutubeDL.py diff | blob | blame | history
yt_dlp/compat/__init__.py diff | blob | blame | history
yt_dlp/utils/_utils.py diff | blob | blame | history
fork of https://github.com/yt-dlp/yt-dlp/