aboutsummaryrefslogtreecommitdiff
path: root/youtube_dl/YoutubeDL.py
diff options
context:
space:
mode:
authorJaime Marquínez Ferrándiz <jaime.marquinez.ferrandiz@gmail.com>2016-01-14 00:16:23 +0100
committerJaime Marquínez Ferrándiz <jaime.marquinez.ferrandiz@gmail.com>2016-01-14 00:24:04 +0100
commite37afbe0b8a1222cb214ad0bec9a53bb7953531d (patch)
tree0c4c36ab11221b1bbad642b980198db3ed6c95db /youtube_dl/YoutubeDL.py
parent40cf7fcbd2e30747065ca7b8bf4467a9582a4aa9 (diff)
[YoutubeDL] urlopen: disable the 'file:' protocol (#8227)
If someone is running youtube-dl on a server to deliver files, the user could input 'file:///some/important/file' and youtube-dl would save that file as a video giving access to sensitive information to the user. 'file:' urls can be filtered, but the user can use an URL to a crafted m3u8 manifest like: #EXTM3U #EXT-X-MEDIA-SEQUENCE:0 #EXTINF:10.0 file:///etc/passwd #EXT-X-ENDLIST With this patch 'file:' URLs raise URLError like for unknown protocols.
Diffstat (limited to 'youtube_dl/YoutubeDL.py')
-rwxr-xr-xyoutube_dl/YoutubeDL.py10
1 files changed, 8 insertions, 2 deletions
diff --git a/youtube_dl/YoutubeDL.py b/youtube_dl/YoutubeDL.py
index d50b7cfed..e8ce58604 100755
--- a/youtube_dl/YoutubeDL.py
+++ b/youtube_dl/YoutubeDL.py
@@ -1986,8 +1986,14 @@ class YoutubeDL(object):
https_handler = make_HTTPS_handler(self.params, debuglevel=debuglevel)
ydlh = YoutubeDLHandler(self.params, debuglevel=debuglevel)
data_handler = compat_urllib_request_DataHandler()
- opener = compat_urllib_request.build_opener(
- proxy_handler, https_handler, cookie_processor, ydlh, data_handler)
+ unknown_handler = compat_urllib_request.UnknownHandler()
+ handlers = (proxy_handler, https_handler, cookie_processor, ydlh, data_handler, unknown_handler)
+ # we don't use build_opener because it automatically adds FileHandler,
+ # which can be used for malicious purposes (see
+ # https://github.com/rg3/youtube-dl/issues/8227)
+ opener = compat_urllib_request.OpenerDirector()
+ for handler in handlers:
+ opener.add_handler(handler)
# Delete the default user-agent header, which would otherwise apply in
# cases where our custom HTTP handler doesn't come into play