[YoutubeDL] urlopen: disable the 'file:' protocol (#8227)

If someone is running youtube-dl on a server to deliver files, the user could input 'file:///some/important/file' and youtube-dl would save that file as a video giving access to sensitive information to the user.
'file:' urls can be filtered, but the user can use an URL to a crafted m3u8 manifest like:

    #EXTM3U
    #EXT-X-MEDIA-SEQUENCE:0
    #EXTINF:10.0
    file:///etc/passwd
    #EXT-X-ENDLIST

With this patch 'file:' URLs raise URLError like for unknown protocols.

1 files changed, 8 insertions, 2 deletions

diff --git a/youtube_dl/YoutubeDL.py b/youtube_dl/YoutubeDL.py
index d50b7cfed..e8ce58604 100755
--- a/youtube_dl/YoutubeDL.py
+++ b/youtube_dl/YoutubeDL.py
@@ -1986,8 +1986,14 @@ class YoutubeDL(object):
         https_handler = make_HTTPS_handler(self.params, debuglevel=debuglevel)
         ydlh = YoutubeDLHandler(self.params, debuglevel=debuglevel)
         data_handler = compat_urllib_request_DataHandler()
-        opener = compat_urllib_request.build_opener(
-            proxy_handler, https_handler, cookie_processor, ydlh, data_handler)
+        unknown_handler = compat_urllib_request.UnknownHandler()
+        handlers = (proxy_handler, https_handler, cookie_processor, ydlh, data_handler, unknown_handler)
+        # we don't use build_opener because it automatically adds FileHandler,
+        # which can be used for malicious purposes (see
+        # https://github.com/rg3/youtube-dl/issues/8227)
+        opener = compat_urllib_request.OpenerDirector()
+        for handler in handlers:
+            opener.add_handler(handler)
 
         # Delete the default user-agent header, which would otherwise apply in
         # cases where our custom HTTP handler doesn't come into play