diff options
| author | Thomas Gerbet <thomas@gerbet.me> | 2024-07-04 00:35:24 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-07-03 22:35:24 +0000 |
| commit | 6075a029dba70a89675ae1250e7cdfd91f0eba41 (patch) | |
| tree | 68c251925d2bcc89619d5281c9431bb0af8ae832 | |
| parent | cc767e9490056efaaa11c186b0d032e4b4969180 (diff) | |
[ie/douyutv] Do not use dangerous javascript source/URL (#10347)
Ref: https://sansec.io/research/polyfill-supply-chain-attack
Authored by: LeSuisse
| -rw-r--r-- | yt_dlp/extractor/douyutv.py | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/yt_dlp/extractor/douyutv.py b/yt_dlp/extractor/douyutv.py index fdf19c252..e36eac919 100644 --- a/yt_dlp/extractor/douyutv.py +++ b/yt_dlp/extractor/douyutv.py @@ -24,8 +24,9 @@ from ..utils import ( class DouyuBaseIE(InfoExtractor): def _download_cryptojs_md5(self, video_id): for url in [ + # XXX: Do NOT use cdn.bootcdn.net; ref: https://sansec.io/research/polyfill-supply-chain-attack 'https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/md5.js', - 'https://cdn.bootcdn.net/ajax/libs/crypto-js/3.1.2/rollups/md5.js', + 'https://unpkg.com/cryptojslib@3.1.2/rollups/md5.js', ]: js_code = self._download_webpage( url, video_id, note='Downloading signing dependency', fatal=False) @@ -35,7 +36,8 @@ class DouyuBaseIE(InfoExtractor): raise ExtractorError('Unable to download JS dependency (crypto-js/md5)') def _get_cryptojs_md5(self, video_id): - return self.cache.load('douyu', 'crypto-js-md5') or self._download_cryptojs_md5(video_id) + return self.cache.load( + 'douyu', 'crypto-js-md5', min_ver='2024.07.04') or self._download_cryptojs_md5(video_id) def _calc_sign(self, sign_func, video_id, a): b = uuid.uuid4().hex |