authorSimon Sawicki <contact@grub4k.xyz>2024-04-08 23:18:04 +0200
committerSimon Sawicki <contact@grub4k.xyz>2024-04-09 18:36:13 +0200
commitff07792676f404ffff6ee61b5638c9dc1a33a37a (patch)
tree6b973d54eeef6c75f80795a3611cf494cc192e4a /test/test_utils.py
parent216f6a3cb57824e6a3c859649ce058c199b1b247 (diff)
[core] Prevent RCE when using `--exec` with `%q` (CVE-2024-22423)
The shell escape function now properly escapes `%`, `\\` and `\n`. `utils.Popen` as well as `%q` output template expansion have been patched accordingly. Prior to this fix, using `--exec` together with `%q` on Windows could cause remote code to execute. See https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p for more details. Authored by: Grub4K
Diffstat (limited to 'test/test_utils.py')
-rw-r--r--test/test_utils.py4
1 files changed, 4 insertions, 0 deletions
diff --git a/test/test_utils.py b/test/test_utils.py
index 71febeefd..ddf0a7c24 100644
--- a/test/test_utils.py
+++ b/test/test_utils.py
@@ -2069,6 +2069,10 @@ Line 1
# Test escaping
assert run_shell(['echo', 'test"&']) == '"test""&"\n'
+ assert run_shell(['echo', '%CMDCMDLINE:~-1%&']) == '"%CMDCMDLINE:~-1%&"\n'
+ assert run_shell(['echo', 'a\nb']) == '"a"\n"b"\n'
+ assert run_shell(['echo', '"']) == '""""\n'
+ assert run_shell(['echo', '\\']) == '\\\n'
# Test if delayed expansion is disabled
assert run_shell(['echo', '^!']) == '"^!"\n'
assert run_shell('echo "^!"') == '"^!"\n'