author | bashonly <bashonly@bashonly.com> | 2023-08-16 18:42:48 -0500 |
---|---|---|
committer | Simon Sawicki <contact@grub4k.xyz> | 2023-11-14 22:04:25 +0100 |
commit | f04b5bedad7b281bee9814686bba1762bae092eb (patch) | |
tree | c18255b7b8d917a21ef1d4aa1fd66b62806fed8c /yt_dlp/extractor/generic.py | |
parent | d4f14a72dc1dd79396e0e80980268aee902b61e4 (diff) |
[ie] Do not smuggle `http_headers`
See: https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x
Authored by: coletdjnz
Diffstat (limited to 'yt_dlp/extractor/generic.py')
-rw-r--r-- | yt_dlp/extractor/generic.py | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/yt_dlp/extractor/generic.py b/yt_dlp/extractor/generic.py
index ac7cc673f..1503e5146 100644
--- a/yt_dlp/extractor/generic.py
+++ b/yt_dlp/extractor/generic.py
@@ -17,6 +17,7 @@ from ..utils import (
 determine_protocol,
 dict_get,
 extract_basic_auth,
+ filter_dict,
 format_field,
 int_or_none,
 is_html,
@@ -2435,10 +2436,10 @@ class GenericIE(InfoExtractor):
 # to accept raw bytes and being able to download only a chunk.
 # It may probably better to solve this by checking Content-Type for application/octet-stream
 # after a HEAD request, but not sure if we can rely on this.
- full_response = self._request_webpage(url, video_id, headers={
+ full_response = self._request_webpage(url, video_id, headers=filter_dict({
 'Accept-Encoding': 'identity',
- **smuggled_data.get('http_headers', {})
- })
+ 'Referer': smuggled_data.get('referer'),
+ }))
 new_url = full_response.url
 url = urllib.parse.urlparse(url)._replace(scheme=urllib.parse.urlparse(new_url).scheme).geturl()
 if new_url != extract_basic_auth(url)[0]:
@@ -2458,7 +2459,7 @@ class GenericIE(InfoExtractor):
 m = re.match(r'^(?P<type>audio|video|application(?=/(?:ogg$|(?:vnd\.apple\.|x-)?mpegurl)))/(?P<format_id>[^;\s]+)', content_type)
 if m:
 self.report_detected('direct video link')
- headers = smuggled_data.get('http_headers', {})
+ headers = filter_dict({'Referer': smuggled_data.get('referer')})
 format_id = str(m.group('format_id'))
 ext = determine_ext(url, default_ext=None) or urlhandle_detect_ext(full_response)
 subtitles = {}
@@ -2710,7 +2711,7 @@ class GenericIE(InfoExtractor):
 'url': smuggle_url(json_ld['url'], {
 'force_videoid': video_id,
 'to_generic': True,
- 'http_headers': {'Referer': url},
+ 'referer': url,
 }),
 }, json_ld)] |
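Review bot: The smuggled `referer` value goes into the request headers unchecked, both in the `_request_webpage(...)` call in the `-2435,10` hunk and in the `headers = filter_dict(...)` line of the `-2458,7` hunk (direct video link). `filter_dict` with its default predicate only drops `None`, so a non-string or empty value decoded from the smuggled payload would still be sent; building the dict once, e.g. `referer = smuggled_data.get('referer')` then `referer_headers = {'Referer': referer} if isinstance(referer, str) and referer else {}`, and reusing it at both sites would close that. A short comment such as `# Only Referer is honoured from smuggled data; arbitrary http_headers are not (GHSA-3ch3-jhc6-5r8x)` would keep the restriction from being relaxed later. The enclosing method starts and ends outside these hunks.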
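Review bot: In the `-2710,7` hunk the page `url` is smuggled verbatim as `referer`, and the `-2435,10` hunk calls `extract_basic_auth(url)` on a variable of the same name, which suggests it may still carry `user:pass@` userinfo at this point. If it does, those credentials would be sent in the Referer header to whatever host `json_ld['url']` points at; `'referer': extract_basic_auth(url)[0],` would avoid that, assuming this is the same `url`. The same applied to the old `'http_headers': {'Referer': url}` form, so the commit does not introduce it, but it does not address it either. The surrounding return statement starts outside the hunk.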