From ff07792676f404ffff6ee61b5638c9dc1a33a37a Mon Sep 17 00:00:00 2001
From: Simon Sawicki <contact@grub4k.xyz>
Date: Mon, 8 Apr 2024 23:18:04 +0200
Subject: [core] Prevent RCE when using `--exec` with `%q` (CVE-2024-22423)

The shell escape function now properly escapes `%`, `\\` and `\n`. `utils.Popen` as well as `%q` output template expansion have been patched accordingly.

Prior to this fix using `--exec` together with `%q` when on Windows could cause remote code to execute. See https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p for more details.

Authored by: Grub4K
---
 test/test_utils.py | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'test/test_utils.py')

diff --git a/test/test_utils.py b/test/test_utils.py
index 71febeefd..ddf0a7c24 100644
--- a/test/test_utils.py
+++ b/test/test_utils.py
@@ -2069,6 +2069,10 @@ Line 1
 
         # Test escaping
         assert run_shell(['echo', 'test"&']) == '"test""&"\n'
+        assert run_shell(['echo', '%CMDCMDLINE:~-1%&']) == '"%CMDCMDLINE:~-1%&"\n'
+        assert run_shell(['echo', 'a\nb']) == '"a"\n"b"\n'
+        assert run_shell(['echo', '"']) == '""""\n'
+        assert run_shell(['echo', '\\']) == '\\\n'
         # Test if delayed expansion is disabled
         assert run_shell(['echo', '^!']) == '"^!"\n'
         assert run_shell('echo "^!"') == '"^!"\n'
-- 
cgit v1.2.3