yt-dlp/yt_dlp
Simon Sawicki ff07792676
[core] Prevent RCE when using --exec with %q (CVE-2024-22423)
The shell escape function now properly escapes `%`, `\\` and `\n`. `utils.Popen` as well as `%q` output template expansion have been patched accordingly.

Prior to this fix, using `--exec` together with `%q` when on Windows could cause remote code to execute. See https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p for more details.

Authored by: Grub4K
2024-04-09 18:36:13 +02:00
__pyinstaller [rh:curlcffi] Add support for curl_cffi 2024-03-16 23:15:11 -05:00
compat [core] Prevent RCE when using --exec with %q (CVE-2024-22423) 2024-04-09 18:36:13 +02:00
dependencies [rh:curlcffi] Add support for curl_cffi 2024-03-16 23:15:11 -05:00
downloader Add new option --progress-delta (#9082) 2024-04-08 22:47:38 +02:00
extractor [ie/jiosaavn] Support playlists (#9622) 2024-04-07 20:55:46 +00:00
networking [cleanup] Misc (#9426) 2024-04-09 16:12:26 +00:00
postprocessor [docs] Misc Cleanup (#8977) 2024-03-11 00:48:47 +05:30
utils [core] Prevent RCE when using --exec with %q (CVE-2024-22423) 2024-04-09 18:36:13 +02:00
__init__.py Add new option --progress-delta (#9082) 2024-04-08 22:47:38 +02:00
__main__.py [docs] Misc Cleanup (#8977) 2024-03-11 00:48:47 +05:30
aes.py [dependencies] Simplify Cryptodome 2023-02-28 23:15:13 +05:30
cache.py [cleanup] Misc 2023-02-17 17:52:22 +05:30
cookies.py [cookies] Add --cookies-from-browser support for Firefox Flatpak (#9619) 2024-04-07 15:28:59 +00:00
jsinterp.py Update to ytdl-commit-07af47 2023-06-21 09:21:23 +05:30
minicurses.py [docs] Consistent use of e.g. (#4643) 2022-08-14 17:34:13 +05:30
options.py Add new option --progress-delta (#9082) 2024-04-08 22:47:38 +02:00
plugins.py [plugins] Handle PermissionError (#9229) 2024-02-20 14:37:37 +05:30
socks.py [cleanup] Misc (#8598) 2023-12-30 22:27:36 +01:00
update.py [cleanup] Misc (#9426) 2024-04-09 16:12:26 +00:00
version.py Release 2024.03.10 2024-03-10 19:40:56 +00:00
webvtt.py [cleanup] Misc (#8968) 2024-03-11 00:52:28 +05:30
YoutubeDL.py [core] Prevent RCE when using --exec with %q (CVE-2024-22423) 2024-04-09 18:36:13 +02:00