[ie] Limit netrc_machine parameter to shell-safe characters

Also adapts some extractor regexes to adhere to this limitation See: https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqm Authored by: Grub4K
2026-02-22 08:26:00 +00:00 · 2026-02-14 23:34:51 +01:00
parent c105461647
commit 1fbbe29b99
5 changed files with 17 additions and 8 deletions
--- a/test/test_InfoExtractor.py
+++ b/test/test_InfoExtractor.py
@@ -76,6 +76,8 @@ class TestInfoExtractor(unittest.TestCase):
            self.assertEqual(ie._get_netrc_login_info(netrc_machine='empty_pass'), ('user', ''))
            self.assertEqual(ie._get_netrc_login_info(netrc_machine='both_empty'), ('', ''))
            self.assertEqual(ie._get_netrc_login_info(netrc_machine='nonexistent'), (None, None))
+            with self.assertRaises(ExtractorError):
+                ie._get_netrc_login_info(netrc_machine=';echo rce')

    def test_html_search_regex(self):
        html = '<p id="foo">Watch this <a href="http://www.youtube.com/watch?v=BaW_jenozKc">video</a></p>'
--- a/yt_dlp/extractor/common.py
+++ b/yt_dlp/extractor/common.py
@@ -661,9 +661,11 @@ class InfoExtractor:
        if not self._ready:
            self._initialize_pre_login()
            if self.supports_login():
-                username, password = self._get_login_info()
-                if username:
-                    self._perform_login(username, password)
+                # try login only if it would actually do anything
+                if type(self)._perform_login is not InfoExtractor._perform_login:
+                    username, password = self._get_login_info()
+                    if username:
+                        self._perform_login(username, password)
            elif self.get_param('username') and False not in (self.IE_DESC, self._NETRC_MACHINE):
                self.report_warning(f'Login with password is not supported for this website. {self._login_hint("cookies")}')
            self._real_initialize()
@@ -1385,6 +1387,11 @@ class InfoExtractor:

    def _get_netrc_login_info(self, netrc_machine=None):
        netrc_machine = netrc_machine or self._NETRC_MACHINE
+        if not netrc_machine:
+            raise ExtractorError(f'Missing netrc_machine and {type(self).__name__}._NETRC_MACHINE')
+        ALLOWED = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_'
+        if netrc_machine.startswith(('-', '_')) or not all(c in ALLOWED for c in netrc_machine):
+            raise ExtractorError(f'Invalid netrc machine: {netrc_machine!r}', expected=True)

        cmd = self.get_param('netrc_cmd')
        if cmd:
--- a/yt_dlp/extractor/getcourseru.py
+++ b/yt_dlp/extractor/getcourseru.py
@@ -59,7 +59,7 @@ class GetCourseRuIE(InfoExtractor):
        'marafon.mani-beauty.com',
        'on.psbook.ru',
    ]
-    _BASE_URL_RE = rf'https?://(?:(?!player02\.)[^.]+\.getcourse\.(?:ru|io)|{"|".join(map(re.escape, _DOMAINS))})'
+    _BASE_URL_RE = rf'https?://(?:(?!player02\.)[a-zA-Z0-9-]+\.getcourse\.(?:ru|io)|{"|".join(map(re.escape, _DOMAINS))})'
    _VALID_URL = [
        rf'{_BASE_URL_RE}/(?!pl/|teach/)(?P<id>[^?#]+)',
        rf'{_BASE_URL_RE}/(?:pl/)?teach/control/lesson/view\?(?:[^#]+&)?id=(?P<id>\d+)',
--- a/yt_dlp/extractor/pornhub.py
+++ b/yt_dlp/extractor/pornhub.py
@@ -128,7 +128,7 @@ class PornHubIE(PornHubBaseIE):
    _VALID_URL = rf'''(?x)
                    https?://
                        (?:
-                            (?:[^/]+\.)?
+                            (?:[a-zA-Z0-9.-]+\.)?
                            {PornHubBaseIE._PORNHUB_HOST_RE}
                            /(?:(?:view_video\.php|video/show)\?viewkey=|embed/)|
                            (?:www\.)?thumbzilla\.com/video/
@@ -534,7 +534,7 @@ class PornHubPlaylistBaseIE(PornHubBaseIE):


 class PornHubUserIE(PornHubPlaylistBaseIE):
-    _VALID_URL = rf'(?P<url>https?://(?:[^/]+\.)?{PornHubBaseIE._PORNHUB_HOST_RE}/(?:(?:user|channel)s|model|pornstar)/(?P<id>[^/?#&]+))(?:[?#&]|/(?!videos)|$)'
+    _VALID_URL = rf'(?P<url>https?://(?:[a-zA-Z0-9.-]+\.)?{PornHubBaseIE._PORNHUB_HOST_RE}/(?:(?:user|channel)s|model|pornstar)/(?P<id>[^/?#&]+))(?:[?#&]|/(?!videos)|$)'
    _TESTS = [{
        'url': 'https://www.pornhub.com/model/zoe_ph',
        'playlist_mincount': 118,
--- a/yt_dlp/extractor/teachable.py
+++ b/yt_dlp/extractor/teachable.py
@@ -102,7 +102,7 @@ class TeachableIE(TeachableBaseIE):
    _WORKING = False
    _VALID_URL = r'''(?x)
                    (?:
-                        {}https?://(?P<site_t>[^/]+)|
+                        {}https?://(?P<site_t>[a-zA-Z0-9.-]+)|
                        https?://(?:www\.)?(?P<site>{})
                    )
                    /courses/[^/]+/lectures/(?P<id>\d+)
@@ -211,7 +211,7 @@ class TeachableIE(TeachableBaseIE):
 class TeachableCourseIE(TeachableBaseIE):
    _VALID_URL = r'''(?x)
                        (?:
-                            {}https?://(?P<site_t>[^/]+)|
+                            {}https?://(?P<site_t>[a-zA-Z0-9.-]+)|
                            https?://(?:www\.)?(?P<site>{})
                        )
                        /(?:courses|p)/(?:enrolled/)?(?P<id>[^/?#&]+)